Subj : Google to turn on 2FA
To   : August Abolins
From : Arelor
Date : Fri Oct 08 2021 05:38:08

Re: Google to turn on 2FA
By: August Abolins to Arelor on Thu Oct 07 2021 10:55 pm

> I learned this:
>
> [1]
>
> TOTP values can be phished like passwords, though this requires
> attackers to proxy the credentials in real time.[a]
>
> [a] Umawing, Jovi (21 January 2019). "Has two-factor
> authentication been defeated? A spotlight on 2FA's latest
> challenge". Malwarebytes Labs. Archived from the original on 25
> September 2020. Retrieved 9 August 2020.
>
> [2]
>
> An attacker who steals the shared secret can generate new,
> valid TOTP values at will. This can be a particular problem if
> the attacker breaches a large authentication database.[b]
>
> [b] Zetter, Kim. "RSA Agrees to Replace Security Tokens After
> Admitting Compromise". WIRED. Archived from the original on 12
> November 2020. Retrieved 17 February 2017.
>
> I'd rather use SQRL.

I didn't say it was bulletproof or necessarily a good idea.

My experience with OTP systems is that they make support tickets skyrocket
because people are very good at losing their OTP credentials, and those are
not as easy to reset as passwords.

I have a Nitrokey Storage 2 which I got for Linux Magazine work (article
coming next year) and I was testing OTPs with it. I think they have some
value but they are not as great as they are hyped up to be.

--
gopher://gopher.richardfalken.com/1/richardfalken

--- SBBSecho 3.14-Linux
 * Origin: Palantir * palantirbbs.ddns.net * Pensacola, FL * (618:250/24)