Just me or is 2FA still basically unsolved? SMS is too easily hackable but Auth apps are tied to your physical lose-able phone. Best solution we've got is printing out recovery codes on dead tree paper and saving them in the bank vault that we all obviously have?
-
-
because a FIDO key is also paired to the website's TLS certificate?
-
The key generates a digital signature that includes the domain name of the current page. The phishing site can forward the signature to the real site, but it won't validate because it will contain the phishing domain, not the real domain.