Why not demand HTTPS?
-
I think we should. Working on revising.
-
Nice!! We should partner with you on this.
-
I was hoping you’d say this!
-
Android already seems to be doing something similar: https://developers.google.com/identity/sms-retriever/overview … Your proposed format looks less confusing to human readers, so I'm all for it!
-
We’ve been collaborating with Google on this proposal and are hoping to see a unified approach here.
-
The issue is this approach does not (and can't) mitigate against the SIMSwap threat or SS7 attacks. MNOs have terrible processes for ID & V, and so it is easy to obtain a new SIM and collect the SMS OTPs. If you need out of band then Push Authn (with secure provisioning) is the only way.
-
Regarding hardening, but from the opposite side: couldn’t the website field get an attribute that restricts caller IDs? E.g., assuming http://paypal.com : autocomplete="one-time-code, ;require-match-caller-ids=72972" // only fill a code if it comes from a PayPal SMS account
-
Maybe. Just so I’m clear, what problem are you trying to solve?
They/them, nonbinary, friend.
about app and website authentication at Apple.