Reminder that this isn't just SMS 2FA; TOTP, HOTP, Push Notification login approvals, and similar schemes are equally worthless at preventing phishing, and any vendor telling you otherwise is peddling snake oil. https://twitter.com/seanieb/status/1081943785486123009
Hmm, hold on. Don’t YubiKeys protect against that kind of attack by clever use of domain-specific cookies? And couldn’t you do the same thing with push notifications and a phone app? I doubt anyone does. But I feel like it should work.
You can be sure the notification gets delivered to the right phone but you can't be sure that the user is looking at your page. That's what the domain-specific keys in U2F do.
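The origin binding discussed in this thread, as an added example that is not part of the original tweets: a toy model in which the TOTP code has no input for the page's origin, while the security key signs over the origin reported by the browser. HMAC stands in for U2F's per-origin ECDSA key pair, and the origins, secrets and challenge are constructed placeholders.

```python
import hashlib, hmac, struct

REAL, LOOKALIKE = "https://login.example.com", "https://login.example.net"

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the code depends only on the shared secret and the clock."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Authenticator:
    """Toy security key: a separate key per origin, derived from a device secret."""
    def __init__(self, device_secret: bytes):
        self._secret = device_secret

    def _key_for(self, origin: str) -> bytes:
        return hmac.new(self._secret, origin.encode(), hashlib.sha256).digest()

    def register(self, origin: str) -> bytes:
        # Stand-in for giving the site a public key at enrolment (symmetric here).
        return self._key_for(origin)

    def sign(self, origin: str, challenge: bytes) -> bytes:
        # `origin` comes from the browser's view of the page, not from the user.
        msg = origin.encode() + b"\x00" + challenge
        return hmac.new(self._key_for(origin), msg, hashlib.sha256).digest()

def server_verify(registered: bytes, own_origin: str, challenge: bytes, sig: bytes) -> bool:
    expected = hmac.new(registered, own_origin.encode() + b"\x00" + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def totp_accepted(page_origin: str) -> bool:
    # page_origin is deliberately unused: TOTP has nowhere to put it, so a code
    # typed into any page and forwarded verifies exactly like one typed into REAL.
    secret, now = b"constructed-totp-secret", 1_546_900_000
    code = totp(secret, now)
    return hmac.compare_digest(code, totp(secret, now))

def assertion_accepted(page_origin: str) -> bool:
    key = Authenticator(b"constructed-device-secret")
    registered = key.register(REAL)
    challenge = b"constructed-server-challenge"
    return server_verify(registered, REAL, challenge, key.sign(page_origin, challenge))
```
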
Oh. Right. ._.