On 20 November 2022 at 17:55:18 UTC, Ken Simpson <[email protected]> wrote:

>One-time passwords can always be man-in-the-middle'd, since there's no way
>for the user to determine whether or not there is someone in the middle
>snooping their OTP and password. The phishing attack only has to deceive
>the user into entering their password and their OTP, both of which can then
>be forwarded to the real login page behind the scenes.

Now we are back at the start (my first message): OTP solves the problem only partially -- the user doesn't need to take action, as passwords will expire soon, often sooner than the password would be changed by the user. And by this, OTP doesn't solve sending SPAM from leaked passwords + OTP, as while the token is valid, they can misuse the victim's account and send tons of SPAM in a relatively short time. And one still has to apply some form of rate limiting...

>Still, OTP is considered better than SMS because of attacks on the mobile
>infrastructure that allow bad guys to potentially receive your SMS
>messages, whereas the OTP code is generated directly on your device.

I am aware of the SMS weakness; in theory (I never tried) I am able to realize it, no need to discuss this.

>Hopefully, WebAuthn <https://www.w3.org/TR/webauthn-2/> gains traction,
>making passwords irrelevant by allowing devices to maintain a secure
>authentication key for each website within a trusted execution environment
>such as Apple's so-called "Secure Enclave."

Hmm, I am not aware of that and I am not sure if I want to leave it to the browser (or device) to decide if I am logged in or not. Sooner or later it will be misused and leave users in a middle state -- you will not be logged in, but the site will be able to identify you. Anyway, at first look it seems to make a SPAM flood from compromised devices even simpler, and you will see the real user's IP on the server side.

regards

-- 
Slavko
https://www.slavino.sk/

_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
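Added example (not code from this thread or from any project): a minimal TOTP verifier beside a WebAuthn-style assertion check, showing in code the quoted point that an OTP carries nothing about the site it was typed into, while the assertion's signed client data includes the origin the browser actually connected to, so the real site's verifier rejects one produced on another origin. Assumed simplifications: an HMAC stands in for WebAuthn's public-key signature and one shared key replaces per-site credentials; the origins, clock and challenge are constructed, and the OTP secret is the RFC 4226 test secret.

```python
import hashlib, hmac, json, secrets, struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30) -> bool:
    # The verifier only knows the shared secret and the clock: nothing in the
    # code says which site the user typed it into, so a code harvested on a
    # lookalike page and forwarded within the time step verifies normally.
    return hmac.compare_digest(hotp(secret, now // step), code)


def make_assertion(key: bytes, origin: str, challenge: str) -> dict:
    # Authenticator side (simplified, HMAC instead of a public-key signature):
    # the browser, not the user, fills in the origin it is connected to.
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True,
    )
    sig = hmac.new(key, client_data.encode(), hashlib.sha256).hexdigest()
    return {"clientDataJSON": client_data, "signature": sig}


def verify_assertion(key: bytes, assertion: dict, expected_origin: str,
                     expected_challenge: str) -> bool:
    # Relying-party side: reject before even checking the signature if the
    # signed origin or challenge is not the one this site issued.
    data = json.loads(assertion["clientDataJSON"])
    if data.get("origin") != expected_origin or data.get("challenge") != expected_challenge:
        return False
    expected = hmac.new(key, assertion["clientDataJSON"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])


def origin_binding_demo(real: str = "https://example.com",
                        lookalike: str = "https://example.com.login-check.invalid") -> dict:
    # Constructed scenario: what the real site's verifier sees when the user
    # is on a lookalike origin (fixed clock, RFC 4226 test secret, random key).
    otp_secret, key = b"12345678901234567890", secrets.token_bytes(32)
    now, challenge = 1700000000, "constructed-challenge"
    code = hotp(otp_secret, now // 30)                      # typed by the user, forwarded as-is
    assertion = make_assertion(key, lookalike, challenge)   # origin stamped by the browser
    return {"otp_accepted": verify_totp(otp_secret, code, now),
            "assertion_accepted": verify_assertion(key, assertion, real, challenge)}
```

`origin_binding_demo()` returns `{"otp_accepted": True, "assertion_accepted": False}`: the same relay that passes the OTP check fails the origin check, which is the property the thread credits to WebAuthn.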
