
[return to "A Tour of WebAuthn"]
1. ggm+sm 2024-12-26 22:01:16
>>caust1+(OP)
It interested me how quickly all of my auth methods started to include "pick the right one of three presented numbers" tests after TOTP got widespread. I'm guessing there is some replay method which they wanted to prevent? This is distinct from in-protocol large random value challenges; it must be to ensure a Hooman, or very numerate dog, is actually present.
2. g_p+Ps 2024-12-26 23:08:48
>>ggm+sm
TOTP codes are phishable and replayable in real-time - both via web (visiting the wrong site which asks for a TOTP and relays it within a few seconds), and via social engineering over the phone (give us one of the codes to prove it's you and we can keep your account safe).

Adding number matching or similar helps ensure that the same user is initiating the session as is approving it - an issue when people discovered that Microsoft (among others) would do push messages to authenticate a login, and that users (if spammed late at night with constant requests) would often eventually hit allow to stop the notifications.
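The session binding described in this reply, as an added illustration that is not part of either comment: the server shows one number only on the login screen and pushes it with two decoys to the device, so an approver who cannot see that screen has a single one-in-three guess per session and every miss fails the session closed. Names (`start_login`, `approve`, `LoginSession`) and the 3-option, two-digit layout are constructed for the example.

```python
"""Number-matching push approval: the approver must prove they can see the
login screen that started the session. Constructed example, not vendor code."""
import secrets
from dataclasses import dataclass

N_OPTIONS = 3          # how many numbers the authenticator app shows
NUMBER_RANGE = 100     # two-digit numbers, as the text describes


@dataclass
class LoginSession:
    session_id: str
    username: str
    shown_number: int              # displayed only on the login screen
    options: list[int]             # pushed to the enrolled device
    state: str = "pending"         # pending | approved | denied


def start_login(username: str) -> LoginSession:
    """Begin a login: pick the number shown on the login page and build the
    option set pushed to the device (the correct number plus distinct decoys)."""
    shown = secrets.randbelow(NUMBER_RANGE)
    options = {shown}
    while len(options) < N_OPTIONS:
        options.add(secrets.randbelow(NUMBER_RANGE))
    shuffled = list(options)
    secrets.SystemRandom().shuffle(shuffled)  # correct one is not always first
    return LoginSession(secrets.token_hex(16), username, shown, shuffled)


def approve(session: LoginSession, chosen: int) -> bool:
    """Device-side approval. A plain allow/deny push gives a spammer a fresh
    chance on every notification; here a wrong pick denies the session and
    no further answer for it is accepted, so fatigue cannot be converted
    into an approval and each miss is a visible, loggable denial."""
    if session.state != "pending":
        return False
    if chosen == session.shown_number:
        session.state = "approved"
        return True
    session.state = "denied"
    return False


if __name__ == "__main__":
    s = start_login("alice")
    print("login screen shows:", s.shown_number)
    print("device offers:", s.options)
    print("approved:", approve(s, s.shown_number), "state:", s.state)
```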
