zlacker

[return to "A Tour of WebAuthn"]
1. ggm+sm 2024-12-26 22:01:16
>>caust1+(OP)
It interested me how quickly all of my auth methods started to include "pick the right one of three presented numbers" tests after TOTP got widespread. I'm guessing there is some replay method which they wanted to prevent? This is distinct from in-protocol large random value challenges; it must be to ensure a Hooman, or very numerate dog, is actually present.
2. hirsin+sC 2024-12-27 01:15:41
>>ggm+sm
Pick the right number is not secure (enough), unfortunately - MFA exhaustion leads to users hitting one of three at random in an attempt to "make the notifications stop" (that are, naturally, being spammed by the attacker with a password but no MFA).

The attacker just has to spam them a few dozen times to get the victim to pick the right one at random and let the attacker in.

This is why it's switched on good platforms to "type in the number you see", which mitigated this.

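An added example (not from the thread) that puts numbers on the comment above: how quickly random tapping on a "pick one of three" prompt lets a push-spamming attacker in, and a simple detector over constructed push-challenge log events for the burst pattern the comment describes.

```python
from collections import defaultdict
from datetime import datetime


def spam_success_probability(attempts: int, choices: int = 3) -> float:
    """Chance that a victim who taps one of `choices` options at random, just to
    make the notifications stop, approves the attacker at least once within
    `attempts` pushes. For pick-one-of-three this is 1 - (2/3)**attempts."""
    return 1.0 - ((choices - 1) / choices) ** attempts


def pushes_needed(target: float, choices: int = 3) -> int:
    """Smallest number of pushes giving the attacker at least `target`
    probability of success against a randomly tapping victim."""
    n = 0
    while spam_success_probability(n, choices) < target:
        n += 1
    return n


# Constructed sample of push-challenge events: (user, ISO timestamp, outcome).
# "alice" receives a burst of challenges she never approves; "bob" is normal.
SAMPLE_EVENTS = [
    ("alice", "2024-12-27T01:00:05", "denied"),
    ("alice", "2024-12-27T01:00:40", "denied"),
    ("alice", "2024-12-27T01:01:10", "ignored"),
    ("alice", "2024-12-27T01:01:35", "denied"),
    ("alice", "2024-12-27T01:02:00", "ignored"),
    ("alice", "2024-12-27T01:02:30", "denied"),
    ("bob",   "2024-12-27T01:00:00", "approved"),
    ("bob",   "2024-12-27T01:45:00", "approved"),
]


def fatigue_alerts(events, window_s: int = 300, threshold: int = 5) -> set:
    """Flag users who received `threshold` or more push challenges inside any
    sliding window of `window_s` seconds, the signature of MFA exhaustion
    (password known, second factor being hammered)."""
    per_user = defaultdict(list)
    for user, ts, _outcome in events:
        per_user[user].append(datetime.fromisoformat(ts))
    flagged = set()
    for user, stamps in per_user.items():
        stamps.sort()
        start = 0
        for end, t in enumerate(stamps):
            # Shrink the window from the left until it spans <= window_s seconds.
            while (t - stamps[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged
```

The threshold and window are constructed values; tune them to the real push volume of the tenant before alerting on them.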
3. lxgr+UP 2024-12-27 04:49:45
>>hirsin+sC
That's slightly better against people essentially accidentally letting attackers in, but still completely phishable by e.g. tech support scammers.

The big advantage of WebAuthn is that (at least for sane implementations, including all I've seen) there just is no way to enter an attacker-provided number and/or supply a displayed code to an attacker.
