zlacker

1. jsprog+(OP) 2015-10-19 01:25:14
Also, how will sending a new password to your cell phone help? If you are dealing with state sponsored actors, why not assume they can see all text and email?
replies(2): >>Lafore+d >>johnco+c1
2. Lafore+d 2015-10-19 01:27:45
>>jsprog+(OP)
A two-factor authentication token is sent via text, not the actual password.

That said, I find SMS-based 2FA to be pretty dodgy as well. Cloudflare was hacked once by somebody who managed to gain access to an admin's mobile phone by social engineering their telco. If a site does not offer TOTP-based 2FA I usually don't bother using it.

replies(2): >>jsprog+O >>suneil+F2
3. jsprog+O 2015-10-19 01:39:06
>>Lafore+d
I didn't say the actual password. The page wasn't very forthcoming on all the details, but a 2FAT is typically just a very short, temporary password.
4. johnco+c1 2015-10-19 01:49:43
>>jsprog+(OP)
If the actor is not sponsored by a state that would have easy access to your telecom (e.g. you live in the US but the attack is from a hacker sponsored by China) this is still very helpful.
5. suneil+F2 2015-10-19 02:24:58
>>Lafore+d
How does TOTP compare to HOTP?
replies(1): >>Lafore+1a
6. Lafore+1a 2015-10-19 04:57:17
>>suneil+F2
HOTP tokens do not expire with time, so there is a bigger risk of them being stolen from transit/storage and successfully used.
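The HOTP/TOTP difference discussed in this thread, as an added example that is not part of the original posts: both algorithms are the same HMAC truncation (RFC 4226); TOTP (RFC 6238) just derives the counter from the clock. The code uses the RFC 4226 test key `12345678901234567890`, a constructed `last_counter`, and a constructed capture time `t0`; `verify_hotp`, `verify_totp` and `demonstrate` are example names, not a library API. It shows why a code captured in transit is riskier with HOTP: the server accepts it until the user advances the counter past it, whereas the TOTP code stops validating once its time window (here 30 s, with one step of clock skew) has passed.

```python
import hmac
import hashlib
import struct
import time

# RFC 4226 test secret (ASCII "12345678901234567890"); a real deployment
# uses a random per-user secret, typically shared as base32.
KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = time.time()
    return hotp(secret, int(for_time) // step, digits)


def verify_hotp(secret: bytes, code: str, last_counter: int, window: int = 5):
    """Server-side HOTP check with a look-ahead window for lost presses.

    Returns the matching counter (which the server must then store as the new
    last_counter so the code cannot be replayed), or None on failure.
    """
    for c in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(secret, c), code):
            return c
    return None


def verify_totp(secret: bytes, code: str, at_time, step: int = 30, skew: int = 1) -> bool:
    """Server-side TOTP check accepting +/- `skew` time steps of clock drift."""
    t = int(at_time) // step
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(t - skew, t + skew + 1))


def demonstrate(secret: bytes = KEY):
    """Replay a captured code against each scheme; returns three booleans."""
    # Constructed scenario: server last saw counter 2, attacker captures the
    # code for counter 3 before the user submits it.
    stolen_hotp = hotp(secret, 3)
    # Still accepted no matter how much wall-clock time has passed.
    hotp_still_valid = verify_hotp(secret, stolen_hotp, last_counter=2) is not None

    t0 = 1111111109  # constructed capture time (an RFC 6238 test vector)
    stolen_totp = totp(secret, t0)
    totp_now = verify_totp(secret, stolen_totp, t0)          # inside the window
    totp_later = verify_totp(secret, stolen_totp, t0 + 300)  # five minutes on
    return hotp_still_valid, totp_now, totp_later


if __name__ == "__main__":
    print(demonstrate())  # (True, True, False)
```

Note that TOTP only narrows the replay window; a code phished and relayed within the same 30 s step still works, which is why servers also reject reuse of the exact step already accepted, and why the thread's preference for a device-bound code over SMS delivery matters for the capture risk in the first place.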