zlacker

[parent] [thread] 4 comments
1. esseph+(OP)[view] [source] 2025-07-25 23:59:10
TOTP is able to be intercepted on the device.
replies(1): >>bramha+W
2. bramha+W[view] [source] 2025-07-26 00:06:11
>>esseph+(OP)
Yes, and that's also true for SMS messages and your passwords. That is why having MFA is important.
replies(1): >>esseph+h6
◧◩
3. esseph+h6[view] [source] [discussion] 2025-07-26 00:56:10
>>bramha+W
You can't intercept a passkey in the same way.

It is also far less likely to be phished, and there is nothing transmitted.

TOTP is the modern WPA2 of security - it's just not good enough when better alternatives exist.

replies(1): >>lieuwe+tR
◧◩◪
4. lieuwe+tR[view] [source] [discussion] 2025-07-26 11:31:06
>>esseph+h6
What kind of risk profile does one have when it is likely that both the password is known and malware has been installed on the phone, but also just access to an ephemeral login session by the attacker (which could be obtained even when using a secure enclave by waiting for the user to authenticate by themselves) would not be enough?
replies(1): >>esseph+zp1
◧◩◪◨
5. esseph+zp1[view] [source] [discussion] 2025-07-26 16:44:03
>>lieuwe+tR
> password is known

What password?

[go to top]