yanNov 14, 2022

nobody:

absolutely nobody:

yubikey: cccjgjgkhcbbcvchfkfhiiuunbtnvgihdfiktncvlhck

Show threadGlyphNov 15, 2022
@bcrypt i always just thought these were funny until I found out they were dangerous https://xeiaso.net/blog/push-2fa-considered-harmful
Push notification two-factor auth considered harmful

Push notification two-factor auth considered harmful - Xe's Blog

Xe's Blog
Show threadijk64
@glyph @bcrypt TLDR:
“Unlike SMS or email OTPs, which typically expire after a short period, Yubikey OTPs are valid until they, or a later generated code, are used for authentication. Until then, your authentication is vulnerable to a buffered replay attack”
(I’d forgotten this!)
Nov 15, 2022 at 7:56amWeb