• Polar@lemmy.ca
    link
    fedilink
    arrow-up
    3
    ·
    2 years ago

    How is a TOTP not secure? It’s a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.

    • Enekk@lemmy.world
      cake
      link
      fedilink
      arrow-up
      7
      ·
      edit-2
      2 years ago

      The attack vector is as follows:

      1. Evil.com phishes a user and asks for username and password for Good.com
      2. Evil.com immediately relays those credentials to Good.com
      3. Good.com asks Evil.com for TOTP
      4. Evil.com asks victim for TOTP
      5. Evil.com relays TOTP to Good.com and does a complete account takeover

      The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it’ll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).