Comments
ha, yeah let's replace passwords with codes sent via fuckin email. a service with security as a patchwork of bolt-on crap that barely works and is itself dependent on other services where security was an afterthought… like DNS.
awesome!
If I get the reply from @melmi@lemmy.blahaj.zone right, the medium doesn’t matter. As in this scenario, you are telling the fake service yourself the secret code.
Email is more secure than SMS and we use that too!
haha yeah I totally forgot about that ridiculously insecure part!
I bet that's why they are attempting to retire the SMS piece and push everyone to an 'authenticator' app
An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can’t know for sure if the code is supposed to be entered in the right place. Password managers (a usual defense against phishing) can’t help you either.
I don't understand. Is the email already compromised? Gmail requires two-factor authentication via Android to log into your email on new devices, so there's that.
No, this is a phishing attack. Attackers create a fake website that asks for your email. You give your email, then they relay that address to the legitimate service. The legitimate service sends you an email with a code. The fake service asks for that code. If you give it, they then own your account.
Ah thank you. Makes much more sense.
That’s how password recovery works on most services. So if it’s any consolation, it’s not a new security vulnerability. We are just skipping the charade where I pretend to remember a password.
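The relay described in the thread, as an added toy model that is not part of the original comments: a legitimate service that accepts a 6-digit emailed code from whichever session requested it, and beside it a service whose login proof is bound to the origin the browser is actually on (the property passkeys/WebAuthn have). Everything here is constructed: the email address, the two origins, the in-memory "inbox", and a shared HMAC key standing in for a device key pair. Names such as `CodeLoginService`, `OriginBoundService` and `relay_through_fake_site` are this example's own.

```python
"""Toy model of the relay attack on emailed one-time codes, beside an origin-bound
login proof that the same relay cannot reuse. Constructed example, not any real service."""
import hashlib
import hmac
import secrets

VICTIM_EMAIL = "victim@example.com"                          # constructed sample value
LEGIT_ORIGIN = "https://service.example"                     # constructed
FAKE_ORIGIN = "https://service-example.login-help.example"   # constructed look-alike origin
DEVICE_KEY = secrets.token_bytes(32)                          # stand-in for the user's device key pair


class CodeLoginService:
    """Legitimate service: emails a 6-digit code and accepts it for the session that
    requested it. It cannot learn where the user actually typed the code."""

    def __init__(self):
        self.pending = {}        # session_id -> (email, code)
        self.inbox = {}          # email -> last code; stands in for the mail system
        self.authenticated = set()

    def request_code(self, email):
        session_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[session_id] = (email, code)
        self.inbox[email] = code                 # "send the email"
        return session_id

    def verify(self, session_id, code):
        email, expected = self.pending.pop(session_id, (None, None))
        if expected is not None and hmac.compare_digest(expected, code):
            self.authenticated.add(session_id)
            return True
        return False


def relay_through_fake_site(service):
    """Model of the thread's scenario. Returns True if the attacker's session ends up logged in."""
    # The fake site forwards the victim's address and gets its *own* session id back.
    attacker_session = service.request_code(VICTIM_EMAIL)
    # The victim reads the genuine email and types the code into the fake site.
    code_typed_by_victim = service.inbox[VICTIM_EMAIL]
    # The fake site relays it; the real service sees a valid code for attacker_session.
    return service.verify(attacker_session, code_typed_by_victim)


class OriginBoundService:
    """Service whose login proof covers the origin the browser is on: the device signs
    (challenge, origin), so a proof produced on the fake origin fails at the real one."""

    def __init__(self):
        self.challenges = {}     # session_id -> (email, challenge)

    def request_challenge(self, email):
        session_id = secrets.token_hex(8)
        challenge = secrets.token_hex(16)
        self.challenges[session_id] = (email, challenge)
        return session_id, challenge

    def verify(self, session_id, proof):
        email, challenge = self.challenges.pop(session_id, (None, None))
        if email is None:
            return False
        # The server only ever checks against its own origin.
        expected = sign_on_device(challenge, LEGIT_ORIGIN)
        return hmac.compare_digest(expected, proof)


def sign_on_device(challenge, browser_origin):
    """The user's device includes the origin the browser reports, not what the page claims."""
    msg = f"{challenge}|{browser_origin}".encode()
    return hmac.new(DEVICE_KEY, msg, hashlib.sha256).hexdigest()


def relay_against_origin_bound(service):
    """Same relay as above against the origin-bound service. Returns True if it succeeds."""
    attacker_session, challenge = service.request_challenge(VICTIM_EMAIL)
    # The fake site can forward the challenge, but the proof is made on FAKE_ORIGIN.
    proof = sign_on_device(challenge, FAKE_ORIGIN)
    return service.verify(attacker_session, proof)


def legitimate_login(service):
    """The genuine flow on the real origin still works."""
    session, challenge = service.request_challenge(VICTIM_EMAIL)
    proof = sign_on_device(challenge, LEGIT_ORIGIN)
    return service.verify(session, proof)


if __name__ == "__main__":
    print("emailed code relayed:", relay_through_fake_site(CodeLoginService()))       # True
    print("origin-bound relayed:", relay_against_origin_bound(OriginBoundService()))   # False
    print("origin-bound legit:", legitimate_login(OriginBoundService()))               # True
```

The first half makes the thread's point concrete: `verify` is correct as written, and the weakness is that the code is just a string the user can be talked into typing anywhere. Any code the user reads and retypes, whether it arrives by email, SMS or an authenticator app, has the same property. The second half shows what a login proof needs in order to resist that relay: the browser's own origin has to be part of what is checked, the same reason a password manager refuses to autofill on a look-alike domain.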