I don't know where you're getting your information from, but I audited Google's 2FA when I worked at Twitter. The attack scenario that is described here is simply not possible without the endpoint being owned.

Code replay is not possible. Once a code is accepted, it cannot be used again to log in. The SMS attack is substantially more likely, but you can disable SMS codes in preferences. You should not use SMS at all if you can avoid it. Additionally, in order to get past 2FA, the attacker would have to have the user's password. All of this points to some sort of remote access tool or keylogger being active on the activist's machine.

-j

On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi <nadim@nadim.computer> wrote:
> The two-step verification used by Google is based on the TOTP protocol [1]
> which is the open standard for this sort of thing.
>
> To answer your questions Amin:
>
> 1. Tokens last 60 seconds according to the TOTP standard.
> 2. Your journalist friends would be very well-advised to use an app [2]
> instead of SMS codes. By using an authenticator app, they will be able to
> obtain codes without using SMS and even with their phone completely not
> connected to a network.
>
> [1] http://tools.ietf.org/html/rfc6238
> [2] https://support.google.com/accounts/answer/1066447?hl=en
>
> On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsab...@gmail.com> wrote:
>> Hi,
>>
>> Recently, a bunch of Iranian journalists/activists have been targeted by
>> Iranian hackers.
>>
>> Some of them said their 2-step verification was active during the attack,
>> but the hacker could reuse the code that was sent by Google via SMS and
>> passed 2-step verification!
>>
>> I was wondering whether some folks here know the validation time for the
>> 2-step verification code that users receive through SMS, not the app.
>>
>> Cheers,
>>
>> Amin
>>
>> --
>> Liberationtech is public & archives are searchable on Google. Violations
>> of list guidelines will get you moderated:
>> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
>> change to digest, or change password by emailing moderator at
>> compa...@stanford.edu.