Hi,

As Collin mentioned, my question is simple and the only person who answered it
is Nadim. I know all the stuff that you said, but I want to know the lifetime
of the code that Google sends via SMS.

I know the code lifetime for the Google Authenticator apps is around 32
seconds but I don't have any idea about the SMS code.

Thanks,

Amin


On 28 August 2014 01:05, Collin Anderson <col...@averysmallbird.com> wrote:

> In this case, it appears that the victims were deceived by a well-attended
> phishing campaign into giving up both their password and their SMS-provided
> 2FA code. Amin is simply asking what the lifetime of that code is, since it
> is not nearly as short as the Authenticator-provided number.
>
>
> On Wed, Aug 27, 2014 at 6:46 PM, John Adams <j...@retina.net> wrote:
>
>> I don't know where you're getting your information from, but I audited
>> Google's 2FA when I worked at Twitter.  The attack scenario that is
>> described here is simply not possible without the endpoint being
>> owned.
>>
>> Code replay is not possible. Once a code is accepted, it cannot be
>> used again to log in.
>>
>> The SMS attack is substantially more likely, but you can disable SMS
>> codes in preferences. You should not use SMS at all if you can avoid
>> it.
>>
>> Additionally, in order to get past 2FA, the attacker would have to
>> have the user's password. All of this points to some sort of remote
>> access tool or keylogger being active on the activist's machine.
>>
>> -j
>>
>>
>> On Wed, Aug 27, 2014 at 10:08 AM, Nadim Kobeissi <nadim@nadim.computer>
>> wrote:
>> > The two-step verification used by Google is based on the TOTP protocol [1],
>> > which is the open standard for this sort of thing.
>> >
>> > To answer your questions Amin:
>> >
>> > 1. Tokens last 60 seconds according to the TOTP standard.
>> > 2. Your journalist friends would be very well-advised to use an app [2]
>> > instead of SMS codes. By using an authenticator app, they will be able to
>> > obtain codes without using SMS and even with their phone completely not
>> > connected to a network.
>> >
>> > [1] http://tools.ietf.org/html/rfc6238
>> > [2] https://support.google.com/accounts/answer/1066447?hl=en
>> >
>> >
>> >
>> > On Wed, Aug 27, 2014 at 11:29 AM, Amin Sabeti <aminsab...@gmail.com>
>> wrote:
>> >>
>> >> Hi,
>> >>
>> >> Recently, a bunch of Iranian journalists/activists have been targeted by
>> >> Iranian hackers.
>> >>
>> >> Some of them said their 2-step verification was active during the attack,
>> >> but the hacker could reuse the code that was sent by Google via SMS and pass
>> >> 2-step verification!
>> >>
>> >> I was wondering if some folks here know the validation time for the
>> >> 2-step verification code that users receive through SMS, not the app.
>> >>
>> >> Cheers,
>> >>
>> >> Amin
>> >>
>> >> --
>> >> Liberationtech is public & archives are searchable on Google. Violations
>> >> of list guidelines will get you moderated:
>> >> https://mailman.stanford.edu/mailman/listinfo/liberationtech. Unsubscribe,
>> >> change to digest, or change password by emailing moderator at
>> >> compa...@stanford.edu.
>> >
>
>
> --
> *Collin David Anderson*
> averysmallbird.com | @cda | Washington, D.C.
>
>
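The TOTP mechanism Nadim points to (RFC 6238) and the one-time acceptance John describes, as an added example that is not from any poster in the thread: a minimal TOTP generator plus a server-side verifier that accepts a code only inside a small time window and rejects replay of a time step that has already been accepted. The 30-second step, 6 digits and the one-step tolerance window are RFC 6238 defaults assumed here; the thread says nothing about how Google's SMS codes are parameterised, and this code does not model them.

```python
import hashlib
import hmac
import struct

# Assumed parameters: RFC 6238 defaults (30-second step, HMAC-SHA1, 6 digits).
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to floor(unix_time / step),
    so a code is only valid for the time step it was derived from."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server side: accept a code in [T-window, T+window] and never twice."""

    def __init__(self, secret: bytes, window: int = 1,
                 step: int = STEP_SECONDS, digits: int = DIGITS):
        self.secret, self.window, self.step, self.digits = secret, window, step, digits
        self.used_steps: set[int] = set()  # time steps already redeemed

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for step in range(current - self.window, current + self.window + 1):
            if step in self.used_steps:
                continue  # already redeemed: a replayed code is refused
            if hmac.compare_digest(hotp(self.secret, step, self.digits), code):
                self.used_steps.add(step)
                return True
        return False  # wrong code, or a code whose time step has expired


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret
    verifier = TotpVerifier(secret)
    code = totp(secret, 59)
    print(code, verifier.verify(code, 59), verifier.verify(code, 59),
          verifier.verify(code, 59 + 300))
```

The three verifier calls in the demo show the lifecycle: first use accepted, immediate replay refused, and the same code refused again once its time step has fallen out of the window.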