Hi Slavko,

Not all 2FA approaches are equal. The most robust 2FA systems are ones in which both the service and the second-factor client robustly authenticate each other. Two-way authentication eliminates the possibility that someone can sit in the middle of the second-factor exchange to gain access.
For example, if SMS is used as the second factor, an attacker can present a convincing website that collects your password and forwards it to the service you are trying to log in to. That convincing website can also ask you for the SMS code the service sends to your device, passing the second factor along and completing the login. The same goes for OTP systems like Authy or Google Authenticator.

With the advent of the secure enclave and other trusted execution environments in mobile devices, services can now rely on an encrypted exchange with your mobile device as the second factor. Many large, frequently phished services, such as Google and Adobe, provide a dedicated authentication app that fulfills this purpose. Enterprise options like Duo perform the same function.

FIDO U2F keys are yet another very secure 2FA option. These devices participate in a secure exchange with the service, with the web browser only acting as an intermediary to carry encrypted data between the hardware key and the service itself. A phishing site would not gain anything of value by intercepting the hardware key's information because the data is encrypted directly with the service and cannot be tampered with by an intermediary.

Unfortunately, authentication is only as secure as the weakest link. If a service offers a weak two-factor option, some users will opt for that, and their accounts will be less secure and more open to phishing.

Regards,
Ken

On Sat, Nov 19, 2022 at 7:51 AM Slavko via mailop <mailop@mailop.org> wrote:

> Hi all,
>
> Recently I searched GitHub projects to find some tools/templates for
> phishing messages, as I want to train my colleagues (I am not
> interested in real phishing).
>
> As a result I found one Go project for that, but I found a lot of projects,
> which declare themselves as for training/learning of course, with phished
> site templates/copies, and some of them declare that they are
> able even to get 2FA OTPs. I have no links to them and I didn't inspect
> in detail how it works, as I am not interested in that. I only remember
> that they catch OTPs too by some way in their site copies.
>
> But my curiosity grows with time on the topic of what 2FA solves then,
> thus I want to ask about it here, in hope to better understand it.
>
> Please, can it be really as "simple"? If yes, then my understanding is
> that 2FA doesn't solve the leaked passwords problem, as advertised
> by many sites, but it solves only that this problem will be self-solved
> as the token expires (a week or two), without the user's password changes.
> Is my understanding right?
>
> If yes, then 2FA is not the holy grail of solving the SPAM & leaked
> passwords problem, as an attacker can send a lot of SPAM via this
> phished account (ignore rate limiting for now) until the OTP expires.
> Right?
>
> Or am I missing something?
>
> thanks
>
> --
> Slavko
> https://www.slavino.sk/
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop

-- 
Ken Simpson
CEO, MailChannels
https://www.mailchannels.com/
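An added example, not part of Ken's reply or of any project mentioned in the thread, that models why a relay phishing page can forward an SMS or TOTP code but not a U2F/WebAuthn assertion. The property comes from a signature rather than encryption: the browser, not the page's JavaScript, records the origin it is running on in the client data; the hardware key keeps one credential per relying-party ID and signs over that ID together with the client data; and the service checks the origin and recomputes the digest with its own ID before accepting. The Go below is a constructed, stripped-down model (no user-presence flag or signature counter) with invented names; Authenticator, BrowserGet, RelyingParty and Login are not any real library's API. main runs the genuine login, then the two ways a look-alike site can try to relay a real challenge.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Constructed, simplified model of a WebAuthn/U2F login assertion. All names
// are invented for illustration; this is not any real library's API.
// clientData is written by the browser, never by page JS, so a phishing page cannot lie about its origin.
type clientData struct{ Challenge, Origin string }

// Authenticator keeps one key per relying-party ID, like a U2F key handle bound to its appId.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

func (a *Authenticator) MakeCredential(rpID string) *ecdsa.PublicKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[rpID] = k
	return &k.PublicKey
}

// GetAssertion signs sha256(sha256(rpID) || clientDataHash); the origin sits inside that hash.
func (a *Authenticator) GetAssertion(rpID string, clientDataHash []byte) ([]byte, error) {
	k, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("authenticator: no credential scoped to " + rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], clientDataHash...))
	return ecdsa.SignASN1(rand.Reader, k, digest[:])
}

// BrowserGet models the user agent: the page chooses rpID and relays the challenge,
// but the browser fills in the true origin and refuses an rpID the origin may not claim.
func BrowserGet(auth *Authenticator, origin, rpID, challenge string) (cd, sig []byte, err error) {
	host := strings.TrimPrefix(origin, "https://")
	if host != rpID && !strings.HasSuffix(host, "."+rpID) {
		return nil, nil, fmt.Errorf("browser: origin %q may not use rpID %q", origin, rpID)
	}
	cd, _ = json.Marshal(clientData{challenge, origin})
	h := sha256.Sum256(cd)
	sig, err = auth.GetAssertion(rpID, h[:])
	return cd, sig, err
}

// RelyingParty is the service. It checks the origin itself and recomputes the digest
// from its own RPID, so even a broken client cannot pass off another site's assertion.
type RelyingParty struct {
	Origin, RPID, Challenge string
	Pub                     *ecdsa.PublicKey
}

func (rp *RelyingParty) Verify(cdJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != rp.Challenge {
		return errors.New("rp: stale or unknown challenge")
	}
	if cd.Origin != rp.Origin {
		return fmt.Errorf("rp: assertion was made at %q, not at %q", cd.Origin, rp.Origin)
	}
	rpHash, h := sha256.Sum256([]byte(rp.RPID)), sha256.Sum256(cdJSON)
	digest := sha256.Sum256(append(rpHash[:], h[:]...))
	if !ecdsa.VerifyASN1(rp.Pub, digest[:], sig) {
		return errors.New("rp: signature does not verify")
	}
	return nil
}

// Login is one ceremony: fresh challenge, browser at browserOrigin asks for rpID, RP verifies.
func Login(rp *RelyingParty, auth *Authenticator, browserOrigin, rpID string) error {
	nonce := make([]byte, 16)
	rand.Read(nonce) // crypto/rand; a real service would also store the nonce per session
	rp.Challenge = fmt.Sprintf("%x", nonce)
	cd, sig, err := BrowserGet(auth, browserOrigin, rpID, rp.Challenge)
	if err != nil {
		return err
	}
	return rp.Verify(cd, sig)
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{Origin: "https://login.example.com", RPID: "example.com", Pub: auth.MakeCredential("example.com")}
	fmt.Println("genuine site:", Login(rp, auth, "https://login.example.com", "example.com"))
	// A relay phishing page forwards the real challenge but runs at its own origin.
	fmt.Println("phish, claims example.com:", Login(rp, auth, "https://login.example.com.evil.test", "example.com"))
	fmt.Println("phish, uses evil.test:", Login(rp, auth, "https://login.example.com.evil.test", "evil.test"))
}
```

An OTP relay works for the simple reason that a six-digit code carries no origin: the same string is valid whether the user typed it at the real site or at the look-alike. Here the relay fails at the browser (the phishing origin may not claim example.com as its rpID), at the authenticator (it holds no credential for evil.test), and, should both of those be bypassed by a non-compliant client, at the relying party, which finds the foreign origin inside the signed client data.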