On 2022-11-20 at 18:58 +0000, Slavko via mailop wrote:
> On 20 November 2022 at 17:55:18 UTC, user Ken Simpson <
> ksimp...@mailchannels.com> wrote:
> > One-time passwords can always be man-in-the-middle'd, since there's
> > no way for the user to determine whether or not there is someone in
> > the middle snooping their OTP and password. The phishing attack only
> > has to deceive the user into entering their password and their OTP,
> > both of which can then be forwarded to the real login page behind
> > the scenes.
>
> Now we are back at the start (my first message): OTP solves the problem
> only partially -- the user doesn't need to take action, as passwords
> will expire soon, often sooner than the password would be changed by
> the user.
>
> And by this, OTP doesn't solve sending SPAM from leaked passwords
> + OTP, as while the token is valid, they can misuse the victim's account
> and send tons of SPAM in a relatively short time. And one still has to
> apply some form of rate limiting...

An OTP would be valid for *seconds*. Maybe even *minutes*. That greatly
reduces the risks of password stealing.

Of course, a system could require an OTP for login, but once the attacker
authenticates "live", the session might end up open in the bad guy's
browser for months...

>
> > Hopefully, WebAuthn <https://www.w3.org/TR/webauthn-2/> gains
> > traction, making passwords irrelevant by allowing devices to
> > maintain a secure authentication key for each website within a
> > trusted execution environment such as Apple's so-called "Secure
> > Enclave."
>
> Hmm, I am not aware of that and I am not sure if I want to leave it to
> the browser (or device) to decide if I am logged in or not. Sooner or
> later it will be misused and leave users in a middle state -- you will
> not be logged in, but the site will be able to identify you.

WebAuthn uses a "device" which will provide an authentication _for a given
website_. That should remove the risk of leaking your password to a fake
website, as it would be a different URL.

> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://list.mailop.org/listinfo/mailop
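The contrast drawn in this thread, that a relayed OTP is accepted by the real site whereas a WebAuthn assertion is bound to the site's origin and is not, as an added Python example; this is not code from the original thread or from any of its participants. It uses only the standard library: TOTP per RFC 6238, and a simplified WebAuthn-style assertion in which an HMAC under a per-site key stands in for the authenticator's ECDSA signature over authenticatorData and the hash of clientDataJSON. The origins bank.example and evil.example, the TOTP seed and the relay delays are constructed values.

```python
import hashlib
import hmac
import json
import secrets
import struct

# --- One-time password (TOTP, RFC 6238) -------------------------------------

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """Standard TOTP: HMAC-SHA1 over the time-step counter, dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def otp_login_relayed(secret: bytes, victim_time: int, relay_delay: int) -> bool:
    """A phishing proxy forwards the victim's code `relay_delay` seconds later.
    The real site cannot tell who typed it: it only checks that the code
    matches the current time step (strict single window, no clock skew)."""
    code_from_victim = totp(secret, victim_time)
    return hmac.compare_digest(totp(secret, victim_time + relay_delay), code_from_victim)


# --- WebAuthn-style assertion, origin-bound (simplified) --------------------
# A real authenticator signs with a per-site ECDSA key; here an HMAC with a
# per-site key stands in for that signature so no extra library is needed.

def register(authenticator: dict, rp_id: str) -> bytes:
    """Create a credential scoped to rp_id; the RP stores the returned key."""
    authenticator[rp_id] = secrets.token_bytes(32)
    return authenticator[rp_id]


def browser_get_assertion(authenticator: dict, page_origin: str, challenge: str):
    """The browser, not the page, fills in `origin` and derives the RP ID from it.
    WebAuthn only lets a page use an RP ID that is its own host or a registrable
    suffix of it, so https://evil.example cannot request a bank.example credential."""
    rp_id = page_origin.split("://", 1)[1].split("/")[0].split(":")[0]
    key = authenticator.get(rp_id)
    if key is None:
        return None                      # no credential scoped to this site
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin},
        sort_keys=True).encode()
    authenticator_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
    signed = authenticator_data + hashlib.sha256(client_data).digest()
    return {"client_data": client_data,
            "authenticator_data": authenticator_data,
            "signature": hmac.new(key, signed, hashlib.sha256).digest()}


def rp_verify(assertion, expected_origin: str, rp_id: str,
              expected_challenge: str, stored_key: bytes) -> bool:
    """Relying-party checks from the WebAuthn spec: type, challenge, origin,
    rpIdHash, then the signature over authenticatorData || hash(clientDataJSON)."""
    if assertion is None:
        return False
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False                     # assertion was made for another site
    if assertion["authenticator_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(stored_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["signature"])


REAL_ORIGIN, RP_ID = "https://bank.example", "bank.example"   # constructed
PHISH_ORIGIN = "https://evil.example"                           # constructed


def webauthn_login(page_origin: str, phish_has_own_credential: bool = False) -> bool:
    """Victim registered with the real site; the page at `page_origin` asks the
    browser for an assertion and forwards it to the real site's login endpoint."""
    authenticator = {}
    stored_key = register(authenticator, RP_ID)
    if phish_has_own_credential:           # victim also has an account at evil.example
        register(authenticator, "evil.example")
    challenge = secrets.token_urlsafe(16)  # issued by the real RP, relayed by the proxy
    assertion = browser_get_assertion(authenticator, page_origin, challenge)
    return rp_verify(assertion, REAL_ORIGIN, RP_ID, challenge, stored_key)


if __name__ == "__main__":
    seed = b"constructed-totp-seed"
    print("OTP relayed within the same 30 s step:", otp_login_relayed(seed, 1_000_000, 10))
    print("OTP relayed after the step expired:   ", otp_login_relayed(seed, 1_000_000, 40))
    print("WebAuthn login at the real site:      ", webauthn_login(REAL_ORIGIN))
    print("WebAuthn relayed via phishing site:   ", webauthn_login(PHISH_ORIGIN))
    print("...even with an evil.example credential:",
          webauthn_login(PHISH_ORIGIN, phish_has_own_credential=True))
```

The two relayed cases show the difference in where the binding lives: the OTP is bound only to time, so a proxy that forwards it inside the validity window is indistinguishable from the user, while the assertion carries the origin the browser observed and the hash of the RP ID the credential was scoped to, so the real site rejects anything minted on a different origin no matter how fast it is relayed. The `phish_has_own_credential` case exercises the origin check in `rp_verify` rather than the browser's RP ID scoping.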