by tomtoise 3230 days ago
Forgive the naive question, but would 2FA completely mitigate this attack, assuming that the org trying to access a key vault did not have access to the 2FA device?

No. This article describes an attack where the user has already gained access to the encrypted database, which assumes they have already subverted 2FA.
Ah. Thanks. So the idea is to stop the user before they get that far, I suppose.

Doesn't this hark back to "If the attacker has local access, it's already game over"?

Not really, the databases are designed to be effectively public information. The security comes from the encryption, not OS-level file permission controls!
Has local access plus has a weak master password.