by deathanatos
3132 days ago
> A backdoor can sit around and wait for the user to press the button.

There exist 2FA protocols[1] that permit tying the 2FA challenge to a particular context: you can't just take the response from the 2FA hardware and use it anywhere. In this regard, the malware doesn't get anything more than what they already have, and the 2FA still adds protection: if the malware is able to compromise your password (e.g., through keylogging) it doesn't immediately get access to everything you have access to.

Now, of course, if you 2FA for some resource, then yes, at that point, you're probably doomed, but I don't believe that gets the malware anything new (e.g., once the auth is complete, if that results in a "user is logged in" cookie, the malware could just read that, and go to town.)

Compromise of a local machine is definitely bad, and not what you want, but 2FA tokens are not useless, even in that situation.

[1]: https://developers.yubico.com/U2F/Protocol_details/Overview....
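The context binding the comment describes, as an added example that is not part of the comment or of Yubico's code: a relying party checks a U2F-style response against its own origin and challenge, so a response produced for one site or login attempt is rejected elsewhere. It assumes a software P-256 key standing in for the hardware token, the origin used as the appId, and constructed origins, challenge and counter values; the function names are hypothetical.

```javascript
const crypto = require("crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Bytes covered by a U2F authentication signature:
// SHA-256(appId) || user-presence byte || 4-byte counter || SHA-256(clientData)
function signedBytes(appId, counter, clientDataJson) {
  const ctr = Buffer.alloc(4);
  ctr.writeUInt32BE(counter);
  return Buffer.concat([sha256(appId), Buffer.from([0x01]), ctr, sha256(clientDataJson)]);
}

// Browser + token side: the browser, not the page, fills in the origin.
function tokenRespond(privateKey, origin, challenge, counter) {
  const clientData = JSON.stringify({ typ: "navigator.id.getAssertion", challenge, origin });
  const signature = crypto.sign("sha256", signedBytes(origin, counter, clientData), privateKey);
  return { clientData, counter, signature };
}

// Relying-party side: accept only a response made for our origin and our challenge.
function verifyResponse(publicKey, expectedOrigin, expectedChallenge, lastCounter, resp) {
  const cd = JSON.parse(resp.clientData);
  if (cd.origin !== expectedOrigin) return "origin mismatch";
  if (cd.challenge !== expectedChallenge) return "challenge mismatch";
  if (resp.counter <= lastCounter) return "counter not increasing";
  const data = signedBytes(expectedOrigin, resp.counter, resp.clientData);
  return crypto.verify("sha256", data, publicKey, resp.signature) ? "ok" : "bad signature";
}

function demo() {
  // Assumption: one key pair for brevity; a real token uses a separate key per site.
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
  const site = "https://bank.example", other = "https://mail.example"; // constructed
  const challenge = crypto.randomBytes(32).toString("hex");
  const resp = tokenRespond(privateKey, site, challenge, 7);
  // Same response with the origin field rewritten after signing.
  const relabelled = { ...resp, clientData: resp.clientData.replace(site, other) };
  return {
    sameContext: verifyResponse(publicKey, site, challenge, 6, resp),
    otherSite: verifyResponse(publicKey, other, challenge, 6, resp),
    relabelledOrigin: verifyResponse(publicKey, other, challenge, 6, relabelled),
    laterChallenge: verifyResponse(publicKey, site, "a-later-challenge", 6, resp),
    replayedCounter: verifyResponse(publicKey, site, challenge, 7, resp),
  };
}

console.log(demo());
```

Only the response checked in the context it was made for is accepted; the relabelled one passes the field comparison and is then stopped by the signature, which covers both the origin hash and the client data.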