by scarhill
3095 days ago
As it happens, I switched from Google Authenticator to LastPass Authenticator a few days ago. The app has a feature that allows you to require a PIN or fingerprint in order to use it. That feature is disabled by default. (Note that Google Authenticator has no such feature.) As I understand it, this attack allows someone with access to my unlocked phone to install an activity launcher app and then generate 2FA codes without supplying a PIN or fingerprint. Actually, for my phone they wouldn't need to bother with the launcher app, because I didn't enable the additional fingerprint/PIN feature--it seems to reduce convenience while adding little security. Still, it's definitely a bug. They should either fix it or remove the feature so people aren't misled into thinking their two-factor codes are secure when they're not.