Hacker News new | ask | show | jobs
by kozziollek 2886 days ago
Would it be possible to reverse order?

I mean: 2fa-code, login, password instead of: login, password, 2fa-code. Maybe login could be automatically filled based on 2fa-code public key? That should prevent leaking password to fake page.
2 comments
tialaramex 2886 days ago
You need the login first.

A cheap Security Key has no idea what public key it told you to use when registering.

There's a cute trick here. When you tell a key "Hi, authenticate please" you must send it a "cookie" it gave you during registration. Now this could in theory be some pointer it uses or whatever. But in fact it's actually the private key it will use to authenticate, encrypted with its own baked in secret key. It decrypts that, then authenticates. But if you don't know which user you're authenticating you can't send their cookies, you'd have to try every cookie for every user. Not fast.

If every user uses WebAuthn then just a login (username or email address or something) is enough. But if some just have passwords then doing anything before the password step gives away what's up.

link
trash_panda 2885 days ago
An interesting solution could be to first enter the username, then the OTP/Key, then the password. I haven't given it a lot of thought and can't find anything wrong with it.
link
crunchatized 2885 days ago
Like GP said, that would give away which accounts have WebAuthn enabled on them, since those without it would send you straight to the password prompt instead.

But more importantly, phishing sites will always tell you 'your key succeeded. Enter your password next' regardless, so this doesn't protect against password disclosure at all.

link
ufmace 2885 days ago
Nope, because you'd be relying on the fraudulent phishing page to tell you that.

Real page: Give me login You: Login Real page: Good login, press your 2fa to authenticate You: Press Real page: Good 2fa, enter your password You: Password

Versus:

Fake page: Give me your login You: Login Fake page: Good login, press your 2fa to authenticate You: Press Real page: Good 2fa (wink wink), enter your password You: Password

The fake page wouldn't have a working login to the real page because the 2fa would be wrong, but it would still have your password.

link