by SpaethCo 2886 days ago
If there's a MitM attack, you've already lost. Sure, they can only log in one time, but they're in once you provide the authentication steps.

Phishing sites collecting and using the 2FA creds in real time was discussed here, among other places: https://security.stackexchange.com/questions/161403/attacker...

With available open source like https://github.com/ustayready/CredSniper readily available, you're only going to stop lazy phishing attempts.

You only get protection if you assume the scripts are just passively collecting information for use at a later time. If they're actively logging in to establish sessions while they're phishing, it's game over.


But don't many sites require a second authentication to modify access to the account (change password, add collaborator, etc.)? In that case, an attacker would need a second one-time code.

Normally I believe they just require the password. The threat model there is someone leaving their account logged in.
> Normally I believe they just require the password.

Shoot, you're right. Not sure what I was thinking. My bad.

Yeah, that's why codes don't make for a good second factor. You should use something like FIDO or a client cert such that a MitM can't continue to impersonate the client.
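An added illustration of the thread's point, not code from any commenter: a relaying proxy can forward a TOTP code unchanged and the real site has no way to tell, whereas a FIDO-style assertion is signed over the origin the browser is actually connected to, so an assertion produced on the phishing domain fails the real site's check. Origins, secrets and the challenge are constructed, and HMAC stands in for the authenticator's asymmetric signature so the example runs with the standard library alone.

```python
import hashlib, hmac, json, secrets, struct

REAL_ORIGIN = "https://example.com"    # constructed: the legitimate site
PHISH_ORIGIN = "https://examp1e.com"   # constructed: the attacker's relaying proxy

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, computed identically by the victim's app and the real site."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"

def code_relay_accepted(secret: bytes, t: int) -> bool:
    """Victim types the current code into the phishing page and the proxy forwards it
    verbatim. The code says nothing about where it was typed, so the site accepts it."""
    code_typed_on_phish = totp(secret, t)
    return hmac.compare_digest(code_typed_on_phish, totp(secret, t))

def sign_assertion(cred_key: bytes, challenge: str, origin: str):
    """Toy FIDO-style assertion: the browser, not the user, fills in the origin it is
    really talking to, and the signature covers it. HMAC is an assumed stand-in for
    the authenticator's public-key signature; what matters here is what gets signed."""
    client_data = json.dumps({"challenge": challenge, "origin": origin}, sort_keys=True).encode()
    return client_data, hmac.new(cred_key, client_data, hashlib.sha256).digest()

def site_accepts_assertion(cred_key: bytes, challenge: str, client_data: bytes, sig: bytes) -> bool:
    """Relying-party check: the fresh challenge, the site's own origin, and a valid signature."""
    data = json.loads(client_data)
    expected = hmac.new(cred_key, client_data, hashlib.sha256).digest()
    return (data.get("challenge") == challenge
            and data.get("origin") == REAL_ORIGIN
            and hmac.compare_digest(expected, sig))

def assertion_relay_accepted(cred_key: bytes, challenge: str) -> bool:
    """Proxy forwards the real site's challenge, but the victim's browser signs for PHISH_ORIGIN."""
    client_data, sig = sign_assertion(cred_key, challenge, PHISH_ORIGIN)
    return site_accepts_assertion(cred_key, challenge, client_data, sig)

if __name__ == "__main__":
    print("relayed TOTP code accepted:", code_relay_accepted(secrets.token_bytes(20), 1700000000))
    print("relayed FIDO assertion accepted:", assertion_relay_accepted(secrets.token_bytes(32), secrets.token_hex(16)))
```

Rewriting the origin inside the forwarded client data does not help the proxy either, because the signature then no longer verifies.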