by AgentME
2557 days ago
Google 2-Step Verification is vulnerable to phishing just like TOTP is. You can go to a phishing site without realizing it's not Gmail, you enter your username and password, the phishing site gives those to Gmail on your behalf, the phishing site causes 2-Step Verification to happen, and Google sends a push notification to your phone for you to let the attacker into your account. (I believe Apple's default 2FA mentioned by GP works the same way.) Security keys (and the newer project from Google to let your phone act as one over bluetooth) don't have this vulnerability because they connect right to your computer and talk to your browser (and not the attacker's) to verify the domain you're accessing.
|
How does the security key/browser pair communicate without involving the site? Does it involve more of Google's interference then? While I know you're not saying "yes" to the site, isn't the key doing roughly the same thing?