by theluketaylor
1465 days ago
Push notification 2FA certainly has some UX benefits over manually entering a TOTP, but there are documented cases of attackers gaining access by triggering the 2nd-factor push and a user dutifully pressing "approve". Office 365 is an especially bad vector for this risk, as it prompts for auth throughout the day at seemingly random intervals while using O365 services. Users are trained to hit accept to keep going even if there isn't a password entry dialog that obviously triggered the 2nd-factor ask.

WebAuthn makes this a moot point, though. All the auth is handled under the hood. There is no password or TOTP code to enter, and yet in the right setup it can be 2FA with minimal user interaction. The keys are stored resident on your device (something you have) and there is interaction to unlock them (fingerprint: something you are, or PIN: something you know). Best of all, it's unphishable since the keys are unique per domain, so lookalike domains won't work.
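To make the "keys are unique per domain" point concrete, here is a toy model of the three WebAuthn parties (authenticator, browser, relying party) and the checks that stop a lookalike domain. This is an added example, not code from the comment above or from any WebAuthn library; the origin `https://example.com`, the lookalike `https://example-login.com`, and the class and function names are all made up for illustration. The real protocol signs `authenticatorData || SHA-256(clientDataJSON)` with ECDSA or EdDSA; this block substitutes an HMAC as a stand-in signature so it runs with only the standard library, which does not change the binding logic being shown.

```python
"""Toy WebAuthn model: why an assertion for example.com cannot come from a lookalike site.

Added illustration (not the original poster's code). HMAC stands in for the
real public-key signature; everything else mirrors the structure of the spec:
the authenticator scopes credentials to an rpId and includes SHA-256(rpId) in
authenticatorData, the browser fills in the page origin in clientDataJSON, and
the relying party checks origin, challenge, rpIdHash and the signature.
"""
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Keeps one key per credential; a credential is only usable for the rpId it was made for."""

    def __init__(self):
        self._creds = {}  # credential_id -> (rp_id, key)

    def make_credential(self, rp_id: str):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[cred_id] = (rp_id, key)
        return cred_id, key  # 'key' plays the role of the public key handed to the RP

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        for cred_id, (cred_rp, key) in self._creds.items():
            if cred_rp == rp_id:  # scoping: never answers for a different rpId
                auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
                sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
                return cred_id, auth_data, sig
        raise LookupError(f"no credential for rpId {rp_id!r}")


class Browser:
    """The page script cannot choose the origin; the browser writes it from the loaded URL."""

    def __init__(self, authenticator: Authenticator):
        self.auth = authenticator

    @staticmethod
    def _rp_id_allowed(origin: str, rp_id: str) -> bool:
        host = origin.split("://", 1)[1].split(":")[0]
        return host == rp_id or host.endswith("." + rp_id)  # rpId must be a registrable suffix

    def create(self, origin: str, rp_id: str):
        if not self._rp_id_allowed(origin, rp_id):
            raise ValueError("rpId is not a suffix of the caller origin")
        return self.auth.make_credential(rp_id)

    def get(self, origin: str, rp_id: str, challenge: str) -> dict:
        if not self._rp_id_allowed(origin, rp_id):
            raise ValueError("rpId is not a suffix of the caller origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True
        ).encode()
        cred_id, auth_data, sig = self.auth.get_assertion(rp_id, sha256(client_data))
        return {"id": cred_id, "clientDataJSON": client_data,
                "authenticatorData": auth_data, "signature": sig}


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin = rp_id, origin
        self.users = {}      # credential_id -> key registered at enrolment
        self.pending = set() # challenges issued and not yet consumed

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def register(self, cred_id: bytes, key: bytes):
        self.users[cred_id] = key

    def verify(self, a: dict) -> bool:
        cd = json.loads(a["clientDataJSON"])
        if cd.get("type") != "webauthn.get" or cd.get("origin") != self.origin:
            return False                                   # lookalike origin fails here
        if cd.get("challenge") not in self.pending:
            return False                                   # replay / unknown challenge
        if a["authenticatorData"][:32] != sha256(self.rp_id.encode()):
            return False                                   # credential scoped to another rpId
        key = self.users.get(a["id"])
        if key is None:
            return False
        expected = hmac.new(key, a["authenticatorData"] + sha256(a["clientDataJSON"]),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, a["signature"]):
            return False                                   # signature covers origin+challenge
        self.pending.discard(cd["challenge"])
        return True


def run_scenarios() -> dict:
    """Constructed scenarios: one honest login and three phishing attempts via example-login.com."""
    auth, rp = Authenticator(), RelyingParty("example.com", "https://example.com")
    browser = Browser(auth)
    cred_id, key = browser.create("https://example.com", "example.com")
    rp.register(cred_id, key)
    out = {"legit": rp.verify(browser.get("https://example.com", "example.com", rp.challenge()))}
    relayed = rp.challenge()  # phisher proxies a real challenge to its lookalike page
    try:  # 1. phishing page asks for the example.com credential directly
        browser.get("https://example-login.com", "example.com", relayed)
        out["phish_rpid"] = "assertion produced"
    except ValueError:
        out["phish_rpid"] = "browser refused rpId"
    try:  # 2. phishing page asks for its own rpId; the user never enrolled there
        browser.get("https://example-login.com", "example-login.com", relayed)
        out["phish_own_rpid"] = "assertion produced"
    except LookupError:
        out["phish_own_rpid"] = "no credential for lookalike rpId"
    # 3. user was tricked into enrolling at the lookalike; phisher rewrites the origin and relays
    browser.create("https://example-login.com", "example-login.com")
    a = browser.get("https://example-login.com", "example-login.com", relayed)
    a["clientDataJSON"] = json.dumps({"type": "webauthn.get", "challenge": relayed,
                                      "origin": "https://example.com"}, sort_keys=True).encode()
    out["phish_forged_origin"] = rp.verify(a)
    return out


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {result}")
```

The three failure points are the ones that matter in the real protocol too: the browser refuses an rpId that is not a suffix of the page's origin, the authenticator has no key for the phisher's domain, and a relayed assertion carries the phisher's rpIdHash and a signature over the phisher's origin, so editing clientDataJSON afterwards breaks verification. A user who clicks "approve" on the lookalike page still hands the attacker nothing usable at the real site.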