|
|
|
|
|
|
by fragmede
1419 days ago
|
|
|
U2F ("Yubi") doesn't have a "password" that's exposed to the user (you), so the attacker would have to steal it in order to get its password. Meanwhile, two passwords are basically the same as having one long password, and if the attacker gets that, then they're in. (Yes, if the attacker can factor very large prime numbers, then they can get the "Yubi password", but if they can do that, there's a lot of bitcoin they could steal.) U2F also signs the auth with the site's domain name, so even if the user tries to log into faceb00k.com (zeros), U2F won't let the attacker reuse the credentials on facebook.com. This does require that you actually lose access without the second factor. In higher security environments this is enforced - if you lose the U2F device, then you can't log in. Obviously if the site lets you log in without the device then having the device doesn't actually matter. Lost device flow is a weakness, but typically they're more involved and require the attacker to have more details about the user than a simple phish attack would have access to. |
|
|