by medevacs
1372 days ago
I'm under the impression you misread the original blog post, which by the way does not really do a very good job in terms of explaining how this should be implemented. IMHO, the idea is not to display the info about the wrong 2FA code on the login page but to use a separate channel to inform the account owner about this recent, failed login attempt. So, no info on the login page of the website (the adversary would still not know that they have a good password but a wrong 2FA code) but e.g. an email, a text message, a push notification, etc. with this info. I would certainly like to know that someone, somewhere is trying to log in to my account and that this adversary is in possession of my actual password.