by noisenotsignal 1159 days ago
That’s the trade off being made for convenience. It’s still somewhat multifactor though (I’ve seen people call it 1.5FA); authentication codes have the benefit of being resilient to replay. So, you’re not pwned even if someone steals your password somehow.

Even if someone steals your phone, you should have a passcode. If they know or guess your passcode, well… someone could steal your house/car keys too, and we still carry them around anyway :)


If we are assuming that the password manager is on the same device used to log in, a replay attack is bordering on ridiculous.

In this scenario, you are assuming that the client is not compromised (since otherwise they would just steal it before you use it), the server is not compromised (otherwise what is the point), and you do not have an active MITM (otherwise they could use the token directly instead of replaying).

All that really leaves is someone capable of passively eavesdropping on a TLS connection (usually much harder to do than an active MITM). I suppose someone could literally look over your shoulder or record you with a hidden camera - but even then they just have to out-race you hitting submit.

Anyways. Not a realistic threat in my mind.

Sorry, I meant replay really broadly because I could not come up with a better term in the moment. For example, a password can be leaked in many ways (guessed, by a breach if the website has poor password storage, etc) and be “replayed”, as in the attacker just enters the password themselves. A code does not have that problem because it is temporal.
Ah ok. It's confusing because one of the requirements for time-based one-time password 2FA is that if you use the same 2FA token twice, it is still supposed to reject the second one even if it is in the same time window.

On the server side usually a "key" is stored, which for TOTP-based 2FA would allow the attacker to create future 2FA tokens if they got ahold of the key. So what really saves you is that the website chooses the key, not the user, meaning every website has a different one. Not the temporal nature.

Anyways, the usual term for what you are referring to with reusing passwords is "credential stuffing".