Instead of placing the numbers in the path, why not use a subdomain, e.g. 5678.example.com, and have that routed using a wildcard DNS record, then let users copy-paste the full ~~~domain name~~~ URL?
I don't understand what attack this is supposed to mitigate. The idea is that you're getting a number from the device you're trying to sign in to, and entering it on an already-verified device that can "vouch" for the other one.
What good does it do to put the number in the URL rather than the body? Even if someone is trying to phish you, they'd just put the number in their URL instead. Is it just to make you look closer to the domain name?
Interesting idea. However, I do like the approach BankID took using a QR code [1]. This does not, however, match a domain but matches a particular vendor that shows up after you've scanned it and are asked to enter your security code. This way you can always verify the vendor is actually the website you are trying to log into.
That's a really good post, interesting read. This is similar in some ways but I don't see how their approach protects the user from more advanced attacks (an attacker could still swap the captcha).
Doesn't 2FA mean that the user will not be redirected out until the verification code is entered?
I think the article needs more clarification.
Can you show where a phishing attack is possible in the following scenario?
1. Open login page
2. Enter credentials (step 1)
3. Enter verification code (step 2)
4. Authenticate, redirect.
If you enter google.com in your browser and login, unless you misspelled the domain and that didn't get flagged by anything, you'll be fine. If a relative that doesn't know much about tech gets a text/email asking them to login to their bank but the site linked is b4nk0f4m3r1c4.com, that phishing site could replay the entered credentials into the real site to login.
U2F would be a much superior replacement for any idea in which the user has to enter anything at all. It’s better to have the security hardware, such as a U2F key, authenticate the authenticator using cryptography, because that process cannot be man-in-the-middle’d.
I agree that U2F/WebAuthn/FIDO2 is superior (in terms of security and in most cases convenience) in basically every way. This is an alternative approach that is less secure than WebAuthn but a bit more secure than regular number matching or "enter this code" 2FA.
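The two comments above rest on one property: a FIDO/U2F assertion is signed over the origin the browser actually observed, so a look-alike site that relays the real challenge to the victim still cannot obtain a signature the real site will accept, whereas a typed one-time code carries no origin and relays fine. The toy model below is an added example for this thread, not code from any of the commenters or from the U2F/WebAuthn specifications. The origins `https://example.com` and `https://examp1e.com` are constructed samples, and an HMAC key stands in for the per-credential ECDSA key pair a real authenticator uses, so that it runs on the Python standard library alone; the origin binding and challenge check are what the model is about.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample origins: the real relying party and a look-alike site.
RP_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://examp1e.com"


class ToyAuthenticator:
    """Stand-in for a FIDO/U2F authenticator (assumption: HMAC instead of ECDSA).

    A real authenticator signs with a per-credential private key; here an HMAC
    key plays that role. What the demonstration depends on is unchanged: the
    signature covers the origin the browser observed, not one the page chose.
    """

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)

    def registered_credential(self) -> bytes:
        # In this toy model the RP stored the same key at registration time.
        return self.key

    def sign(self, challenge: bytes, browser_origin: str) -> dict:
        # The browser, not the web page, fills in the origin it is actually on.
        client_data = json.dumps(
            {"challenge": challenge.hex(), "origin": browser_origin},
            sort_keys=True,
        ).encode()
        signature = hmac.new(
            self.key, hashlib.sha256(client_data).digest(), "sha256"
        ).digest()
        return {"client_data": client_data, "signature": signature}


def rp_verify(assertion: dict, expected_challenge: bytes, credential_key: bytes) -> bool:
    """Relying-party check: expected origin, fresh challenge, valid signature."""
    try:
        data = json.loads(assertion["client_data"])
    except (KeyError, ValueError):
        return False
    if data.get("origin") != RP_ORIGIN:
        return False  # signed for some other site: reject
    if data.get("challenge") != expected_challenge.hex():
        return False  # stale or replayed challenge: reject
    expected = hmac.new(
        credential_key, hashlib.sha256(assertion["client_data"]).digest(), "sha256"
    ).digest()
    return hmac.compare_digest(expected, assertion["signature"])


def direct_login(auth: ToyAuthenticator) -> bool:
    """User is on the real site, so the browser reports RP_ORIGIN."""
    challenge = secrets.token_bytes(32)
    assertion = auth.sign(challenge, RP_ORIGIN)
    return rp_verify(assertion, challenge, auth.registered_credential())


def relayed_login(auth: ToyAuthenticator) -> bool:
    """User is on the look-alike site, which forwards the real challenge.

    The challenge arrives unchanged, but the victim's browser is on
    PHISH_ORIGIN and signs that, so the RP rejects the forwarded assertion.
    """
    challenge = secrets.token_bytes(32)  # issued by the real RP
    assertion = auth.sign(challenge, PHISH_ORIGIN)  # browser is on the look-alike page
    return rp_verify(assertion, challenge, auth.registered_credential())


def relayed_code_login() -> bool:
    """Contrast: a typed one-time code has no origin, so a relay passes."""
    rp_code = "482913"  # constructed sample code issued by the real RP
    typed_on_lookalike = rp_code  # the victim types it into the look-alike page
    return hmac.compare_digest(typed_on_lookalike, rp_code)


if __name__ == "__main__":
    a = ToyAuthenticator()
    print("direct FIDO login accepted:", direct_login(a))  # True
    print("relayed FIDO login accepted:", relayed_login(a))  # False
    print("relayed one-time code accepted:", relayed_code_login())  # True
```

The check that matters is the origin comparison in `rp_verify`: it is made against a value the browser wrote into the signed data, which is why a relay cannot fix it up after the fact, and why number matching or code entry (which sign nothing and carry no origin) cannot offer the same guarantee.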