by stavros 1107 days ago
I don't understand what attack this is supposed to mitigate. The idea is that you're getting a number from the device you're trying to sign in to, and entering it on an already-verified device that can "vouch" for the other one.

What good does it do to put the number in the URL rather than the body? Even if someone is trying to phish you, they'd just put the number in their URL instead. Is it just to make you look more closely at the domain name?

1 comment

Yes, it is. This system is primarily meant to counter phishing attacks that use similar domains. I should have clarified that in the post.