by KPGv2
607 days ago
> TOTP is trivially phishable . . . via social engineering

Is it? I've been on the Internet since the 80s and haven't been phished a single time (despite being the recipient of many obvious attempts). Maybe I could be phished, but I think that's evidence it's not trivial. I have to wonder how many people sophisticated enough to use and pay for a password manager like Bitwarden could be "trivially" phished.
The phishability of TOTP really is exactly as bad as that of passwords, except that a once-phished TOTP isn't reusable by the attacker(s), unlike a phished password.
But even one-time access is often catastrophic, especially if it allows the attacker to rotate credentials.