|
|
|
|
|
|
by immibis
173 days ago
|
|
|
They must be paired with an alternative mechanism, unless you plan to unperson everyone who accidentally drops their phone in a river (this may be the plan for high-security services but it can't be the plan in general) and that mechanism can be phished. Session cookies can't be phished either, so why aren't those sufficient? |
|
|