by DaveMebs
4691 days ago
And if you see multiple requests on your phone, you know it's an attack and you should reject both. The criticism is basically "someone might see a bunch of requests and, not knowing which is theirs, approve them all." If someone is that foolish, you're already in trouble.
For me, it is more about asking yourself what approach will increase the overall security of a system. User adoption is a critical consideration. That is where Twitter's approach shines. It's something that is super easy to adopt, no numbers to type in, which means literally millions more users may adopt it. Authy is undervaluing that consideration.
Yes, this is vulnerable to a) foolish users who approve duplicate requests and b) users who have an attacker looking over their shoulder.
Pretty good tradeoff IMHO.