Hacker News new | ask | show | jobs
by e12e 4672 days ago
It's two-factor authentication not two-factor authorization.

I'd also think that authentication was (should be) a server-side thing: and that at that point you'd get some form of session/token/ticket.
1 comments
gcr 4672 days ago
It already is a server-side thing.

This post shows how to steal that session/token/ticket after the authentication step.

What are you proposing?

link
tlrobinson 4672 days ago
In that case this is no worse than stealing a cookie for a site which required 2FA, which presumably requires local access.
link