|
|
|
|
|
|
by yonran
4250 days ago
|
|
|
The author is correct to attack Google’s authentication protocol, but the password reset procedure is the gaping security hole. The author is focusing on the distinction between “hard” tokens vs ”soft” tokens from NIST 800-63 Level 4. But in the Grant Blakeman case, the first factor (password) was never compromised. It was the Google password reset procedure that sidestepped all the security of the two factors. All you need is to answer easy trivia questions and to text a code to a phone number in order to take over a gmail account. |
|
|