Two-Factor Authentication (2FA) Broken by New & Simple Attack

Discussion in 'other security issues & news' started by Minimalist, Apr 9, 2016.

  1. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    6,781
  2. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    59,867
    Location:
    Texas
  3. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,225
    Location:
    The Netherlands
    OK, so what is the best alternative? I must admit that I have never been a fan of 2FA via SMS. And I'm also sick and tired of hardware tokens that are often used by banks and brokers. I would rather have them identify me via the device, for example the PC or smartphone.
     
  4. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,385
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,385
  6. Victek

    Victek Registered Member

    Joined:
    Nov 30, 2007
    Posts:
    5,444
    Location:
    USA
    Apps such as Google Authenticator, Duo Mobile and LastPass Authenticator are freely available, so it's not clear why we're still using SMS. That said using SMS for 2FA is still far more secure than not using 2FA.

    Also the "simple" hack referred to in the Softpedia article requires that the hackers have full access to the user's PC; that's not typical.
     
    Last edited: Jul 11, 2017
  7. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,654
    Server cookies? Sounds spoofable, and easier to hack.
     
  8. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    9,225
    Location:
    The Netherlands
  9. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,654
    I meant some sort of "cookies" that servers use so that they can remember your device. I thought that's what you meant by "identify me via the device".
     
Loading...