
No - because the phishing page can act as a MITM attack - where they display the 2-factor login on the phishing page - and post the entered code to Google, confirm they are in (and receive the cookie enabling access) - while displaying the page back to you.

So 2-factor actually provides a false sense of security here.

Edit: unless you have U2F as per @makomk's comment below



Unless the second factor is U2F, because the actual domain is handed to the U2F dongle by the browser and the authentication is tied to that.


Thanks - good point :)

But for the Google Authenticator and SMS - it would still be vulnerable.
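The difference the comments above describe, as an added example that is not part of the thread: a TOTP code is valid wherever it was typed, while a U2F-style assertion carries the origin the browser was actually on. Assumptions: HMAC stands in for the token's real ECDSA signature, the origins and keys are constructed, and all function names are hypothetical.

```python
import hashlib, hmac, json, struct

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): a function of secret and time only."""
    mac = hmac.new(secret, struct.pack(">Q", now // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def server_accepts_totp(secret: bytes, code: str, now: int) -> bool:
    # Nothing in the code says which page the user typed it into.
    return hmac.compare_digest(totp(secret, now), code)

def browser_sign(device_key: bytes, challenge: str, page_origin: str):
    """The browser, not the page, records the origin it is on; the token signs it.
    Assumption: HMAC with a shared key replaces the token's ECDSA signature."""
    client_data = json.dumps({"challenge": challenge, "origin": page_origin},
                             sort_keys=True)
    sig = hmac.new(device_key, client_data.encode(), hashlib.sha256).digest()
    return client_data, sig

def server_accepts_assertion(device_key, client_data, sig, challenge, expected_origin):
    good = hmac.new(device_key, client_data.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(good, sig):
        return False  # client data was altered after signing
    data = json.loads(client_data)
    return data["challenge"] == challenge and data["origin"] == expected_origin

def demo() -> dict:
    # Constructed sample values, not taken from the thread.
    secret, key, now = b"constructed-totp-secret", b"constructed-device-key", 1_700_000_000
    real, lookalike = "https://accounts.example.com", "https://accounts.example.net"
    out = {}
    # The same six digits verify no matter where the user entered them.
    out["totp_entered_elsewhere"] = server_accepts_totp(secret, totp(secret, now), now)
    cd, sig = browser_sign(key, "c1", real)
    out["u2f_real_origin"] = server_accepts_assertion(key, cd, sig, "c1", real)
    # Token used while the browser is on the lookalike origin.
    cd, sig = browser_sign(key, "c1", lookalike)
    out["u2f_lookalike_origin"] = server_accepts_assertion(key, cd, sig, "c1", real)
    # Editing the origin field afterwards invalidates the signature.
    edited = cd.replace(lookalike, real)
    out["u2f_edited_origin"] = server_accepts_assertion(key, edited, sig, "c1", real)
    return out

if __name__ == "__main__":
    print(demo())
```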


What about getting a text message on your phone, a call, or the Google mobile app? Will it be effective against this kind of attack?



