I disagree. Especially again that companies are centralizing on a couple 2FA companies (like Okta from TFA), this is just ripe for phishing. Okta itself is terrible at this; they don't consistently use the okta.com domain, so users are at a loss and have basically no protection against impersonators.
For Okta, if it is set up properly, the user should get push notifications. And in that push notification is a number they need to select to validate the push.
This eliminates credential phishing and "notification exhaustion" where a user just clicks "ok" on an auth request by a bad actor.
As much as I advocate for non-cloud services, what Okta provides is very secure.