undefined | Better HN

Skip to content

Top New Best Ask Show Jobs

0 pointsstaticassertion2mo ago0 comments

I'm confused. All an attacker has to do is phish you to get your password and TOTP.

TOTP would cover cases like a compromised password manager or a reused password. That's it, right?

0 comments

3 comments · 1 top-level

erikerikson2mo ago· 2 in thread

My password manager, as is standard for most of them, will not fill or show a password if the URL bring visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

To answer your question, no and I provided details. It literally provides a second, non portable factor with a different vulnerability surface.

staticassertionOP2mo ago

> My password manager, as is standard for most of them, will not fill or show a password if the URL bring visited doesn't match the credential. Thus, a credential not showing is a huge red flag. The workflow is pretty standardized so any deviation is a big red flag.

I agree.

> Maybe you can be more specific about the attack flow you are imagining and how it will work technically to bypass my controls.

Can you be more specific about the attack that your password manager doesn't solve that your TOTP does? The attack I'm suggesting is already solved by your password manager.

erikerikson2mo ago

I've believe I've already written that but it is that my password manager gets compromised. It is not perfectly secure and has failure points. Given that it is separate from the second factor a successful attack against the password manager still leaves an attacker unable to login without a separate compromise of my TOTP code. Of course that can also be compromised but two compromises is strictly more difficult than one.

j / k navigate · click thread line to collapse