Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

Password/TOTP does not protect you against phishing. The phishing site can forward the password and TOTP you type into the real system, gaining your access.

FIDO/WebAuthn/Passkeys protect you against phishing, because of the origin binding mentioned in the article. On the phishing site, the required credential cannot be generated, and so no matter how convincing it is you can't accidentally give them a credential to forward.

Phishing is what these systems were trying to defend against.

Now if you were to say that the move from plain FIDO tied to a hardware key to passkeys tied to a Google account was a lock-in ploy ---- then I might be more inclined to agree.



Considering there's an entire portion of the software industry built on accepting a user's credentials and also prompting them for their TOTP, I don't think this really matters.

It's not an acceptable trade-off. And the answer isn't, "Those third-parties shouldn't be asking for your password and TOTP," because that's not a realistic premise.


> The phishing site can forward the password and TOTP you type into the real system, gaining your access.

To me this seems harder to pull off than a fraudulent password reset (either via social engineering, or a hacked email account). My TOTP fell in the drink a few years back, and some accounts very hard to reset and others were too easy.


If you're targeting a particular person, social engineering is probably easier. If you just want to illicitly harvest some accounts, and aren't too worried about which ones, blasting out emails linking to hacked websites that fake the login & TOTP flow is very easy.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: