undefined | Better HN

Better HN

Top Best Ask Show New Jobs

0 pointsxfitm37y ago0 comments

Doesn't that defeat the purpose of MFA?

0 pointsxfitm37y ago0 comments

Doesn't that defeat the purpose of MFA?

0 comments

5 comments · 2 top-level

chii7y ago· 3 in thread

If they already have your phone, you're already pwned.

mschuster917y ago

>If they already have your phone, you're already pwned.

No, that's not what GP means. If the attacker manages to get malware on the Mac, for example by exploiting a browser 0day, then the attacker can simply circumvent the 2FA by making the Mac fetch the 2FA code. The user won't notice it.

gruez7y ago

If the attacker manages to get malware on the mac, they can also wait for you to do a login, and steal your 2fa code as you enter it.

1 more reply

cortesoft7y ago

Same could be said of the phone, right? A zero day on the phone would circumvent the 2FA.

Really, the SMS part is the actual weak link in the chain. Easier to hijack SMS than own a computer or phone.

1 more reply

cortesoft7y ago

No... the computer is a second factor just as much as a phone. Something you know (password) + something you have (computer) = MFA

j / k navigate · click thread line to collapse

0 comments

5 comments · 2 top-level

chii7y ago· 3 in thread

If they already have your phone, you're already pwned.

mschuster917y ago

>If they already have your phone, you're already pwned.

gruez7y ago

If the attacker manages to get malware on the mac, they can also wait for you to do a login, and steal your 2fa code as you enter it.

1 more reply

cortesoft7y ago

Same could be said of the phone, right? A zero day on the phone would circumvent the 2FA.

Really, the SMS part is the actual weak link in the chain. Easier to hijack SMS than own a computer or phone.

1 more reply

cortesoft7y ago

No... the computer is a second factor just as much as a phone. Something you know (password) + something you have (computer) = MFA

j / k navigate · click thread line to collapse