undefined | Better HN

0 pointsixs4y ago0 comments

It does not. There are myriad ways of extracting the TOTP seed from these apps... Or you just reverse engineer the setup/confirmation process and then you can generate/trigger your own tokens from your automation workflow.

2FA is a good security feature but it does not help against web scraping. Credential stuffing and other 3rd party attacks? Yes, it _can_ help. But it does not always help. There's a phishing group that has seemingly specialised on getting people to click the green confirm button in their Duo app... ¯\_(ツ)_/¯

Check https://github.com/revalo/duo-bypass for a python script that can be used to automate Duo tokens... Has some code from me. There are similar scripts for all the other well known OTP Apps...

0 comments

Gigachad4y ago

Having malware installed on every users phone is so many orders of magnitude harder than downloading the latest db dump and testing the email/password on every other site.

At the bare minimum, TFA stops most attacks. That's a whole lot better than the current situation.

1cvmask4y ago

There are different methods of 2FA like scanning encrypted barcodes that show that you require intent.

It seems that the Duo core app is a variant of HOTP?

What's the name of the phishing group and any details on them? There was a Defcon or Black Hat video where they would constantly send a push approval to the mobile which was not PIN protected and most people would click on it. Don't remember which OTP generator it was.

j / k navigate · click thread line to collapse