Bienvenido a Internet

■ This thread is stored in the archive

[Security] Two-factor authentication is just an excuse to ask for your phone number (6 replies)

1 : root@bienvenidoainternet.org:~# : 03/04/21(sab)21:19:54 ID:zkM/exN60

>Does SMS 2FA Prevent Phishing?
>The problem with using SMS-2FA to mitigate this problem is that there’s no reason to think that after entering their credentials, they would not also enter any OTP.
>SMS 2FA can be phished, and therefore is not a solution to phishing.

>Does SMS 2FA Prevent “Credential Stuffing”?
>Credential stuffing works because password reuse is astonishingly common. It’s important to emphasise that if you don’t reuse passwords, you are literally immune to credential stuffing. The argument for SMS-2FA is that credential stuffing can no longer be automated. If that were true, SMS-2FA would qualify as a solution to credential stuffing, as an attacker would need to use a new attack, such as phishing, to obtain the OTP.
>Unfortunately, it doesn’t work like that. When a service enables SMS-2FA, an attacker can simply move to a different service. This means that a new attack isn’t necessary, just a new service. The problem is not solved or even mitigated, the user is still compromised and the problem is simply shifted around.

>You don’t need SMS-2FA.
>You can use unique passwords, this makes you immune to credential stuffing and reduces the impact of phishing. If you use the password manager built in to modern browsers, it can effectively eliminate phishing as well.
>Even if you can’t use a password manager, it is totally acceptable to record your passwords in a paper notebook, spreadsheet, rolodex, or any other method you have available to record data. These are cheap, universally available and accessible.

>What if I install malware, can’t the malware steal my password database?
>Yes, but SMS-2FA (and even U2F) also don’t protect against malware. For that, the best solution we have is Application Whitelisting. Therefore, this is not a good reason to use SMS-2FA.

Full article: https://blog.cmpxchg8b.com/2020/07/you-dont-need-sms-2fa.html (note: hosted on blogspot)

2 : root@bienvenidoainternet.org:~# : 03/04/21(sab)21:27:46 ID:vSJWRhzf0

I think it's enough to just use strong passwords. By that I mean using an entire phrase as the password instead of one or two words + numbers, as is customary for most people. That would give it much more entropy than the average password.

3 : root@bienvenidoainternet.org:~# : 03/04/21(sab)21:49:52 ID:99hayh/80

A reminder that the phone numbers of everyone who has two-factor authentication enabled on Discord will soon pass into Microsoft's hands.

4 : : 03/04/21(sab)22:20:22 ID:5wCdMlDuQ

Are you assuming I have a cell phone number?

5 : : 03/04/21(sab)23:41:13 ID:94GMVHP70

Let's take advantage of the fact that in the third world there is still no law requiring identification to buy a SIM card.

6 : : 04/04/21(dom)20:04:12 ID:QOKMdauC0

I have relatives who hate the mandatory 2FA of crap like google but make no effort to switch to alternative platforms even though I tell them how to do it.