

The hope is now that Google is creating and selling its own security key, it can bring the price down if the device gets popular enough, which is the company's goal. "We're not quite happy where these devices are out of reach for customers who can't afford it," Brand said. "We're thinking that hopefully at some point in time, these keys can be in the sub-$10 range."

But before prices can drop, Google is going to have to convince people they actually need a security key. In January, a Google engineer said that less than 10 percent of Gmail users have two-factor authentication enabled on their accounts. Google is aware of the lack of interest in multifactor authentication, and it's hoping the Titan key can change that.

There are plenty of reasons why people might not be interested in security keys. They already have two-factor authentication set up with their phones. They might believe their passwords are already strong enough.

All of these are obstacles Google will have to get around to get more people using security keys.

One of the most popular forms of two-factor authentication is to have the service send a PIN via text message to your phone, which you then type in. It helps, but it's not foolproof, Srinivas said. Google found that a targeted attack would be able to trick people into giving up that PIN code, too. In a Twitter thread, Shane Huntley, director of Google's Threat Analysis Group, explained how someone could still phish a victim through text messages, even with two-factor authentication. Basically, the attacker could send the victim a bogus request for the PIN.

1. User enters password into attacker's site
2. Attacker attempts to log in immediately and SMS code sent to user
3. Attacker sees code is required then returns page asking for code to user
Attacker wins

Shane Huntley, July 22, 2018
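A small added model of the relay described in the thread above (this is illustrative code, not from the article or from Google): the SMS verifier sees only digits and accepts a code forwarded from a phishing page, while a simplified security-key check in the U2F/WebAuthn style rejects an assertion the browser signed for a lookalike origin. HMAC stands in for the key's real signature, and both origins are constructed placeholders.

```python
# Added model of the relay in the thread above (not from the article).
# An SMS code carries no record of where it was typed, so a relayed code
# passes; a security-key assertion (U2F/WebAuthn style, simplified here)
# includes the page origin the browser saw, so a relayed one fails.
# HMAC stands in for the key's signature; the origins are placeholders.
import hashlib
import hmac
import json
import secrets

REAL_ORIGIN = "https://accounts.example.com"   # hypothetical real site
PHISH_ORIGIN = "https://accounts-example.com"  # hypothetical lookalike

def send_sms_code():
    # Six digits texted to the phone; nothing ties them to a site.
    return f"{secrets.randbelow(10**6):06d}"

def verify_sms_code(issued, submitted):
    # The server only sees digits, not which page the user typed them on.
    return hmac.compare_digest(issued, submitted)

def key_sign(key_secret, challenge, origin_seen_by_browser):
    # The browser hands the key the origin it is on and the key signs it.
    client_data = json.dumps({"challenge": challenge, "origin": origin_seen_by_browser})
    sig = hmac.new(key_secret, client_data.encode(), hashlib.sha256).hexdigest()
    return {"client_data": client_data, "signature": sig}

def key_verify(key_secret, assertion, challenge):
    data = json.loads(assertion["client_data"])
    if data["origin"] != REAL_ORIGIN or data["challenge"] != challenge:
        return False                             # signed for the wrong site
    expected = hmac.new(key_secret, assertion["client_data"].encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, assertion["signature"])

def relayed_sms_code_accepted():
    # Steps 1-3 of the thread: the attacker's login attempt triggers the real
    # SMS, the user types the code into the phishing page, and the attacker
    # forwards it unchanged to the real site.
    issued = send_sms_code()
    forwarded = issued
    return verify_sms_code(issued, forwarded)    # True: attacker wins

def relayed_key_assertion_accepted():
    # Same relay with a key: the attacker forwards the real challenge, but the
    # key signs the lookalike origin the user's browser is actually on.
    key_secret = secrets.token_bytes(32)
    challenge = secrets.token_hex(16)
    forwarded = key_sign(key_secret, challenge, PHISH_ORIGIN)
    return key_verify(key_secret, forwarded, challenge)   # False: relay fails
```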
