If fewer than 10 percent of Google account holders want to activate free 2FA on devices they already own, the chances of them purchasing $25 dongles are not promising. Even now, Google can barely convince any of its users to use code-based 2FA. However, convincing people to carry around yet another gadget constantly will most likely be an uphill struggle.
If Google employees can fall for a sufficiently sophisticated attack, what chance does the average congressman have? However, Google isn't concerned about phone-based 2FA letting down everyday users it's worried about savvy hackers trying to spear-phish politicians and other high-profile targets.īy using methods just like the one described, Google's internal security team was able to fool Google employees into giving up their credentials and 2FA codes. Savvy users, of course, realize that the situation described above is extremely inefficient, and would not work as a large-scale phishing attack. The attacker has now fully compromised an important account with some rudimentary HTML and careful timing. The user inputs his or her code into the fake site, and that's the end of that. In response, the attacker attempts to log in to the real website, which sends an SMS code to the original user. The user inputs his or her username and password. In his example, an attacker sets up a fake-but-convincing website, then directs a user to it. On Twitter, security researcher Shane Huntley pointed out that 2FA codes sent to phones are eminently phishable, and he is by no means the only one. After all, phones often have trouble receiving text messages in foreign countries, maintaining a battery charge for more than a day - or staying completely safe from cybercriminals. The Titan Key has only one purpose: providing ironclad 2FA security without relying on a phone or tablet. Other than that, the keys really seem to be as straightforward as Google describes them.
0 kommentar(er)
