this post was submitted on 10 Oct 2023
32 points (94.4% liked)

Privacy

31890 readers
540 users here now

A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

Some Rules

Related communities

Chat rooms

much thanks to @gary_host_laptop for the logo design :)

founded 5 years ago
MODERATORS
 

In a few weeks I'll do a workshop about security for people who are tech illiterate, I plan to teach about password managers and 2FA.

If I show the 2FA number codes, like the 123 456 ones that I have to paste when required, can that be a possible security breach for me? or is it save since is gonna change in a few seconds anyway?

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 12 points 1 year ago* (last edited 1 year ago)

It's good to keep in mind that while it does improve the overall security of the account, a 2FA/TOTP code can still be phished, so if the user encounters a fake login page and supply his password and 2FA code, it could let an attacker pass the intercepted credentials to the real login page in the background and gain access. Most websites using TOTP will not allow reusing a code more than once in the same time slot, but that's a moot point if the 2FA code is intercepted without being entered on the legitimate website, but in your case of making a demonstration that would not be a security concern.

It's important for the user to ensure they're accessing the legitimate website before typing any credentials and 2FA code.

A safer option nowadays is FIDO2/Passkeys, which will not provide a valid 2FA challenge-response in the case of a spoofed/phishing website, further reducing the possibility of a breach.