• dan@upvote.au
    link
    fedilink
    arrow-up
    1
    ·
    2 months ago

    MFA doesn’t really help much in the case of a tech illiterate person though, since TOTP codes can be phished just like username and password can. A scammer that calls them will just ask for the code in addition to the username and password.

    My employer uses Yubikeys with FIDO2/WebAuthn for two factor auth, but that’s probably too complex for a non technical person to figure out (even if it’s basically just “press the button when it tells you to”).

    • yetAnotherUser@discuss.tchncs.de
      link
      fedilink
      arrow-up
      2
      ·
      2 months ago

      Well, TOTP prevents at least these attack vectors, even for tech-illiterate people:

      • Unnoticed data base leaks being used to gain full access to people’s accounts
      • Credential stuffing (using another service’s leaked credentials to gain access)

      With TOTP there must be at least some contact between the “hacker” and the victim.