
If the compromise of the machine could be turned into a permanent compromise with the ability to manipulate the UI (which seems likely on mainstream desktop OSs), you could use that to intercept the 2FA token on the next login, and use it to turn off 2FA.

The only way to prevent that would be making the token purpose bound, and displaying that purpose on the trusted 2FA device.



Or by using a U2F device, which is designed to prevent spoofing.


U2F doesn't protect you from an untrusted machine, it protects you from untrusted websites.

https://security.stackexchange.com/questions/157756/mitm-att...

The security model relies on the browser validating the origin.


I don't think there is a way around "displaying that purpose on the trusted 2FA device." if you want to protect against a compromised computer.

Domain binding protects you from phishing, but still relies on the user's computer, including the browser, being secure. So it doesn't help here.
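The origin binding the two comments above describe, as an added stdlib-only Python sketch that is not code from the thread or from any U2F library: the browser puts the origin it observed into clientData, the token signs over hashes of the app id and clientData, and the relying party checks the claimed origin. HMAC-SHA256 stands in for the token's ECDSA signature, and the app id, origins and key are constructed.

```python
import hashlib
import hmac
import json
import struct

# Constructed demo key. Real U2F uses a per-credential ECDSA P-256 key pair;
# HMAC-SHA256 stands in here only to keep the example stdlib-only.
DEVICE_KEY = b"demo-device-key-not-real"
APP_ID = "https://bank.example"          # constructed relying-party app id


def build_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser hands to the token: the server's challenge plus the
    origin the BROWSER observed. The server only ever sees this claim."""
    return json.dumps({"typ": "navigator.id.getAssertion",
                       "challenge": challenge.hex(),   # simplified encoding
                       "origin": origin}).encode()


def token_sign(app_id: str, client_data: bytes, counter: int) -> bytes:
    """Token signs appParam || flags || counter || challengeParam (U2F layout).
    It only sees hashes, so it cannot display or check the origin itself."""
    app_param = hashlib.sha256(app_id.encode()).digest()
    challenge_param = hashlib.sha256(client_data).digest()
    signed = app_param + b"\x01" + struct.pack(">I", counter) + challenge_param
    return hmac.new(DEVICE_KEY, signed, hashlib.sha256).digest()


def server_verify(expected_origin: str, challenge: bytes, client_data: bytes,
                  counter: int, sig: bytes) -> bool:
    """Relying party: check the origin and challenge claimed in clientData,
    then the signature over it. The origin check is the anti-phishing step."""
    data = json.loads(client_data)
    if data.get("origin") != expected_origin or data.get("challenge") != challenge.hex():
        return False
    expected = token_sign(APP_ID, client_data, counter)  # stand-in verify
    return hmac.compare_digest(expected, sig)


def legitimate_login(challenge: bytes) -> bool:
    cd = build_client_data(challenge, "https://bank.example")
    return server_verify("https://bank.example", challenge, cd, 7, token_sign(APP_ID, cd, 7))


def phished_login(challenge: bytes) -> bool:
    # Honest browser on a lookalike site: it reports the origin the user is
    # really on, so the relying party rejects the assertion even though the
    # token signed it. A browser that is itself compromised can put any origin
    # in clientData, and nothing in this flow lets the server tell the difference.
    cd = build_client_data(challenge, "https://bank-login.example")
    return server_verify("https://bank.example", challenge, cd, 8, token_sign(APP_ID, cd, 8))
```

The token never sees the origin string, only its hash inside clientData, which is why the thread concludes that a compromised browser is outside what U2F's domain binding can defend against.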



