
Reduction of chance for a successful phishing attack. Is it possible for a hacker to get both the password and the TOTP? Sure, but the timing of that is a 30-second window, in which the hacker needs to be extremely sophisticated in order to successfully compromise your account.



This is not at all true, and we’ve dealt with unsophisticated but successful ATO attacks on TOTP all year. TOTP does not defend ordinary users against phishing.


> TOTP does not defend ordinary users against phishing

I never said it ultimately defends ordinary users, just that it reduces the chances because it requires a more sophisticated attack.


You said attackers need to be "extremely sophisticated" to pull it off, and I've spent a year seeing nitwits – clumsy and trivially detected nitwits – do it without much trouble. You were wrong, and wrong in a way that's important to correct so people know that it's wrong.


And I've seen the opposite, what's your point? How do you qualify "clumsy and trivially detected nitwits"?

PS - Telling people they are "wrong" isn't convincing, and is downright condescending. Thanks for that.



