Collaborate Disseminate
I know that when enabling 2FA all sessions must expire.
But how about disabling 2FA? Should all sessions expire then?
I know that disabling 2FA is a risk, but that’s not the question. I’m wondering only about all active sessions – do they … Continue reading Should all sessions expire after disabling 2FA?
I’m trying to avoid Google device notification-based 2-factor auth ("push MFA"), which Google keeps enabling if I log into Google websites in a browser on an Android device (even if the device has no Google account at the OS leve… Continue reading Which Android browser can I use so that Google will not force push-MFA? [closed]
My bank’s online services, as a second factor, use a "memorable phrase". Upon login, I am prompted to enter three characters from that phrase, at specified indexes – say, 3rd, 7th, 10th character. Login is denied if this does not… Continue reading Securely storing a password for matching against its substrings
My bank’s online services, as a second factor, use a "memorable phrase". Upon login, I am prompted to enter three characters from that phrase, at specified indexes – say, 3rd, 7th, 10th character. Login is denied if this does not… Continue reading Securely storing a password for matching against its substrings
I’ve noticed that some websites implementing SMS-based MFA display a "reference code" on the website during login or transaction confirmation, and this code is also included in the SMS containing the OTP.
The user is instructed t… Continue reading Why does SMS-based MFA sometimes include a ref. code to match on the website + SMS?
I’ve noticed that many services don’t specify the purpose behind verification codes. For example when signing up to a service, we often want/need to verify that the email address or phone number is indeed ours. We might also need to verify… Continue reading Is it bad practice to state the purpose of a verification code?
GitHub recently reminded me to save backup codes to avoid losing access to my account. I wrote down my codes a few years ago and haven’t taken further action since. However, I’m now wondering: do backup codes ever expire? Should I occasion… Continue reading Can I rely on my backup codes to remain valid indefinitely?
I’ve enabled 2FA on my website. During tests, I’ve noticed that users can use the 2FA codes multiple times. How can I ensure that each code can only be used once?
Continue reading How to prevent 2FA codes from being used multiple times?
Currently I am working on implementing/supporting WebAuthN in my service (JAVA). I have a Control Plane which handles the registration ceremony and Data Plane that handles the authentication ceremony. I am using WebAuthN4J. The persistent … Continue reading Is clientDataJson and attestationObject required to verify assertion during authentication in WebAuthN?
How can I bypass Gmail 2FA by using metasploit payload? The problem is not to dump the sms, the problem is that they send pair of numbers to click on from device that have login Gmail in that. Like click on "83" from your phone.
… Continue reading Bypass Gmail MFA using metasploit [closed]