Hacker News

Wouldn't a phishing site be able to proxy the challenge and then record and proxy the response which the user types in? I.e. MITM the 2fa?



Yes, there is existing software to automate this, I presume that competent bad guys already use that.

However you can't do this to WebAuthn (or its non-standard predecessor U2F). The WebAuthn challenge is bound to a DNS name, by the client browser. So https://fake-bank.example/important/urgent/thing/ignore/the/... can't get credentials for real-bank.example even if the human is utterly convinced the fake site is their real bank, because you need to fool the web browser not just a human.

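The origin binding the comment above describes can be modelled in a few dozen lines. The following is an added example, not code from the thread or from any WebAuthn library: it simulates the browser-plus-authenticator side of `navigator.credentials.get()` and the relying party's assertion checks (challenge, `origin`, `rpIdHash`, user-presence flag), then runs a legitimate login and a relayed-challenge attempt side by side. The hostnames `real-bank.example` and `fake-bank.example` are the ones from the comment; the registrable-domain rule is simplified to "host equals the rpId or is a subdomain of it", and the credential signature check is deliberately left out so the script runs with the standard library only.

```python
"""Model of WebAuthn origin binding (added example; simplified, signature check omitted)."""
import base64
import hashlib
import json
import secrets
from urllib.parse import urlparse


def b64url(data: bytes) -> str:
    """Base64url without padding, as WebAuthn encodes the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_get_assertion(page_origin: str, rp_id: str, challenge: bytes):
    """Browser + authenticator half of navigator.credentials.get().

    The browser, not the page's JavaScript, fills in `origin` from the URL it is
    actually showing, and refuses an rpId the current origin is not allowed to use
    (simplified registrable-domain rule: host == rp_id or a subdomain of it).
    """
    host = urlparse(page_origin).hostname or ""
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError(f"SecurityError: origin {page_origin} may not use rpId {rp_id}")
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,
    }).encode()
    # authenticatorData = rpIdHash (32 bytes) || flags (1 byte, UP bit set) || signCount (4 bytes)
    authenticator_data = (
        hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    )
    # A real authenticator now signs authenticator_data || sha256(client_data_json) with the
    # credential's private key, so the origin is covered by the signature. Omitted here.
    return client_data_json, authenticator_data


def rp_verify(expected_origin: str, expected_rp_id: str, issued_challenge: bytes,
              client_data_json: bytes, authenticator_data: bytes):
    """Relying-party checks from the WebAuthn assertion verification procedure."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != expected_origin:
        return False, f"origin mismatch: {cd.get('origin')}"
    if authenticator_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def scenario():
    """Legitimate login vs. a phishing proxy relaying the bank's challenge."""
    bank_origin, bank_rp_id = "https://real-bank.example", "real-bank.example"
    challenge = secrets.token_bytes(32)  # issued by the real bank's server

    # 1. User on the real site: origin and rpIdHash match what the bank expects.
    cdj, ad = browser_get_assertion(bank_origin, bank_rp_id, challenge)
    legit = rp_verify(bank_origin, bank_rp_id, challenge, cdj, ad)

    # 2. Proxy relays the same challenge to the victim on fake-bank.example.
    phish_origin = "https://fake-bank.example"
    try:
        browser_get_assertion(phish_origin, bank_rp_id, challenge)
        browser_verdict = "browser allowed it"
    except ValueError as exc:
        browser_verdict = str(exc)  # browser refuses the bank's rpId on a foreign origin

    # 3. Even with its own rpId, the assertion carries the phishing origin and
    #    a different rpIdHash, so the bank rejects it.
    cdj2, ad2 = browser_get_assertion(phish_origin, "fake-bank.example", challenge)
    relayed = rp_verify(bank_origin, bank_rp_id, challenge, cdj2, ad2)
    return legit, browser_verdict, relayed


if __name__ == "__main__":
    for label, result in zip(("legit", "browser", "relayed"), scenario()):
        print(f"{label}: {result}")
```

The point the script makes is that the response is not just a number a user can retype elsewhere: the origin and rpIdHash are written into the signed material by the browser and authenticator, so a relayed challenge produces an assertion the real site cannot accept, whichever rpId the proxy asks for.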
AFAIK zero banks use WebAuthn...


Depends what you want to achieve. With wire transfers there's usually (always?) info about amount and last few digits of the account you're transferring money to on your 2FA provider.



