We replaced passwords with something worse
17 days ago
- #phishing
- #authentication
- #security
- Many services use a login method involving email/phone number and a 6-digit code.
- This method is bad for security because attackers can exploit it to take over accounts.
- An attacker can enter your email address on a legitimate service's login page, causing that service to send you a real 6-digit code.
- Users have no way to tell whether a code they receive belongs to the service they are actually logging into.
- Password managers, which normally help against phishing, are ineffective here.
- This attack has been used successfully, e.g., with Microsoft's Minecraft accounts.