> I previously thought that we were just having a difference of risk tolerance

If an attacker via a phone call is able to get the victim to (a) unlock their 1Password vault, (b) spell out their password for account X, what makes you think they couldn't get them to also (c) open their 2FA app and spell out their TOTP token? Given the context this discussion is about (someone with a 1Password vault, storing unique passwords and TOTP secrets for each account they have), do you see any scenario in which a user gets his password stolen but not the token (or the OTP secret seed altogether)?

> if you think some rando can _phish_ a TOTP secret

(setting up an identical website to the real one) Stealing a valid TOTP token is trivial, and such campaigns have already been spotted in the wild.
