LoganDark | 9 days ago
TOTP is vulnerable to the same attack, though. If you are fooled into providing the code, it doesn't matter whether it's a fresh one to your email or a fresh one from your authenticator.

eddythompson80 | 9 days ago
They are, which is one major issue with TOTP and most current MFA methods. There is an implicit assumption that you only get the full benefit if you're using a password manager.

1. A password manager shouldn't be vulnerable to putting your password in a phishing site.
2. If your password is leaked, an attacker can't use it without the TOTP.

Someone who doesn't use a password manager won't get the benefits of #1, so they can be phished even with a TOTP. But they will get the benefits of #2 (a leaked password isn't enough).

Passkeys assume/require the use of a password manager (called a "passkey provider").

anonymars | 9 days ago
Sure, but you would have needed to input a password first, which autofill wouldn't have put into a spoofed site |
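
The distinction drawn in this thread, as an added example that is not part of any commenter's post: a TOTP code is computed from the shared secret and the clock only, so the server cannot tell which page collected it, while a password manager keys its vault on the page origin and releases nothing on a mismatch. The secret is the RFC 6238 test value; the two URLs, the vault layout and the function names are constructed for illustration.

```python
import hashlib
import hmac
import struct
from urllib.parse import urlsplit

# Constructed sample values: the RFC 6238 test secret and two made-up sites.
SECRET = b"12345678901234567890"
REAL = "https://accounts.example.com/login"
LOOKALIKE = "https://accounts-example.test/login"

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1). The only inputs are the secret and the time."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def server_accepts(secret, code, now, window=1, step=30):
    """Server check: it sees the code, never the page the user typed it into."""
    return any(
        hmac.compare_digest(totp(secret, max(now + step * d, 0), step), code)
        for d in range(-window, window + 1)
    )

def origin_of(url):
    """(scheme, host, port) triple used as the vault key."""
    parts = urlsplit(url)
    default = {"https": 443, "http": 80}.get(parts.scheme)
    return (parts.scheme, parts.hostname, parts.port or default)

def autofill(vault, page_url):
    """Password-manager behaviour: release a credential only on an exact origin match."""
    return vault.get(origin_of(page_url))

def demo():
    vault = {origin_of(REAL): ("alice", "constructed-password")}
    code = totp(SECRET, 59)  # what the authenticator app displays
    return {
        "autofill_on_real": autofill(vault, REAL) is not None,
        "autofill_on_lookalike": autofill(vault, LOOKALIKE) is not None,
        # The same six digits verify regardless of which page collected them.
        "code_accepted_by_server": server_accepts(SECRET, code, now=61),
    }

if __name__ == "__main__":
    print(demo())
```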