kazinator | 9 days ago
I believe (and the article should make it clear) that the article is criticizing specifically the use of a code that the user must enter into a box, which invites man-in-the-middle attacks. The article is not advocating against e-mail-driven, URL-based password reset/login, whereby the user doesn't enter any code but must follow a URL. The six-digit code can be typed into a phony box put up by a malicious web site or application which has inserted itself between the user and the legitimate site. The malicious site presents a phony UI prompting the user to initiate a coded login. Behind the scenes, the malicious site does that by contacting the genuine site and provoking a coded login. The user goes to their inbox and copies the code into the malicious site's UI. The site then uses it to obtain a session with the genuine site, taking over the user's account. An SSL-protected URL cannot be so easily intercepted. The user clicks on it and it goes to the domain of the genuine site.
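The URL-based flow the comment prefers, as an added example (not part of the comment or of any project's code): a minimal magic-link issuer and redeemer in which the token only ever travels inside a URL to the genuine origin, is stored server-side as a hash, expires, is single-use, and is bound to the browser session that requested it, so a link requested by someone else's browser (the attacker-initiated case described above) is not silently turned into a login. All names, the origin and the session ids are constructed for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumed/constructed values for the example; not a real site or API.
GENUINE_ORIGIN = "https://example.com"
TOKEN_TTL_SECONDS = 600
_pending = {}  # sha256(token) -> (account, initiating_session, issued_at)


def _hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_link(account: str, initiating_session: str, now: float = None) -> str:
    """Create a single-use login URL for `account`.

    The raw token appears only in the URL that is e-mailed to the user;
    the server keeps just its hash, so a database leak does not yield
    redeemable links.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _pending[_hash(token)] = (account, initiating_session, now)
    return f"{GENUINE_ORIGIN}/login/magic?token={token}"


def redeem(url: str, presenting_session: str, now: float = None) -> str:
    """Return 'LOGIN:<account>', 'CONFIRM:<account>' or 'REJECT:<reason>'."""
    now = time.time() if now is None else now
    origin, _, token = url.partition("/login/magic?token=")
    if origin != GENUINE_ORIGIN or not token:
        # The link is only meaningful at the genuine domain; there is no
        # box on any other site where the token could be "entered".
        return "REJECT:wrong_origin"
    record = _pending.pop(_hash(token), None)  # pop => single use
    if record is None:
        return "REJECT:unknown_or_used"
    account, initiating_session, issued_at = record
    if now - issued_at > TOKEN_TTL_SECONDS:
        return "REJECT:expired"
    if not hmac.compare_digest(initiating_session, presenting_session):
        # Requested from a different browser than the one clicking: do not
        # log anyone in silently; ask the user to confirm they started it.
        return f"CONFIRM:{account}"
    return f"LOGIN:{account}"
```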