kazinator 9 days ago

I believe (and the article should make it clear) that the article is criticizing specifically the use of a code that the user must enter into a box, which invites man-in-the-middle attacks.

The article is not advocating against e-mail-driven URL-based password reset/login, whereby the user doesn't enter any code, but must follow a URL.

The six digit code can be typed into a phony box put up by a malicious web site or application, which has inserted itself between the user and the legitimate site.

The malicious site presents a phony UI prompting the user to initiate a coded login. Behind the scenes, the malicious site does that by contacting the genuine site and provoking a coded login. The user goes to their inbox and copies the code into the malicious site's UI. The site then uses it to obtain a session with the genuine site, taking over the user's account.

An SSL-protected URL cannot be so easily intercepted. The user clicks on it and it goes to the domain of the genuine site.
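As an added example (not code from this comment or from the article it discusses), here is a minimal version of the link-based flow the comment prefers: the secret travels only inside a URL that points at the genuine host, is stored hashed, expires quickly and is single-use, so there is no box into which a look-alike site can ask the user to type it. The origin, class and method names are assumptions.

```python
import hashlib
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Assumed, constructed origin for the genuine site (not from the comment).
GENUINE_ORIGIN = "https://genuine.example"


class MagicLinkService:
    """Link-based login: the secret is only ever carried by a URL that names
    the genuine host, so a look-alike site has no box to collect it in."""

    def __init__(self, ttl_seconds=600, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock                 # injectable for testing
        self._pending = {}                  # sha256(token) -> (user, expires_at)

    def issue(self, user):
        """Mint a one-time token, store only its hash, return the link to e-mail."""
        token = secrets.token_urlsafe(32)   # 256 random bits, unlike a 6-digit code
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (user, self._clock() + self._ttl)
        return f"{GENUINE_ORIGIN}/login/verify?token={token}"

    def redeem(self, url):
        """Simulate the user following the link. Returns the user, or None."""
        parsed = urlparse(url)
        origin = f"{parsed.scheme}://{parsed.netloc}"
        # The browser delivers the token to the host named in the URL; only the
        # genuine host holds the hash table, so a rewritten link verifies nothing.
        if parsed.scheme != "https" or origin != GENUINE_ORIGIN:
            return None
        token = parse_qs(parsed.query).get("token", [""])[0]
        if not token:
            return None
        digest = hashlib.sha256(token.encode()).hexdigest()
        # pop() makes the token single-use; replaying the same link is rejected.
        entry = self._pending.pop(digest, None)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() > expires_at:
            return None
        return user
```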