continuational 9 days ago
Easy to mitigate by only allowing the device that requested the 6-digit code to use the code. Edit: See first reply, this is not a mitigation at all!
chii 9 days ago
But the device is under the control of BAD. They fake a signin on their backend to GOOD. Your computer never touches GOOD at all, except for seeing the email from GOOD (which you're told about by BAD, and lied to about it being a partner signin thing). The problem being exploited by BAD is that your login account identifier (email in this case) is used in both GOOD and BAD (accidentally or deliberately orchestrated), and 2-factor does not prevent this type of phishing.
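As an added example (not code from either commenter), a toy model of the relay chii describes: BAD's backend opens the login with GOOD, so a code bound to the requesting session is still redeemable by BAD, whereas a credential whose signature covers the page origin (the WebAuthn idea) is rejected because the user's browser was on bad.example. The origins good.example and bad.example, the GoodSite class and the HMAC stand-in for an authenticator signature are all constructed for this illustration.

```python
import hashlib, hmac, secrets

GOOD_ORIGIN = "https://good.example"  # constructed origins, not real sites
BAD_ORIGIN = "https://bad.example"


def sign(key, challenge, origin):
    """Stand-in for an authenticator signature that covers the page origin."""
    return hmac.new(key, f"{challenge}|{origin}".encode(), hashlib.sha256).hexdigest()


class GoodSite:  # toy GOOD, constructed for this example
    def __init__(self):
        self.pending = {}  # session id -> (email, code or challenge)
        self.outbox = []   # (email, code): stands in for the emails GOOD sends
        self.keys = {}     # email -> key registered for origin-bound login

    def start_code_login(self, email):
        sid = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[sid] = (email, code)
        self.outbox.append((email, code))
        return sid

    def finish_code_login(self, sid, code):
        # The binding from the parent comment: only the requesting session may redeem.
        email, expected = self.pending.pop(sid, (None, ""))
        return email if email and hmac.compare_digest(expected, code) else None

    def start_key_login(self, email):
        sid, challenge = secrets.token_hex(8), secrets.token_hex(16)
        self.pending[sid] = (email, challenge)
        return sid, challenge

    def finish_key_login(self, sid, assertion):
        email, challenge = self.pending.pop(sid, (None, ""))
        expected = sign(self.keys.get(email, b""), challenge, GOOD_ORIGIN)
        return email if email and hmac.compare_digest(expected, assertion) else None


def relay_code_login(good, email):
    """BAD's backend starts the login, the user types GOOD's code into BAD."""
    bad_sid = good.start_code_login(email)  # the bound session belongs to BAD
    _, code = good.outbox[-1]               # the user reads this from GOOD's email
    return good.finish_code_login(bad_sid, code)


def relay_key_login(good, email, user_key):
    """Same relay, but the user's browser signs while on bad.example."""
    bad_sid, challenge = good.start_key_login(email)
    assertion = sign(user_key, challenge, BAD_ORIGIN)
    return good.finish_key_login(bad_sid, assertion)
```

The code relay returns the victim's email (login accepted) even with session binding in place; the origin-bound relay returns None because GOOD verifies the assertion against its own origin.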