apt-apt-apt-apt 9 days ago

Would it be a viable and simple solution to only enter 6-digit codes into the specific website that requested it?

Isn't this the same thing as BAD asking, "let us know the code (i.e. password) that GOOD gave you"? Why would one be inclined to give BAD (i.e. someone else) this info?

FabHK 9 days ago | parent | next [-]

If you're phished, you're probably not checking the domain too carefully anyway.

You get an email, providing you with a phishing link for miсrosoft.com (where the apparent c is actually the Cyrillic "s", so BAD). In the background, they initiate a login to microsoft.com (GOOD), who then send you a 6-digit code from the actual microsoft.com. If you were fooled by the original phishing website, you have no reason to doubt the code or not enter it.

kylehigginson 9 days ago | parent | prev [-]

This came to my mind too. But by using a password manager it will be able to differentiate between the GOOD and BAD site. So I think the point is valid only if the user is not using a password manager.

pmontra 9 days ago | parent [-]

Or copy-pasting passwords manually. In that case the password manager is equivalent to a list of passwords on a sheet of paper.
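Two points in this thread are easy to make concrete: the homoglyph domain in FabHK's example (a Cyrillic letter standing in for a Latin one) and the reason kylehigginson's password manager is not fooled by it (it matches the stored origin against what the browser actually resolves, not against what the eye sees). The following is an added illustration, not code from any commenter; the hostnames are constructed samples, and `manager_would_fill` is a hypothetical stand-in for a real manager's exact-host matching.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed samples: the lookalike from the thread, with a Cyrillic
# "es" (U+0441) in place of the Latin "c", beside the genuine host.
LOOKALIKE = "mi\u0441rosoft.com"
GENUINE = "microsoft.com"


def scripts_in_label(label):
    """Return the set of Unicode scripts (LATIN, CYRILLIC, ...) used in one
    DNS label, taken from the first word of each character's Unicode name."""
    scripts = set()
    for ch in label:
        if ch.isascii():
            if ch.isalpha():
                scripts.add("LATIN")
            continue  # digits and hyphens carry no script
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def is_mixed_script(hostname):
    """True when any label mixes scripts (e.g. Latin + Cyrillic), the classic
    homoglyph pattern. A genuine single-script IDN does not trigger this."""
    return any(len(scripts_in_label(label)) > 1 for label in hostname.split("."))


def punycode(hostname):
    """The IDNA A-label: what the browser actually sends in DNS and TLS.
    A lookalike becomes an 'xn--' name that shares nothing with the genuine one."""
    return hostname.encode("idna").decode("ascii")


def manager_would_fill(stored_origin, page_url):
    """Hypothetical model of a password manager's exact-host match (assumption,
    not any specific product's logic): compare the punycode host of the page
    with the punycode host of the stored entry. The eye sees 'microsoft.com'
    twice; the comparison sees two different ASCII strings."""
    stored_host = urlsplit(stored_origin).hostname or ""
    page_host = urlsplit(page_url).hostname or ""
    return punycode(page_host) == punycode(stored_host)


if __name__ == "__main__":
    for host in (GENUINE, LOOKALIKE):
        print(f"{host!r:>22} -> {punycode(host):<24} mixed-script={is_mixed_script(host)}")
    print("manager fills on lookalike:",
          manager_would_fill("https://microsoft.com/login", f"https://{LOOKALIKE}/login"))
```

The mixed-script check is the cheap heuristic a mail gateway or URL-rewriting proxy can apply to links before a human ever sees them; the punycode comparison is why a manager that auto-fills (rather than a user copy-pasting, as pmontra notes) stays silent on the BAD site. Neither helps once the user types the relayed 6-digit code by hand, which is the thread's actual point.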