Push notification two-factor auth considered harmful

Created on 2022-09-17T09:07:06-05:00


This card pertains to a resource available on the internet.


An Uber service was hacked by an attacker who spammed login requests while the IT staff was trying to sleep. The phone continuously prompted them to confirm a login, and they denied it.

Websites should use WebAuthn to allow integration with hardware keys as an alternative to push notifications.
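
An added example (not from the linked resource or this card) of one server-side mitigation for the prompt spamming described above: once an account has denied several push prompts in a short window, stop sending push and offer only WebAuthn. The class, event names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600   # assumption: look-back window for counting denials
MAX_DENIALS = 3        # assumption: denials tolerated inside the window

class PushPromptGuard:
    """Stops sending push prompts to an account that keeps denying them."""
    def __init__(self, window=WINDOW_SECONDS, max_denials=MAX_DENIALS):
        self.window = window
        self.max_denials = max_denials
        self._denials = defaultdict(deque)   # user -> timestamps of denied prompts
        self._push_disabled = set()          # users currently limited to WebAuthn

    def record_denial(self, user, ts):
        q = self._denials[user]
        q.append(ts)
        while q and ts - q[0] > self.window:  # forget denials older than the window
            q.popleft()
        if len(q) >= self.max_denials:
            self._push_disabled.add(user)

    def factor_for_login(self, user):
        """Second factor to offer for the next login attempt."""
        return "webauthn_only" if user in self._push_disabled else "push"

    def record_webauthn_success(self, user):
        """The owner proved possession of a hardware key: allow push again."""
        self._push_disabled.discard(user)
        self._denials.pop(user, None)

def replay(events, guard=None):
    """Replay (ts, user, event) tuples; return the factor offered per login attempt."""
    guard = guard or PushPromptGuard()
    offered = []
    for ts, user, event in events:
        if event == "login_attempt":
            offered.append((ts, guard.factor_for_login(user)))
        elif event == "push_denied":
            guard.record_denial(user, ts)
        elif event == "webauthn_ok":
            guard.record_webauthn_success(user)
    return offered

# Constructed sample: three denied prompts, two more attempts, then a hardware-key login.
SAMPLE = [(t, "alice", e) for t, e in [
    (0, "login_attempt"), (5, "push_denied"), (60, "login_attempt"), (65, "push_denied"),
    (120, "login_attempt"), (125, "push_denied"), (180, "login_attempt"),
    (240, "login_attempt"), (300, "webauthn_ok"), (360, "login_attempt")]]

if __name__ == "__main__":
    for ts, factor in replay(SAMPLE):
        print(ts, factor)
```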

Quinn: so according to [this page] push login prompt should have a "fuck off my account is being hijacked" button :blobcatlul: