In a few weeks I’ll do a workshop about security for people who are tech illiterate, I plan to teach about password managers and 2FA.
If I show the 2FA number codes, like the 123 456 ones that I have to paste when required, can that be a possible security breach for me? or is it save since is gonna change in a few seconds anyway?
You must log in or register to comment.
A place to discuss privacy and freedom in the digital world.
Privacy has become a very important issue in modern society, with companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.
In this community everyone is welcome to post links and discuss topics related to privacy.
Some Rules
- Posting a link to a website containing tracking isn’t great, if contents of the website are behind a paywall maybe copy them into the post
- Don’t promote proprietary software
- Try to keep things on topic
- If you have a question, please try searching for previous discussions, maybe it has already been answered
- Reposts are fine, but should have at least a couple of weeks in between so that the post can reach a new audience
- Be nice :)
Related communities
Chat rooms
-
[Matrix/Element]Dead
much thanks to @gary_host_laptop for the logo design :)
- 0 users online
- 57 users / day
- 383 users / week
- 1.5K users / month
- 5.7K users / 6 months
- 1 subscriber
- 2.44K Posts
- 57.5K Comments
- Modlog
It’s good to keep in mind that while it does improve the overall security of the account, a 2FA/TOTP code can still be phished, so if the user encounters a fake login page and supply his password and 2FA code, it could let an attacker pass the intercepted credentials to the real login page in the background and gain access. Most websites using TOTP will not allow reusing a code more than once in the same time slot, but that’s a moot point if the 2FA code is intercepted without being entered on the legitimate website, but in your case of making a demonstration that would not be a security concern.
It’s important for the user to ensure they’re accessing the legitimate website before typing any credentials and 2FA code.
A safer option nowadays is FIDO2/Passkeys, which will not provide a valid 2FA challenge-response in the case of a spoofed/phishing website, further reducing the possibility of a breach.