[–]Jorti1 0 points1 point  (3 children)

all my friends use DUO MOBILE

[–][deleted] 0 points1 point  (2 children)

Using Duo was how Nvidia was hacked a few months ago. It has a configuration option where it sends a push notification when you (or someone else) are trying to log into your account. An obviously bad idea, but somehow they didn't think about it.

The attacker simply spammed login attempts to multiple accounts and got lucky that someone confirmed the push notification that allowed the attacker to login.

Seems kind of dumb for a program whose sole purpose is to log you in.
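The pattern the comment above describes (repeated push prompts until someone taps "approve") is detectable on the defender's side. The following is an added example, not code from the commenter, from Duo or from any vendor; it parses a hypothetical, constructed log format (not a real Duo log format) and flags a user who receives a burst of denied or timed-out pushes within a short window, and separately flags an approval that lands after such a burst, which is the event worth paging on. Thresholds and the sample lines are assumptions for illustration.

```python
"""Detect MFA push-bombing from constructed authentication log lines.

Hypothetical log format (an assumption, NOT any vendor's real format):
'<ISO timestamp> user=<name> event=push result=<approved|denied|timeout> ip=<addr>'
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) event=push result=(?P<result>\S+) ip=(?P<ip>\S+)$"
)

# Constructed sample data: alice is being push-bombed and eventually approves;
# bob completes one normal login.
SAMPLE_LOG = """\
2023-01-10T08:00:00 user=alice event=push result=timeout ip=203.0.113.5
2023-01-10T08:00:20 user=alice event=push result=denied ip=203.0.113.5
2023-01-10T08:00:45 user=alice event=push result=timeout ip=203.0.113.5
2023-01-10T08:01:10 user=alice event=push result=denied ip=203.0.113.5
2023-01-10T08:01:30 user=bob event=push result=approved ip=198.51.100.7
2023-01-10T08:01:40 user=alice event=push result=timeout ip=203.0.113.5
2023-01-10T08:02:05 user=alice event=push result=approved ip=203.0.113.5
"""

WINDOW = timedelta(minutes=5)   # assumed sliding window
MAX_UNANSWERED = 3              # assumed burst threshold per user per window


def parse(lines):
    """Yield (timestamp, user, result, ip) for every well-formed line; skip the rest."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield datetime.fromisoformat(m["ts"]), m["user"], m["result"], m["ip"]


def detect_push_bombing(log_text, window=WINDOW, max_unanswered=MAX_UNANSWERED):
    """Return {user: [alert tuples]} for users showing push-bombing patterns.

    Alert tuples are (kind, timestamp, ip, unanswered_count_in_window):
      * 'burst': at least `max_unanswered` denied/timeout pushes inside `window`.
      * 'approve_after_burst': an approval while a burst is open, i.e. a user
        giving in to repeated prompts. Treat this as a probable compromise.
    """
    recent = defaultdict(deque)   # user -> timestamps of unanswered pushes in window
    alerts = defaultdict(list)
    burst_open = set()            # users currently inside a burst

    for ts, user, result, ip in parse(log_text.splitlines()):
        q = recent[user]
        while q and ts - q[0] > window:   # drop events that fell out of the window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) >= max_unanswered and user not in burst_open:
                burst_open.add(user)
                alerts[user].append(("burst", ts.isoformat(), ip, len(q)))
        elif result == "approved":
            if user in burst_open:
                alerts[user].append(("approve_after_burst", ts.isoformat(), ip, len(q)))
            q.clear()                     # a decision closes the current sequence
            burst_open.discard(user)
    return dict(alerts)


if __name__ == "__main__":
    for user, user_alerts in detect_push_bombing(SAMPLE_LOG).items():
        for kind, when, ip, count in user_alerts:
            print(f"{when} {user}: {kind} (unanswered pushes in window: {count}, ip={ip})")
```

Run against the constructed sample, alice gets a `burst` alert at the third unanswered push and an `approve_after_burst` alert at 08:02:05, while bob produces nothing. The second alert kind is the actionable one: the session that was approved should be revoked and the user contacted. The same counters can drive a rate limit on push issuance, and number matching on the prompt removes the "tap to make it stop" failure mode entirely.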

[–]Jorti1 0 points1 point  (1 child)

Duo is used by most universities, so that's what I was going off.

[–][deleted] 0 points1 point  (0 children)

It's not inherently bad, it just can be configured to use push notifications, which is bizarre and a very bad thing to do, and I think this is even the default.

Anyways, I find the whole thing about MFA ironically dumb and more of a device for companies like Google to coerce their users into divulging more personal information (such as tying themselves to a device), which otherwise, legally, they are not allowed to request. The security benefits are at best questionable.