I was thinking for a while now about 2FA. I'm not a security expert, I'm a developer, and usually, if I use these codes, I rely on an existing implementation. So my knowledge is limited, but I do understand the concept of how these codes are generated. It's based on time, right? Even if your phone is offline, it'll continue generating codes based on your phone's time.
Suppose (theoretically) I got access to a friend's phone for 3-4 minutes, but I wouldn't want to be too obvious about it and log in directly in front of them. Can I change the phone time 1 hour forward, remember 1-2-3 codes with their corresponding times, and then try to log in to their account in an hour with the codes that I remember? Of course, this hinges on the fact that I do have physical access to the device and know the password, so basically I already got through 90% of the hurdles, but I just wonder if these 2FA codes are "predictable" in the sense of changing the device time into the future?
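The post asks whether time-based codes are predictable from a shifted clock. TOTP (RFC 6238) answers that directly: the code is HMAC-SHA1 over the shared secret and the time-step counter, so given the secret it is a pure function of time. The example below is added here and is not code from the post or from any particular authenticator; it uses the RFC 6238 test-vector secret (the ASCII string `12345678901234567890`), a 30-second step and 6 digits, and the `TotpVerifier` class with its `window` and `last_counter` fields is an assumed, minimal server-side design. It shows the defender's side of the question: a verifier only accepts a code within a small clock-drift window around its own current time, and it records the highest counter it has accepted so the same code cannot be used twice.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default)
DIGITS = 6   # code length


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, unix_time // step, digits)


def future_codes(secret: bytes, now: int, minutes_ahead: int, count: int):
    """Codes an authenticator would display if its clock were set minutes_ahead forward.
    Returned as (step_start_time, code) pairs; this is just totp() evaluated at later counters,
    which is the whole point: time is the only input besides the secret."""
    base = (now + minutes_ahead * 60) // STEP
    return [(c * STEP, hotp(secret, c)) for c in range(base, base + count)]


class TotpVerifier:
    """Assumed minimal server-side verifier (not from any real product).

    window: how many steps of clock drift to tolerate on either side of 'now'.
    last_counter: highest counter already accepted; RFC 6238 section 5.2 says a
    counter must not be accepted twice, which blocks replay of an observed code.
    """

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window
        self.last_counter = -1

    def verify(self, code: str, now: int) -> bool:
        counter = now // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already used (or older than a used code): reject replay
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 Appendix B test secret (constructed input)
    now = 1111111109                  # an RFC 6238 test timestamp
    print("code now:", totp(secret, now))
    print("code one hour ahead:", future_codes(secret, now, 60, 1))
    v = TotpVerifier(secret)
    print("accepted now:", v.verify(totp(secret, now), now))
    print("same code again:", v.verify(totp(secret, now), now))
```

The takeaway for anyone deploying TOTP is that the secret on the device is the entire security boundary; the clock is public. Mitigations therefore live on the server side (a tight drift window, rejecting reused counters, and treating an unexpected jump in accepted counters or a code presented long after enrollment-device activity as a signal worth alerting on) and on the device side (protecting the authenticator with a screen lock or app lock so brief physical access does not expose the secret's output).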
from hacking: security in practice https://ift.tt/IiBYf9u