Quote:
Originally Posted by rowan
1) First 2FA value is captured by phish site, and passed through. At this point if login was to succeed they would have control of your account.
Yes, but if, for example, I log in to Namecheap and provide my 2FA, that password is valid only the moment I use it, because 2FA is in effect an OTP (one-time password).
Since I am using it as soon as I receive it, the 2FA is of no use to the phisher, who has no way to obtain a new one because he doesn't own my phone. I think technically it's possible but difficult for a phish site to use a 2FA.