Badness Enumeration

Tommy 2022-07-27 09:37:53 -04:00 committed by tommytran732
parent 2c212f037f
commit cafb20949e
No known key found for this signature in database
GPG key ID: 060B29EB996BD9F2
29 changed files with 57 additions and 21 deletions

@ -43,7 +43,7 @@ When logging into a website, all you need to do is to physically touch the secur
The service will then forward the one-time password to the Yubico OTP server for validation. A counter is incremented both on the key and Yubico's validation server. The OTP can only be used once, and when a successful authentication occurs, the counter is increased which prevents reuse of the OTP. Yubico provides a [detailed document](https://developers.yubico.com/OTP/OTPs_Explained.html) about the process.
![Yubico OTP](/yubico-otp.png)
![Yubico OTP](/images/yubico-otp.png)
The Yubico validation server is a cloud based service, and you're placing trust in Yubico that their server won't be used to bypass your MFA or profile you. The public ID associated with Yubico OTP is reused on every website and could be another avenue for third-parties to profile you. Like TOTP, Yubico OTP does not provide phishing resistance.
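
Review bot: The new image reference `![Yubico OTP](/images/yubico-otp.png)` is an absolute path, so it only resolves if `yubico-otp.png` was actually moved under `/images/` in this same commit and the site is served from the root. Please confirm the asset move is among the 29 changed files, otherwise the diagram that illustrates the OTP validation flow will break. The commit subject "Badness Enumeration" also says nothing about relocating images, so consider mentioning the path change in the message or splitting it into its own commit.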