Love your talk at Cactuscon. It's a great checklist to start off with. This is a follow-up issue to the question I asked.
As we discussed, the U2F method verifies the domain name before it hands over the unique code. CredSniper can't fake that part. It was a bit incredible to see the claim that this handles "all" 2FA but a quick investigation shows that this just punts those to the user-entered codes such as SMS/TOTP.
The question is:
Is it possible to set up a code-less Google or G Suite Account? No backup codes, no TOTP, no SMS.
Possible approaches/ingredients:
- Two U2F keys - I heard this is what they do internally at Google.
- Forcing U2F only validation on the G Suite Domain. Does this disable SMS/Backup Codes/TOTP?
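To make the origin-binding point above concrete, here is an added example that is not part of this issue, of CredSniper, or of the talk. It simulates the three parties in a U2F/WebAuthn login: the browser (which fills in the origin field of clientDataJSON and refuses an rpId that does not match the page's domain), the security key (which signs over the hash of the rpId plus the hash of the client data), and the relying party (which checks origin, rpIdHash, challenge, counter and signature). The relying party name `example.test`, the origin strings, the HMAC standing in for the key's per-credential ECDSA signature, and all sample values are assumptions constructed for the example; a page on a lookalike domain never gets a valid assertion for the real site, which is why a reverse-proxy phishing kit can only fall back to user-typed codes.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct

# Assumed relying party (RP) configuration: the domain the key was registered for.
RP_ID = "example.test"
ALLOWED_ORIGINS = {"https://login.example.test"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def browser_allows_rp_id(origin: str, rp_id: str) -> bool:
    """Browser-side rule: the rpId a page asks for must be the origin's host or a
    parent domain of it (WebAuthn also forbids public suffixes; omitted here).
    A page served from another domain cannot request an assertion scoped to RP_ID."""
    host = origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    return host == rp_id or host.endswith("." + rp_id)


def build_client_data(challenge: bytes, origin: str) -> bytes:
    # The browser, not the page's JavaScript, writes the origin field.
    payload = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    return json.dumps(payload, separators=(",", ":")).encode()


def authenticator_assert(rp_id: str, client_data: bytes, counter: int, cred_secret: bytes):
    """Simulated security key. A real key signs with per-credential ECDSA; an HMAC
    keyed with a constructed credential secret stands in so this runs with stdlib only.
    authData = SHA256(rpId) || flags (UP bit) || 32-bit big-endian counter."""
    auth_data = hashlib.sha256(rp_id.encode("ascii")).digest() + b"\x01" + struct.pack(">I", counter)
    signed = auth_data + hashlib.sha256(client_data).digest()
    return auth_data, hmac.new(cred_secret, signed, hashlib.sha256).digest()


def rp_verify(challenge: bytes, client_data: bytes, auth_data: bytes, sig: bytes,
              cred_secret: bytes, last_counter: int) -> str:
    """Relying-party checks in the order a server should apply them."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if cd.get("challenge") != b64url(challenge):
        return "challenge mismatch"
    if cd.get("origin") not in ALLOWED_ORIGINS:
        return "origin not allowed"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode("ascii")).digest():
        return "rpIdHash mismatch"
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= last_counter:
        return "counter not increasing"
    expected = hmac.new(cred_secret, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return "bad signature"
    return "ok"


def login_attempt(origin: str, requested_rp_id: str = RP_ID,
                  cred_secret: bytes = b"constructed-credential-secret", last_counter: int = 0) -> str:
    """End to end: RP issues a challenge, the page at `origin` asks the browser for an
    assertion scoped to `requested_rp_id`, the key signs, the RP verifies."""
    challenge = secrets.token_bytes(32)
    if not browser_allows_rp_id(origin, requested_rp_id):
        return "browser refused: rpId not valid for origin"
    client_data = build_client_data(challenge, origin)
    auth_data, sig = authenticator_assert(requested_rp_id, client_data, last_counter + 1, cred_secret)
    return rp_verify(challenge, client_data, auth_data, sig, cred_secret, last_counter)


if __name__ == "__main__":
    print("legitimate site:", login_attempt("https://login.example.test"))
    print("lookalike, asks for real rpId:", login_attempt("https://login.example-lookalike.test"))
    print("lookalike, asks for its own rpId:",
          login_attempt("https://login.example-lookalike.test", requested_rp_id="example-lookalike.test"))
```

The two lookalike cases show the two layers: the browser will not even ask the key for an assertion scoped to the real site's rpId, and if the page asks for an rpId it does own, the relying party rejects the assertion because the browser-written origin (and the rpIdHash the key signed) belong to the wrong domain. Neither layer exists for SMS or TOTP codes, which is why those are the fallback a phishing proxy ends up relying on.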