On 31.03.24 at 21:19, Simon de Vlieger wrote:
I don't quite agree with you. Two factor authentication whether an actual second
factor device or not does prevent credential stuffing which is a common attack
method that is easy to perform. It is when people take databases of previously
leaked passwords and try them on other accounts that belong to the same person.
Since two factors are generally unique per login situation they can't be stuffed
in the same way.
Of course there are many things two factor does not protect against.
2FA in a lot of cases is just access to a different account (e.g. email
or even SMS) and these normally aren't unique. Sure, there are other
ways like FIDO2, but these are not necessarily used (or liked, quite
frankly I know a lot of people who would lose them on a monthly basis,
but still are quite smart about other stuff).
This can also lead to a pretty interesting "circle" of 2FA where for
example email a is the 2FA address for email b and email b is the 2FA
address for email a. If it's the only option it can also lead to a
chicken and egg problem for young people who want to create e.g. their
first email account. But this paragraph is beside the point.
So, sure, 2FA would prevent people from just trying out leaked
passwords. But an attack like this would not be a "spray and pray"
attack, but it would be a targeted one. This means that the acceptable
effort from the attacker would be quite a bit higher.
2FA would prevent script kiddies and "spray and pray"-style attacks from
being successful. But more? Doubtful.
Regards
Kilian Hanich