Quote:
Originally Posted by KlenTelaris
By riding on session. And here is how it works: let's say i have trojan on your PC, and i have access to your browser cookies. So, you login into system, using the 2FA device, and then i copy your cookie into my browser,and i get instant access. This works only as long cookie is valid, so if you click logout it wont work anymore, but if you leave browser without deleting cookie, it will be compromised.
|
Yeah, that's a whole new level of compromised. It'd be nice if they did what crypto exchanges do with Google Auth: every transaction you need to use your 2FA. Logging in 2FA simply isn't enough.