
Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail - panarky
https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/
======
m-p-3
They're mostly exploiting an insecure side-channel, which is SMS. If you have
the option to avoid SMS as a 2FA towards a safer solution (TOTP, FIDO,
WebAuthn), please switch.

~~~
panarky
No, this is different. They're not exploiting insecure SMS.

2fa apps appear to be vulnerable, but FIDO keys are secure.

 _In theory, there’s little reason the technique shouldn’t work against Google
Authenticator and other 2fa apps that either transmit a one-time password or
ask people to click an approval button._
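
Added example, not part of the thread or the linked article: it contrasts what a server can check for a one-time code from a 2fa app with what it can check for a FIDO/WebAuthn login. The origins, challenge and helper names are constructed for illustration, and verification of the authenticator's signature over the client data is assumed and left out.

```python
import base64, hashlib, hmac, json, struct

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps implement."""
    mac = hmac.new(secret, struct.pack(">Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    val = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(val % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, code: str, unix_time: int) -> bool:
    # The server receives only the digits. Nothing in them records which
    # page the user typed them into, so a forwarded code verifies the same.
    return hmac.compare_digest(totp(secret, unix_time), code)

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_client_data(challenge: bytes, page_origin: str) -> bytes:
    # Stand-in for the browser (hypothetical helper): it, not the page,
    # writes the origin of the site the user is actually on.
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": page_origin}).encode()

def verify_client_data(client_data_json: bytes, challenge: bytes, rp_origin: str) -> bool:
    """Relying-party checks on WebAuthn clientDataJSON for a login assertion."""
    cd = json.loads(client_data_json)
    return (cd.get("type") == "webauthn.get"
            and cd.get("challenge") == b64url(challenge)
            and cd.get("origin") == rp_origin)

# Constructed sample values
SECRET = b"12345678901234567890"            # RFC 6238 test secret
CHALLENGE = b"constructed-challenge-0001"
RP_ORIGIN = "https://accounts.example.com"  # the real site (constructed)
LOOKALIKE = "https://accounts-example.test" # a lookalike site (constructed)

if __name__ == "__main__":
    code = totp(SECRET, 59)
    print("TOTP accepted:", verify_totp(SECRET, code, 59))
    for origin in (RP_ORIGIN, LOOKALIKE):
        ok = verify_client_data(browser_client_data(CHALLENGE, origin), CHALLENGE, RP_ORIGIN)
        print(f"WebAuthn assertion created on {origin} accepted: {ok}")
```
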

