Mobile phone-based two-factor authentication (2FA) mechanisms are plagued by synchronization vulnerabilities that allow attackers intercept One-Time Passwords (OTPs) and bypass the security of many financial services, researchers say.
In their paper called “How Anywhere Computing Just Killed Your Phone-Based Two-Factor Authentication,” researchers Radhesh Krishnan Konoth, Victor van der Veen, and Herbert Bos demonstrate practical attacks against both Android and iOS devices, showing how a Man-in-the-Browser attack can be elevated to bypass 2FA.
Leave a reply
