In a few weeks I’ll do a workshop about security for people who are tech illiterate, I plan to teach about password managers and 2FA.

If I show the 2FA number codes, like the 123 456 ones that I have to paste when required, can that be a possible security breach for me? or is it save since is gonna change in a few seconds anyway?

  • m-p{3}A
    link
    fedilink
    English
    arrow-up
    12
    ·
    edit-2
    1 year ago

    It’s good to keep in mind that while it does improve the overall security of the account, a 2FA/TOTP code can still be phished, so if the user encounters a fake login page and supply his password and 2FA code, it could let an attacker pass the intercepted credentials to the real login page in the background and gain access. Most websites using TOTP will not allow reusing a code more than once in the same time slot, but that’s a moot point if the 2FA code is intercepted without being entered on the legitimate website, but in your case of making a demonstration that would not be a security concern.

    It’s important for the user to ensure they’re accessing the legitimate website before typing any credentials and 2FA code.

    A safer option nowadays is FIDO2/Passkeys, which will not provide a valid 2FA challenge-response in the case of a spoofed/phishing website, further reducing the possibility of a breach.