Open nelsonjchen opened 6 years ago
Loved your talk at CactusCon. It's a great checklist to start off with. This is a follow-up issue to the question I asked.
As we discussed, the U2F method verifies the domain name before it hands over the unique code. Credsniper can't fake that part. It was a bit incredible to see the claim that this handles "all" 2FA, but a quick investigation shows that this just punts those to the user-entered codes such as SMS/TOTP.
The question is:
Is it possible to set up a code-less Google or G Suite account? No backup codes, no TOTP, no SMS.
Possible approaches/ingredients:
Also, how does this experience, if there are no codes, work on iOS and Android? What if we exempted 2FA only during setup and then enforced it afterwards?
I also got a lot of this from here:
It looks like it is possible. If you visit this link on a Gmail account, it's a very friendly wizard to get started on disabling the codes. If you visit this link on a G Suite account, it'll punt on the friendliness, but it'll point to this page about setting up Advanced Protection for G Suite. I don't think the email scanning checkboxes mentioned there will work against that calendar phishing attack, though, but "require security token" should be seriously effective.
https://myaccount.google.com/advanced-protection/enroll/details?pli=1
I think what's left is to see if these options can cause credsniper to totally fail.
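The origin-binding step that the thread says a reverse-proxy phish cannot fake, as an added simulation that is not part of this issue, of Google's code, or of Credsniper: a toy security key, browser and relying party (RP). The authenticator signs over the RP ID hash plus the hash of clientDataJSON, and clientDataJSON carries the origin the browser actually saw, so an assertion obtained at a look-alike domain does not verify at the real RP. Assumptions: HMAC stands in for the key's ECDSA signature (so the RP stores the same secret in place of a public key), the `google.com` / `accounts-google.example` domains are constructed, and the browser's RP ID check is the simplified "host equals RP ID or ends with `.` + RP ID" rule.

```python
"""Why a credential-phishing proxy cannot relay a U2F/WebAuthn assertion.

Constructed simulation: SecurityKey, browser_get_assertion and rp_verify
are toys written for this example.  HMAC is a stand-in for ECDSA; the
binding of the assertion to rpId and to the browser-observed origin is
what the example demonstrates.
"""
import hashlib
import hmac
import json
import secrets

RP_ID = "google.com"                                   # constructed
REAL_ORIGIN = "https://accounts.google.com"            # constructed
PHISH_ORIGIN = "https://accounts-google.example"       # constructed look-alike


class SecurityKey:
    """Credentials are scoped per RP ID, as on a real U2F/FIDO2 key."""

    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        """Enrol with an RP; returns the 'public key' (HMAC secret here)."""
        self.creds[rp_id] = secrets.token_bytes(32)
        return self.creds[rp_id]

    def sign(self, rp_id, client_data_json):
        key = self.creds.get(rp_id)
        if key is None:
            return None, None            # no credential for this RP ID
        auth_data = hashlib.sha256(rp_id.encode()).digest()   # rpIdHash
        msg = auth_data + hashlib.sha256(client_data_json).digest()
        return auth_data, hmac.new(key, msg, "sha256").digest()


def host_of(origin):
    return origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]


def browser_get_assertion(key, origin, rp_id, challenge):
    """Browser side: refuses an rpId that the calling origin may not use,
    then records the real origin in clientDataJSON before the key signs."""
    host = host_of(origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise ValueError("rpId %r not valid for origin host %r" % (rp_id, host))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin},
        sort_keys=True).encode()
    auth_data, sig = key.sign(rp_id, client_data)
    if sig is None:
        return None
    return {"clientDataJSON": client_data,
            "authenticatorData": auth_data, "signature": sig}


def rp_verify(pubkey, assertion, expected_origin, rp_id, challenge):
    """Relying-party checks: type, challenge, origin, rpIdHash, signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != expected_origin:
        return False                     # a proxied login fails here
    if assertion["authenticatorData"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    msg = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(pubkey, msg, "sha256").digest()
    return hmac.compare_digest(expected, assertion["signature"])


def scenario(origin, rp_id_requested):
    """One login attempt: the key was enrolled at the real RP; the page at
    `origin` (real site or proxy) relays the RP's challenge and asks for
    an assertion scoped to `rp_id_requested`."""
    key = SecurityKey()
    pubkey = key.register(RP_ID)
    challenge = secrets.token_urlsafe(16)       # issued by the real RP
    try:
        assertion = browser_get_assertion(key, origin, rp_id_requested, challenge)
    except ValueError:
        return "browser refused"
    if assertion is None:
        return "no credential"
    ok = rp_verify(pubkey, assertion, REAL_ORIGIN, RP_ID, challenge)
    return "accepted" if ok else "rejected"


if __name__ == "__main__":
    print(scenario(REAL_ORIGIN, RP_ID))                      # accepted
    print(scenario(PHISH_ORIGIN, RP_ID))                     # browser refused
    print(scenario(PHISH_ORIGIN, "accounts-google.example")) # no credential
```

The three runs in the block are the three things a proxy can try: relay the real challenge from a look-alike origin while asking for the real RP ID (the browser refuses because the origin may not claim that RP ID), ask for its own RP ID (the key has no credential scoped to it), or, if it somehow obtained an assertion, forward it (the RP rejects the mismatched origin and rpIdHash). None of this protects the SMS/TOTP fallback the thread is asking how to remove, since those codes carry no origin.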