Royce Williams on Nostr:
When on desktop, Google prompts you to re-verify MFA for escalated privs. It prompts for your passkey/security key, and also sends a prompt to your phone.
But the phone prompt apparently has no way to "get the word" that the prompt was answered on the desktop. So the stale prompt just sits there indefinitely, with only "no this isn't me" or "yes this is me" as the options.
I say "stale" because you can pick up your phone an hour later and that prompt is still there, full screen - so you can't be sure when it arrived, and there's no indicator of what service is prompting you, geo location or ISP of the prompt, etc. (so it's unwise to hit "yes this is me"). But you also don't want to hit "no this isn't me", in case it was your legit login from an hour ago.
#mfa
Published at 2024-03-21 17:05:04
Event JSON
{
"id": "218c2e050b3cc8b9c03e0ebc91c44646e81e3adf61f77f9361d5a57226029cf8",
"pubkey": "fd78ea493e466e5403543ba50475e8acc79157ea3bab423b53f780a89c92423e",
"created_at": 1711040704,
"kind": 1,
"tags": [
[
"t",
"mfa"
],
[
"proxy",
"https://infosec.exchange/users/tychotithonus/statuses/112134763630342124",
"activitypub"
]
],
"content": "When on desktop, Google prompts you to re-verify MFA for escalated privs. It prompts for your passkey/security key, and also sends a prompt to your phone.\n\nBut the phone prompt apparently has no way to \"get the word\" that the prompt was answered on the desktop. So the stale prompt just sits there indefinitely, with only \"no this isn't me\" or \"yes this is me\" as the options. \n\nI say \"stale\" because you can pick your phone an hour later and that prompt is still there, full screen - so you can't be sure when it arrived, and there's no indicator of what service is prompting you, geo location or ISP of the prompt, etc. (so it's unwise to his \"yes this is me\"). But you also don't want to hit \"no this isn't me\", in case it was your legit login from an hour ago.\n\n#mfa",
"sig": "c7efabce8f5ef75d1e55c4f17bf8bffe700ca65ec273649d935d5e3dbac94c53f040ebf8609b0874b72abb243974d25fe86342aa4f0b3f8e76b88503f7ca813d"
}
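
The lifecycle the post finds missing, sketched as an added example (not from the original post, and not a description of Google's implementation): one step-up request fans out to several authenticators, a prompt carries its context and age, and answering on one device withdraws the others. The class, method names, the 120-second TTL and the sample service and location are all assumptions made for illustration.

```python
from dataclasses import dataclass

TTL = 120  # seconds a prompt stays answerable (assumed value)

@dataclass
class Challenge:
    method: str              # "security_key" or "phone_push"
    issued_at: float
    state: str = "pending"   # pending | approved | denied | superseded | expired

class StepUp:
    """One re-verification request fanned out to several authenticators."""
    def __init__(self, service, location):
        # Context shown to the user so a prompt can be judged on its merits.
        self.context = {"service": service, "location": location}
        self.challenges = {}

    def issue(self, method, now):
        self.challenges[method] = Challenge(method, now)

    def _refresh(self, ch, now):
        # Lazily expire a prompt that has outlived its TTL.
        if ch.state == "pending" and now - ch.issued_at > TTL:
            ch.state = "expired"
        return ch

    def prompt_for(self, method, now):
        """What the device should render; None means dismiss the prompt."""
        ch = self._refresh(self.challenges[method], now)
        if ch.state != "pending":
            return None
        return {**self.context, "age_seconds": int(now - ch.issued_at)}

    def answer(self, method, approve, now):
        ch = self._refresh(self.challenges[method], now)
        if ch.state != "pending":
            return "stale"   # late tap: grants nothing, raises no false alarm
        ch.state = "approved" if approve else "denied"
        if approve:
            for other in self.challenges.values():
                if other.state == "pending":
                    other.state = "superseded"   # withdraw sibling prompts
        return ch.state

def demo():
    s = StepUp("admin console", "Example City (constructed)")
    s.issue("security_key", now=0)
    s.issue("phone_push", now=0)
    first = s.prompt_for("phone_push", now=5)        # still live, shows context
    s.answer("security_key", True, now=10)           # answered on the desktop
    return first, s.prompt_for("phone_push", now=3600), s.answer("phone_push", False, now=3600)
```

With this model, the phone that polls `prompt_for` an hour later gets `None` and clears the screen, and a late "no this isn't me" tap is recorded as `stale` instead of denying the earlier legitimate login.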