
Peanuts99, yesterday at 6:20 PM

Proper Microsoft Authenticator setup is more secure than OTP because it's push-based and doesn't allow users to copy-paste their OTP codes into phishing sites. Google also prefers push-based MFA for this reason.


Replies

saintfire, today at 1:12 AM

Push-based, sure. Allowing SMS, I still hold, undermines all of this.

They "secure" this behind the password which you entered to trigger the SMS push in the first place.

Offering an "out" to a more secure flow means your secure flow may as well not exist.

Additionally, phishing a pushed OTP is not really much harder, since you can trigger the push and then just have the user finish off the flow for you, provided they don't read the IP or whatever you display to them (they won't; they think they're signing in). It's effectively the same as a TOTP.