Quote:
Originally Posted by Vendot
However, that's also another reason why you should consider TFA (Two Factor Authentication). The idea of TFA is to incorporate (a) something you know, i.e. a password, with (b) something you have, i.e. a mobile phone or token or something else. Therefore someone with your username and password alone is not going to get into your account.
2FA is a good extra defence (I have it enabled at Namesilo), but it's not infallible. If the phish site acts as a man-in-the-middle proxy, relaying everything between you and the real site, then when you enter your user/password/2FA through the phish site, they are now logged in as you, and will remain logged in until the registrar site decides on another 2FA challenge. The only way I can think to defeat this would be IP-based restrictions, with the registrar requiring further authentication action if you attempt to log in from a previously unseen IP.
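The IP-based restriction suggested in the reply above, as an added example (not code from the thread or from any registrar). The names `LoginPolicy`, `evaluate`, `confirm` and `network_of` are hypothetical, matching on a /24 (IPv4) or /48 (IPv6) network instead of a single address is an assumption to tolerate dynamic addresses, and the account and addresses are constructed sample data.

```python
import ipaddress

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Map an address to its enclosing network (prefix lengths are assumptions)."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

class LoginPolicy:
    """Hypothetical registrar-side policy: unseen network => further authentication."""

    def __init__(self):
        self.known = {}  # username -> set of networks confirmed for that account

    def evaluate(self, user, ip, password_ok, otp_ok):
        if not (password_ok and otp_ok):
            return "deny"
        if network_of(ip) in self.known.get(user, set()):
            return "allow"
        # Valid password and 2FA code, but from a network never confirmed for
        # this account: this is what a relayed login looks like to the registrar,
        # because it sees the relay's address rather than the owner's.
        return "step_up"

    def confirm(self, user, ip):
        """Record a network once the further authentication action has succeeded."""
        self.known.setdefault(user, set()).add(network_of(ip))

def demo():
    # Constructed sample data: documentation-range addresses, made-up account.
    policy = LoginPolicy()
    policy.confirm("alice", "203.0.113.10")          # owner's usual connection
    return [
        policy.evaluate("alice", "203.0.113.10", True, True),   # same address
        policy.evaluate("alice", "203.0.113.77", True, True),   # same /24
        policy.evaluate("alice", "198.51.100.7", True, True),   # unseen network
        policy.evaluate("alice", "198.51.100.7", True, False),  # bad 2FA code
    ]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```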