Quote:
Originally Posted by rowan
If you're logging in via the phish site, which then relays your username, password and a valid 2FA token to the registrar, they control your session.
Oh I see. Now I understand.
So if the domain site detects a login from an unusual IP location, that gets flagged and prompts the domain site to force a second 2FA request and require a second verification via logging in through the browser rather than an email link. Is this what you are saying? I do think it addresses something which people should be strongly advised against doing anyway, which is logging into their account via an email link.
It needs work but it's a good idea - I will also suggest this one.