Revisit and see if it's possible to setup a code-less Google or G Suite Account #24
Comments
Also, how does this experience, if there are no codes, work on iOS and Android? What if we exempted 2FA only during setup and then enforced it afterwards?
I also got a lot of this from here:
It looks like it is possible. If you visit this link on a Gmail account, it's a very friendly wizard to get started to disable the codes. If you visit this link on a G Suite account, it'll punt the friendliness but it'll point to this page about setting up Advanced Protection for G Suite. I don't think the email scanning checkboxes mentioned there will work against that calendar phishing attack though, but the "require security token" should be seriously effective. https://myaccount.google.com/advanced-protection/enroll/details?pli=1 I think what's left is to see if these options can cause credsniper to totally fail.
Loved your talk at Cactuscon. It's a great checklist to start off with. This is a follow-up issue to the question I asked.
As we discussed, the U2F method verifies the domain name before it hands over the unique code. Credsniper can't fake that part. It was a bit incredible to see the claim that this handles "all" 2FA but a quick investigation shows that this just punts those to the user-entered codes such as SMS/TOTP.
The question is:
Is it possible to set up a code-less Google or G Suite Account? No backup codes, no TOTP, no SMS.
Possible approaches/ingredients:
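To make the origin-binding point in this issue concrete, here is an added example (not code from this issue, Google, or Credsniper) that simulates the relying-party checks a U2F/WebAuthn server performs: the browser, not the page, reports the origin, and the key signs over that origin's RP ID hash, so an assertion obtained on a relaying proxy's lookalike origin fails at the real service. The signature uses an HMAC stand-in instead of ECDSA so it runs on the standard library, the full hostname is used as the RP ID, and the origins and key are constructed.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit

# Constructed stand-in for the security key's per-credential private key. A real
# U2F/WebAuthn key signs with ECDSA; HMAC is used only so this runs on the stdlib.
CREDENTIAL_KEY = os.urandom(32)


def authenticator_sign(origin, challenge):
    # Browser + security key: the browser reports the origin it is really on and
    # the key signs over the hash of that RP ID, so the page cannot lie about it.
    rp_id = urlsplit(origin).hostname  # full host used as RP ID for simplicity
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
        sort_keys=True,
    ).encode()
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, "sha256").digest()
    return {"client_data": client_data, "auth_data": auth_data, "signature": sig}


def rp_verify(assertion, expected_origin, challenge):
    # Relying-party checks: challenge, origin, rpIdHash, then the signature.
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
        return False
    if cd.get("origin") != expected_origin:
        return False
    rp_id = urlsplit(expected_origin).hostname
    if assertion["auth_data"] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(CREDENTIAL_KEY, signed, "sha256").digest()
    return hmac.compare_digest(assertion["signature"], expected)


def phishing_proxy_demo():
    # A relaying proxy forwards the real challenge, but the victim's browser is on
    # the proxy's origin, so the assertion is bound to the wrong RP ID and fails.
    real_origin = "https://accounts.google.com"
    proxy_origin = "https://accounts.google.com.lookalike.example"  # constructed
    challenge = os.urandom(16)
    genuine = rp_verify(authenticator_sign(real_origin, challenge), real_origin, challenge)
    relayed = rp_verify(authenticator_sign(proxy_origin, challenge), real_origin, challenge)
    return genuine, relayed  # -> (True, False)
```

Note that a code-based second factor (SMS/TOTP) has no such origin check, which is why a relaying proxy can simply forward it.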