I honestly did not give much thought to the difficulty of pulling such an attack off. With “not sophisticated” I just meant that it’s not complex to grasp: “you just have to pretend to be a different person”. I guess, yeah, that is pretty difficult.
Yeah, I mean, it’s often said that any second factor is better than just a password, so it’s probably not a big deal. My issue is mostly that it’s an attack vector that could easily be eliminated, for example if banks allowed third-party 2FA apps. I think I’ve read somewhere that some banks even only allow hardware keys for business accounts, which is honestly absurd.
My hope is actually that standard-compliant (that’s the important bit) hardware keys and passkeys, e.g. WebAuthn, get more broadly accepted. This way open-source and open-hardware solutions, e.g. NitroKey, would allow anybody on any OS supporting those standards (which does include Linux without proprietary blobs, AFAICT) to work.