Wednesday’s post said that the breached employee accounts were protected by 2FA, which typically requires people to take an extra step beyond entering a password when accessing an account from a new computer. In most cases, the extra step is entering a one-time password (OTP) that is either sent to a mobile phone or generated on it by an authenticator app. More secure still is 2FA in which a hardware security key attached to the device performs a cryptographic challenge-response, so no secret is ever typed or transmitted over a phone network. The 2FA protecting the Reddit accounts, however, relied on OTPs sent through SMS messages, despite reports over the years (such as this one) that make it amply clear that SMS messages are susceptible to interception: the weakness is not the OTP itself but the delivery channel it travels over.