[liberationtech] Time validation for 2-step verification codes

Bill Woodcock woody at pch.net
Wed Aug 27 09:45:00 PDT 2014


On Aug 27, 2014, at 8:29 AM, Amin Sabeti <aminsabeti at gmail.com> wrote:
> Recently, a bunch of Iranian journalists/activists have been targeted by Iranian hackers.
> Some of them said their 2-step verification was active during the attack, but the hacker could reuse the code that was sent by Google via SMS and passed 2-step verification!
> I was wondering if some folks here know the validation time for the 2-step verification code that users receive through SMS, not the app.

I just checked with Google security, and this was the response:

> I think the code lasts as long as the one displayed on a phone... I
> suspect that even in the case where the code is 'short lived' getting
> it over SMS is considered 'insecure' and really, really not the best
> plan :(
> 
> android/i-device/blackberry all have OTP apps that work with google's
> 2-step, suggest that they use that instead of sms?

…for the same reasons Richard Brooks outlined in his reply.

                                -Bill






