Terr_ 9 hours ago [-]
This isn't the "new thing to worry about" being emphasized, but:
> You chose to use a “sign in with <service>” login when you had to create an account, and it sent you through a realistic-looking login flow: a real-seeming Google/iCloud page, perhaps with your email already filled in. When you logged in to this site they used your entered password and subsequent “tap yes on your device” 2FA flow to log in to your account on their end (saving the session cookies), and made it look like a successful login on your end.
The security-hygiene rule to prevent this (which, alas, requires consistency and paranoia) is that passwords may only be entered into Google/iCloud/etc. when you directly visit the provider's site.
Once you know your browser is authenticated to the SSO provider, you reload the target page (e.g. the NDA signing platform) and expect that you will never need to enter a password again.
noisem4ker 7 hours ago [-]
The fact that your password manager wouldn't offer to fill in the password field of the fake login page (due to the domain being unknown) should make you raise an eyebrow.
Terr_ 3 hours ago [-]
I say "hygiene" because--like handwashing after the toilet--it's something everyone can do without particular tools or expertise.
Archetypal Aunt Tillie's "password manager" will be a handwritten piece of paper, but the rule of "only log in with this bookmark and assume other prompts are lies" will still work.
figassis 3 hours ago [-]
This. Depending on your policy or org's policy, your auth session may be short-lived. Going to Google to log in and come back every hour is a worse experience. Use your password manager. It will bind the credentials to the domains.
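Added example, not code from this thread or any of its posters, of the domain-binding check noisem4ker and figassis describe: a manager offers a saved login only when the page's registrable domain matches the one the credential was saved on, so a lookalike phishing host gets no autofill. The vault entries, URLs and the tiny public-suffix list are constructed for illustration.

```python
"""Minimal model of a password manager's domain-binding check before autofill.
All vault entries, URLs and the suffix list are constructed sample data.
"""
from urllib.parse import urlsplit

# Constructed vault: saved logins keyed by the registrable domain they were saved on.
VAULT = {
    "google.com": {"username": "aunt.tillie@gmail.com"},
    "icloud.com": {"username": "aunt.tillie@icloud.com"},
}

# Tiny stand-in for the Public Suffix List; real managers ship the full list.
PUBLIC_SUFFIXES = {"com", "co.uk", "net", "org", "example"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of host, e.g. "accounts.google.com" -> "google.com"."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        # The first position whose tail is a public suffix marks the boundary.
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return ".".join(labels)


def autofill_candidate(page_url: str):
    """Return the saved entry a manager would offer for page_url, or None.

    "accounts-google.com.evil.example" has registrable domain "evil.example",
    so no entry matches and the fake login page gets nothing filled in.
    """
    parts = urlsplit(page_url)
    # Never fill on plain HTTP: the credential could be read or altered in transit.
    if parts.scheme != "https" or not parts.hostname:
        return None
    return VAULT.get(registrable_domain(parts.hostname))


if __name__ == "__main__":
    for url in (
        "https://accounts.google.com/signin",
        "https://accounts-google.com.evil.example/signin",
        "http://accounts.google.com/signin",
    ):
        print(url, "->", autofill_candidate(url))
```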
metalman 2 hours ago [-]
Having hustled the mean streets in my teens and twenties, my sense of "no not right" is finely tuned, though I now have a business that puts my number on the net, several times and as the only customer facing person, I answer the fucking phone and do my best to be helpful, polite, every time. I now have worked out a smooth method to deflect and decline, unless it is clearly ai, and I pull the plug as they "refine" the model bit by bit and close off "loopholes", but by then it's so vague as to be clearly struggling, so hanging up is the only option I have time for, but they still get 12 seconds.