With TOTP, it is possible to intercept the code using a reverse proxy. This has always been the case and for a long time there have been open source packages that make this fairly easy.
If you set up a reverse proxy on pr0t0nmail.com, for example (zeros instead of o's), which forwards everything to the real domain, you can intercept the code. Or even easier: you don't even need the code, because you can intercept and reuse the session cookie.
So if you can get someone to go to pr0t0nmail.com with a phishing email, and all of their traffic passes through the proxy, you are in, because there is no TOTP "check" against the domain the code is entered on.
Like I said, there were already open source packages available for reverse proxy phishing which make this fairly easy for the "big players" like Facebook, Office 365, etc. But with enough knowledge, anyone can do this for almost any site using TOTP. And it got worse this year, because now there are a number of services where everything is taken care of for you: Phishing as a Service.
Any script kiddie can do this for little money without knowing how it works. Pay, register a domain, run a script and voilà: a phishing site is complete and up and running with TOTP support (and other OTP mechanisms too, like push notifications on your phone).
Just read this: https://resecurity.com/b…ypass-emerged-in-dark-web
It even comes with a video tutorial with the steps for a Microsoft phishing site. The video is 4 minutes long and includes the screens that the user (the victim) sees…
U2F/FIDO protects against this because it is a client/server model in which the key is bound to the domain. When the client (your web browser in this case) talks to pr0t0nmail.com, the authenticator has no key registered for that domain, so no authentication can be done. Voilà, you don't have to worry! (Ok, only a little, because the phishing site still intercepted your username and password. So hopefully your password is unique….)
That's why I always use my YubiKey on any important site that has support for it. And I have my important domains on Protonmail, so I'm using my YubiKey there now too. Although it still has TOTP as a backup, it's still more secure because I only use the YubiKey, and if that doesn't work, I know something is going on.
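To make the difference concrete, here is an added example (not code from the post, Proton, or any vendor) of what the server sees in both cases: a TOTP check only receives a six-digit string with nothing tying it to a site, while a WebAuthn/FIDO assertion carries the origin the browser was actually talking to, so a relay through the look-alike domain is rejected. The domains, challenge, and secret are constructed for the demo; the browser-side rule that the authenticator has no credential for pr0t0nmail.com at all is the other half of the protection and is not simulated here.

```python
import base64, hashlib, hmac, json, struct, time

# Constructed assumption: the real site and the proxy domain from the post.
RP_ORIGIN = "https://protonmail.com"
PHISH_ORIGIN = "https://pr0t0nmail.com"

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def server_checks_totp(secret: bytes, submitted: str, now: int) -> bool:
    # The server only sees the digits. Nothing in them says which site the
    # user typed them into, so a code relayed by the proxy is accepted.
    return hmac.compare_digest(totp(secret, now), submitted)

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_client_data(origin: str, challenge: str) -> str:
    # What the browser produces when the page at `origin` calls
    # navigator.credentials.get(); page script cannot override "origin",
    # and the authenticator's signature covers a hash of this JSON.
    cd = {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    return base64.urlsafe_b64encode(json.dumps(cd).encode()).decode().rstrip("=")

def server_checks_webauthn(client_data_b64: str, expected_challenge: str) -> bool:
    """Relying-party side of a WebAuthn assertion, reduced to the fields that
    defeat the proxy: type, the challenge we issued, and the browser's origin."""
    data = json.loads(b64url_decode(client_data_b64))
    return (data.get("type") == "webauthn.get"
            and data.get("challenge") == expected_challenge
            and data.get("origin") == RP_ORIGIN)

if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed sample value
    now = int(time.time())
    chal = "constructed-challenge-123"    # constructed sample value
    # The code the victim typed on pr0t0nmail.com works on the real site:
    print("TOTP via proxy accepted:", server_checks_totp(secret, totp(secret, now), now))
    # The same challenge relayed by the proxy fails, because origin differs:
    print("WebAuthn direct accepted:", server_checks_webauthn(make_client_data(RP_ORIGIN, chal), chal))
    print("WebAuthn via proxy accepted:", server_checks_webauthn(make_client_data(PHISH_ORIGIN, chal), chal))
```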