Comment by patrakov
3 months ago
No. It only proves that TOTP, as implemented by mobile apps, is useless against phishing.
The extension from https://authenticator.cc, with smart domain match enabled, would have caught this by showing all other TOTP codes besides the one intended by NPM.
On a Mac, Keychain would also have caught this by not autofilling: https://support.apple.com/en-ph/guide/passwords/mchl873a6e72...
No comments yet
Contribute on Hacker News ↗