At least in theory, it's actually relatively simple to mount a phishing site against 2FA. Imagine you browse to a phishing site ( that looks like the Google login page. It asks you for email, and then password. The phising site then tries to log in as you into the real Google, but receives an error of 2FA required. It then prompts you for the 2FA token, and you enter the token. The phishing site can forward the token to Google and complete the login.

In practice, there are a lot of details that make such a phishing site pretty hard to build against Google itself, but you get the idea.

The point of security keys and U2F is that they sign a one-time code AND the domain of the site that you're visiting. So, even if the phishing site forwards this signature to Goolge, the signature will be invalid (in contains instead of Does this makes sense?


Forging the Everdragons2 NFT. Former security at Pinterest.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store