
Bad 2FA

When you log in, hit forgot password, type in your email address, click the change password link, change the password and hit the button. Now you are logged in to the NextDNS account. BUT YOU DID NOT ENTER A 2FA CODE. This bypasses the 2FA code. Stupid 2FA security.

4 replies

    • Calvin_Hobbes
    • 1 yr ago

    Well, if someone already has access to your email account, yeah… That’s the least of your worries. Once your email has been compromised just about every account you have could be owned.

      • Pro subscriber ✓
      • DynamicNotSlow
      • 1 yr ago

      Calvin Hobbes doesn't change the fact that this kind of 2FA bypass is weak and should be fixed.

      • Chris_Leidich
      • 1 yr ago

      Calvin Hobbes Agree - in this case your access to a separate, related account (your email) which is also protected by a separate MFA acts as the second factor. A prompt on NextDNS after clicking the link would not hurt but would be redundant.

      • iOS Developer
      • Rob
      • 1 yr ago

      Chris Leidich But isn’t e-mail more like a postcard that “anyone” (any of the hubs between NextDNS and your mail provider) can read (and thus click the link) while it is in transit?

      (Without knowing the password/2FA of your mail account)
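
The behaviour debated in this thread, as an added Python example that is not from any poster and is not NextDNS code: a password-reset flow in which a valid emailed link changes the password but yields only a short-lived ticket, which must be exchanged together with a TOTP code for a session. The `Accounts` class, its method names, the TTLs and the `enforce_2fa` switch are assumptions made for illustration.

```python
import hashlib, hmac, secrets, struct

def totp(secret, at, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, standard library only."""
    mac = hmac.new(secret, struct.pack(">Q", int(at // step)), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    num = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(num % 10 ** digits).zfill(digits)

def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

class Accounts:
    """Hypothetical in-memory account store (illustration only)."""
    def __init__(self):
        self.users, self.resets, self.pending = {}, {}, {}

    def add_user(self, email, password, totp_secret=None):
        salt = secrets.token_bytes(16)
        self.users[email] = {"salt": salt, "pw": _pw_hash(password, salt), "totp": totp_secret}

    def request_reset(self, email, now):
        token = secrets.token_urlsafe(32)            # would be mailed as a link
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.resets[digest] = (email, now + 900)     # store only the hash, 15 min TTL
        return token

    def complete_reset(self, token, new_password, now, enforce_2fa=True):
        digest = hashlib.sha256(token.encode()).hexdigest()
        email, expiry = self.resets.pop(digest, (None, 0))   # link is single use
        if email is None or now > expiry:
            return ("rejected", None)
        user = self.users[email]
        user["salt"] = secrets.token_bytes(16)
        user["pw"] = _pw_hash(new_password, user["salt"])
        if user["totp"] and enforce_2fa:
            ticket = secrets.token_urlsafe(32)       # proves the reset, not a login
            self.pending[ticket] = (email, now + 300)
            return ("needs_2fa", ticket)
        # enforce_2fa=False reproduces what the first post reports: session, no code
        return ("session", secrets.token_urlsafe(32))

    def finish_login(self, ticket, code, now):
        # pop: one guess per ticket; afterwards the user logs in normally
        email, expiry = self.pending.pop(ticket, (None, 0))
        if email is None or now > expiry:
            return None
        expected = totp(self.users[email]["totp"], now)
        if not hmac.compare_digest(expected.encode(), code.encode()):
            return None
        return secrets.token_urlsafe(32)             # full session only after the code
```

With `enforce_2fa=True`, reading or clicking the emailed link is enough to change the password but not to obtain a session, which is the distinction the replies argue over.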
