
Domain Matching 2FA

Truly unphishable authentication doesn't exist, but it is possible to make deception harder. This post presents an approach that eliminates some potential attacks.

TL;DR: Number matching 2FA with domains instead of numbers

Let's look at an example of number matching 2FA:

number matching 2FA requires the user to enter the code shown on the site into an authenticator app (Source)

This is more secure than ordinary push 2FA, but a user who doesn't read the hostname can still be phished: a phishing site that proxies the real login page can simply display the same number, and the user will type it into the app. Domain matching 2FA closes this gap by replacing the number with a domain: the user types the hostname they see in the browser's URL bar, and the server only approves the login if it is the legitimate one.
Let's take a look at this in action.

domain matching 2FA requires the user to enter the domain shown by the browser into an authenticator app

Here are a couple of notes:

What if I don't want to buy a bunch of domains?

Really? Huh. I guess that makes sense: not everyone likes buying domains for side projects that are never finished. Luckily, there is an alternative approach that you have probably already thought of.

domain matching with the path instead of the hostname

This definitely won't confuse anyone.

This approach is weaker than the previous example: the code lives in the path, and a phishing site can serve the same path under its own hostname, so a matching path no longer proves which site the user is on. It does still force the user to look at the URL bar, where the hostname is, which is more than a bare number does.
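To make the difference between the three variants concrete, here is an added example (not code from this post) that simulates number matching, the path variant just described, and domain matching against an adversary-in-the-middle phishing proxy that relays the real login. The hosts accounts.example.com and accounts-example.com, the AuthServer class and the helper functions are all assumptions made for the illustration.

```python
"""Toy push-2FA server with three prompt modes plus an AiTM phishing relay.
Added example; hosts, session values and function names are constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

LEGIT_HOST = "accounts.example.com"   # assumption: the real login host
PHISH_HOST = "accounts-example.com"   # assumption: the attacker's lookalike host


def normalize_host(typed: str) -> str:
    """Turn whatever the user typed into a comparable ASCII hostname.

    Accepts a bare host or a pasted URL, lowercases, strips whitespace and a
    trailing dot, and IDNA-encodes so a pasted Unicode lookalike is compared
    by its punycode form rather than by how it renders."""
    typed = typed.strip()
    if "://" in typed:
        typed = urlsplit(typed).hostname or ""
    typed = typed.lower().rstrip(".")
    try:
        return typed.encode("idna").decode("ascii")
    except UnicodeError:
        return ""  # unencodable input can never equal a real host


class AuthServer:
    """Issues pending push approvals and checks what the user typed in the app."""

    def __init__(self, host: str) -> None:
        self.host = host
        self.pending = {}  # session id -> (mode, expected value)

    def start_login(self, mode: str):
        """Create a pending approval; returns (session_id, value shown on the page).

        "number": a two-digit code is displayed on the page.
        "path":   the code is embedded in the page URL's path.
        "domain": nothing extra is shown; the browser's URL bar is the prompt."""
        sid = secrets.token_urlsafe(16)
        if mode == "number":
            shown = expected = f"{secrets.randbelow(100):02d}"
        elif mode == "path":
            shown = expected = f"/login/{secrets.token_hex(4)}"
        elif mode == "domain":
            shown, expected = "", self.host
        else:
            raise ValueError(f"unknown mode {mode!r}")
        self.pending[sid] = (mode, expected)
        return sid, shown

    def approve(self, sid: str, typed: str) -> bool:
        """Called by the authenticator app with the user's input; single use."""
        entry = self.pending.pop(sid, None)
        if entry is None:
            return False
        mode, expected = entry
        if mode == "domain":
            typed = normalize_host(typed)
        # constant-time compare; unequal lengths simply compare unequal
        return hmac.compare_digest(expected.encode(), typed.encode())


def _user_input(mode: str, shown: str, url_bar: str) -> str:
    """What a user who follows the prompt literally types into the app."""
    if mode == "number":
        return shown                          # the code on the page
    if mode == "path":
        return urlsplit(url_bar).path         # the path in the URL bar
    return urlsplit(url_bar).hostname or ""   # the hostname in the URL bar


def honest_login(mode: str) -> bool:
    """No attacker: the user is really on LEGIT_HOST; must succeed in every mode."""
    server = AuthServer(LEGIT_HOST)
    sid, shown = server.start_login(mode)
    url_bar = f"https://{LEGIT_HOST}{shown if mode == 'path' else '/login'}"
    return server.approve(sid, _user_input(mode, shown, url_bar))


def phish(mode: str) -> bool:
    """AiTM relay: the attacker starts a real login and mirrors it on PHISH_HOST,
    reusing the displayed number or path. Returns True if the attacker gets in."""
    server = AuthServer(LEGIT_HOST)
    sid, shown = server.start_login(mode)     # relayed from the real server
    url_bar = f"https://{PHISH_HOST}{shown if mode == 'path' else '/login'}"
    return server.approve(sid, _user_input(mode, shown, url_bar))


if __name__ == "__main__":
    for m in ("number", "path", "domain"):
        print(f"{m:7s} honest={honest_login(m)} phished={phish(m)}")
```

Only the domain mode rejects the relayed login, because it is the one value the attacker cannot copy onto its own site; the path variant passes exactly like a bare number does. The IDNA step helps only when the user pastes the lookalike string; a user who retypes an identically rendered homoglyph domain with Latin letters will produce the legitimate name, so the scheme still depends on the browser's IDN display policy and on the user actually reading the URL bar.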

A Short Conclusion

This is probably worth looking into further. After doing incredibly thorough research (a single search and asking ChatGPT), I wasn't able to find any previous work on this. It seems like a pretty obvious idea, so feel free to email me if you find any.