You can't reliably fix this as a website. You can try to resolve this on the client by using the websites origin as part of the 2FA challenge (which is what U2F does) but ultimately there's no good, universal solution for this.
It's also important to note that 2FA was never meant to solve phishing, it was meant to solve password reuse. Phishing is still pretty much unsolved.
> One of such defenses I uncovered during testing is using javascript to check if window.location contains the legitimate domain. These detections may be easy or hard to spot and much harder to remove, if additional code obfuscation is involved.
7 comments
[ 19.0 ms ] story [ 192 ms ] threadIt's also important to note that 2FA was never meant to solve phishing, it was meant to solve password reuse. Phishing is still pretty much unsolved.
https://github.com/UndeadSec/EvilURL - Generate unicode evil domains for IDN Homograph Attack and detect them.
https://github.com/elceef/dnstwist - Domain name permutation engine for detecting typo squatting, phishing and corporate espionage
Then, either buy (if you can afford them all) or block them (don't serve your pages to these domains )
> One of such defenses I uncovered during testing is using javascript to check if window.location contains the legitimate domain. These detections may be easy or hard to spot and much harder to remove, if additional code obfuscation is involved.