One of my old, rarely used computers still had an old password for my pyszne.pl / takeaway.com account stored in my browser's password manager. I tried to log into my account from that computer and saw a page saying that a one-time password had been sent to the email address associated with the account I was trying to use. I needed to provide this OTP before continuing.
I waited about 5 minutes until the OTP popped up in my mailbox, and after providing it I was a bit shocked to see a message that the password I had provided was incorrect. Checking the browser's password manager confirmed this.
What am I missing here? What is the reason (or possible advantage) for sending the OTP after validating only that the username (email address) exists, but before verifying the password?
In all the systems I have used so far, except this one, it was exactly the opposite: first authenticate the user by checking the provided password, and only if it is correct, send the OTP to their email address.
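The two login orderings contrasted in the question, side by side as an added Python sketch (not code from the original post or from pyszne.pl / takeaway.com); the account store, the password-hash placeholder and the mail outbox are constructed for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    password_hash: str

@dataclass
class Outcome:
    otp_sent: bool   # did this attempt cause an OTP e-mail to be sent?
    status: str      # what the user-visible response says

def hash_password(pw: str) -> str:
    # Placeholder only; a real system uses a slow KDF such as argon2 or bcrypt.
    return hashlib.sha256(pw.encode()).hexdigest()

# Constructed user store with a single account.
USERS = {"alice@example.test": Account("alice@example.test", hash_password("correct-horse"))}

def verify_password(acct: Account, pw: str) -> bool:
    return hmac.compare_digest(acct.password_hash, hash_password(pw))

def send_otp(email: str, outbox: list) -> str:
    code = f"{secrets.randbelow(10**6):06d}"
    outbox.append((email, code))      # stands in for the outgoing mail queue
    return code

def login_otp_first(email: str, password: str, outbox: list) -> Outcome:
    """Order observed in the question: an OTP is mailed as soon as the e-mail
    matches an account; the password is only checked after the OTP step."""
    acct = USERS.get(email)
    if acct is None:
        return Outcome(False, "unknown account")  # response reveals whether the address is registered
    send_otp(email, outbox)                        # mail goes out even for a wrong password
    if not verify_password(acct, password):
        return Outcome(True, "wrong password")
    return Outcome(True, "ok")

def login_password_first(email: str, password: str, outbox: list) -> Outcome:
    """Conventional order: password verified first, OTP mailed only when it passes."""
    acct = USERS.get(email)
    if acct is None or not verify_password(acct, password):
        return Outcome(False, "invalid credentials")  # same answer for unknown address and wrong password
    send_otp(email, outbox)
    return Outcome(True, "ok")
```

Run both functions with a wrong password against the same address: the first flow has already queued an e-mail and told the caller whether the address exists, the second has done neither.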
http://dlvr.it/RzBQjV