Riot Games deployed multifactor auth in basically the worst way they could:

1) *only* email 2FA is supported, no TOTP
2) The code is shown in the subject line, making it trivial to steal from streamers, or participants in a video call, or anybody who can wake up a target's phone (no unlock needed)
3) Enrolling your account forwards you through an absolute fuckton of redirects to unrelated domains, including sites for Riot's other games, and their eSpOrTs site.

Abysmal failure.


Now, they did exactly one thing right:

They don't ask permission to send the code when you log in. They just send it.

Asking things like "Where would you like us to send the code?" or "Is it alright if we send you the code?" gives an attacker a chance to back out before the notification alerts the account owner to the potential breach.

Your auth systems should make attackers noisy. We like noisy attackers.
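
The two design points above as an added example (not part of the original post, and not Riot's code): the code is mailed the moment the password checks out, with no confirmation prompt in between, and it stays out of the subject line. The account record, sender address, TTL and function names are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time
from email.message import EmailMessage

CODE_TTL = 300  # seconds a code stays valid; assumed value

def _kdf(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(email, password):  # hypothetical in-memory account record
    salt = secrets.token_bytes(16)
    return {"email": email, "salt": salt, "pw_hash": _kdf(password, salt)}

def build_code_email(to_addr, code):
    msg = EmailMessage()
    msg["To"] = to_addr
    msg["From"] = "no-reply@example.invalid"  # constructed sender
    # Subject lines show up in lock-screen previews and shared screens,
    # so the code goes in the body only.
    msg["Subject"] = "Your sign-in verification code"
    msg.set_content(f"Sign-in code: {code}\n"
                    "If you did not just try to sign in, change your password.")
    return msg

def start_login(account, password, send, now=time.time):
    """Password accepted -> mail the code at once, no 'may we send it?' step."""
    if not hmac.compare_digest(_kdf(password, account["salt"]), account["pw_hash"]):
        return {"state": "denied"}
    code = f"{secrets.randbelow(10**6):06d}"
    # Keep only a digest and an expiry; the plaintext code lives in the mail.
    account["pending"] = (hashlib.sha256(code.encode()).digest(), now() + CODE_TTL)
    # Sending here means anyone holding a stolen password cannot reach the
    # second-factor screen without the owner getting this mail.
    send(build_code_email(account["email"], code))
    return {"state": "code_required"}

def finish_login(account, code, now=time.time):
    pending = account.pop("pending", None)  # single use: one guess per code
    if pending is None or now() > pending[1]:
        return False
    return hmac.compare_digest(hashlib.sha256(code.encode()).digest(), pending[0])
```

`send` is any callable that delivers an `EmailMessage`, so the flow can be exercised with a list's `append` before wiring it to a real mailer.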

