🎣Phishing Resistance
This page describes phishing, how OTP Guard protects against certain attacks, and areas to be aware of.
Phishing is a type of online scam where criminals trick people into providing sensitive information like passwords, credit card numbers, or personal details. They usually do this by pretending to be a trustworthy source, like a bank, a popular website such as OTP Guard, or even someone you know.
OTP Guard features multiple layers of resistance to protect you and your organization against phishers and other attackers. This page describes some phishing vectors to be aware of, and how OTP Guard can help guard against them.
GitHub OAuth
GitHub OAuth is the login mechanism for OTP Guard.
The OAuth login screen itself could be impersonated as part of a phishing scam - users could be tricked into giving up their GitHub credentials, which in turn could be used to access OTP Guard.
To minimize the risks of a GitHub credential leak, whether through phishing or some other compromise, ensure 2FA is enabled for all GitHub accounts and follow GitHub security best practices. Ideally, 2FA would be in the form of a phishing-resistant security key or passkey. When logging in with GitHub, always check that the URL says github.com.
If GitHub credentials are compromised anyway, an attacker could gain access to OTP Guard. However, they would not be able to register new authenticators or authorize PRs, due to the step-up authentication built into OTP Guard.
Phishing GitHub is hard. Phishing both GitHub and OTP Guard is even harder, which substantially raises the barrier to entry for attackers.
Security Images
Phishers do not generally have access to credentials for the target site - usually that is the thing they are trying to gain. OTP Guard includes security images as a phishing-resistance measure. Without valid session credentials, the phisher would not be able to generate correct OTP Guard security images, and the phishing site should immediately appear suspicious.
If the security image does not appear correct, look closely at the URL in the browser - it should begin with https://dash.otpguard.com.
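The two URL checks above (github.com for the OAuth screen, https://dash.otpguard.com for the dashboard) are easy to get wrong if done by eye or by a simple "starts with" comparison, because a different host can begin with the same characters. The following is an added example, not OTP Guard's own code, showing the difference between a prefix check and an exact hostname comparison on the parsed URL. The host names are those named on this page; the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Expected login hosts named on this page.
GITHUB_HOST = "github.com"
OTP_GUARD_HOST = "dash.otpguard.com"


def is_expected_login_url(url: str, expected_host: str) -> bool:
    """Return True only if url is HTTPS and its hostname is exactly expected_host.

    The URL is parsed so that the scheme, userinfo, port and path are separated
    from the host before comparing; only the host is compared, and it must match
    exactly rather than merely start with the expected text.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # lowercased; port and any user@ prefix are stripped
    if host is None:
        return False
    return host.rstrip(".") == expected_host


def naive_prefix_check(url: str, expected_host: str) -> bool:
    """The weak check: does the address bar text start with https://<host>?

    Kept here only to show what it accepts that the exact comparison rejects.
    """
    return url.startswith("https://" + expected_host)


if __name__ == "__main__":
    # Constructed sample URLs for illustration.
    samples = [
        "https://github.com/login",
        "https://dash.otpguard.com/",
        "https://dash.otpguard.com.example.test/",   # same prefix, different host
        "https://github.com@example.test/login",     # userinfo before the real host
        "http://github.com/login",                   # not HTTPS
    ]
    for url in samples:
        host = GITHUB_HOST if "github" in url else OTP_GUARD_HOST
        print(f"{url:48} prefix={naive_prefix_check(url, host)!s:5} "
              f"exact={is_expected_login_url(url, host)}")
```

The exact comparison uses `urlsplit(...).hostname`, which already lowercases the host and discards port and userinfo, so a URL whose host is a longer lookalike, or that places github.com before an `@`, is rejected while the prefix check accepts both.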
WebAuthn
Configuring OTP Guard with a WebAuthn authenticator - either a passkey or security key - makes phishing unlikely, since the authenticator is tied to the dash.otpguard.com domain. This is enforced by the browser.
Existing WebAuthn authenticators would not work on a phished site. It is possible that someone could register a new authenticator and not notice it was for a different site. However, they would not be signing anything of value related to OTP Guard, because they cannot actually update anything within OTP Guard itself, or set anything in GitHub related to OTP Guard, such as PR checks.
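The domain binding described above is visible on the relying-party side: the browser writes the page origin into clientDataJSON, the authenticator puts SHA-256 of the relying party ID into authenticatorData, and both are covered by the assertion signature, so a relying party for dash.otpguard.com rejects anything produced on another origin. The following is an added example, not OTP Guard's own verification code, that performs those binding checks from the WebAuthn assertion-verification procedure (type, challenge, origin, rpIdHash, user-presence flag). It assumes the relying party ID is dash.otpguard.com and the expected origin is https://dash.otpguard.com, as the page states; the sample clientDataJSON and authenticatorData are constructed inline, and signature verification against the stored public key, which a real relying party does next, is not part of this snippet.

```python
import base64
import hashlib
import json
from typing import Tuple

# Relying party values taken from this page.
RP_ID = "dash.otpguard.com"
EXPECTED_ORIGIN = "https://dash.otpguard.com"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion_binding(client_data_json: bytes, authenticator_data: bytes,
                             expected_challenge: bytes, rp_id: str = RP_ID,
                             expected_origin: str = EXPECTED_ORIGIN) -> Tuple[bool, str]:
    """Run the origin/rpId binding checks a relying party applies to an assertion.

    Returns (accepted, reason). Signature verification is out of scope here.
    """
    try:
        client_data = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if client_data.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    # The browser sets origin; page script cannot override it.
    if client_data.get("origin") != expected_origin:
        return False, f"origin mismatch: {client_data.get('origin')!r}"
    if len(authenticator_data) < 37:
        return False, "authenticatorData too short"
    # authenticatorData = rpIdHash(32) || flags(1) || signCount(4) || ...
    if authenticator_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match relying party"
    if not authenticator_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "assertion is bound to the expected origin and rpId"


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed sample of the clientDataJSON a browser emits for a get() call."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url_encode(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def make_authenticator_data(rp_id: str, flags: int = 0x01, sign_count: int = 1) -> bytes:
    """Constructed sample authenticatorData for the given relying party ID."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


if __name__ == "__main__":
    challenge = bytes(range(32))  # constructed; a real RP uses a random per-ceremony value
    genuine = verify_assertion_binding(make_client_data(EXPECTED_ORIGIN, challenge),
                                       make_authenticator_data(RP_ID), challenge)
    lookalike = verify_assertion_binding(
        make_client_data("https://dash.otpguard.com.example.test", challenge),
        make_authenticator_data("dash.otpguard.com.example.test"), challenge)
    print("genuine site :", genuine)
    print("lookalike    :", lookalike)
```

In practice the browser never offers a credential registered for dash.otpguard.com to a page on another origin at all, so the origin mismatch path is the backstop rather than the first line of defence; the snippet shows why a relayed assertion would still fail even if it reached the server.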
TOTP
TOTP codes - the six-digit codes displayed by apps such as Google Authenticator - are vulnerable to phishing, since a code can be relayed by the phisher to OTP Guard. However, the phisher would still need a valid OTP Guard session cookie to relay the code, which requires a GitHub credential compromise.
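The contrast with WebAuthn is in what the verifier receives. A TOTP verifier is given only a shared secret, a code and the current time; nothing in the code records where it was typed, so a code obtained on one site verifies on another for as long as the time window allows. The following is an added example, not OTP Guard's own code, implementing HOTP (RFC 4226) and TOTP (RFC 6238) with SHA-1 and 30-second steps, using the RFC test secret "12345678901234567890" so the values can be checked against the published vectors. The `relay_scenario` helper and the one-step tolerance window are assumptions for illustration, not OTP Guard parameters.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 test secret (ASCII), used here so outputs match the RFC vectors.
RFC_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at_unix_time // step, digits)


def verify_totp(secret: bytes, code: str, at_unix_time: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Accept the code for the current step and +/- `window` adjacent steps (clock drift).

    The inputs are the secret, the code and the time only; there is no notion of
    the origin the user typed the code into.
    """
    for delta in range(-window, window + 1):
        candidate = totp(secret, at_unix_time + delta * step, step)
        if hmac.compare_digest(candidate, code):
            return True
    return False


def relay_scenario(secret: bytes, shown_at: int, relay_delay_seconds: int) -> bool:
    """Code displayed to the user at `shown_at` and forwarded to the real verifier
    `relay_delay_seconds` later. Returns whether the verifier accepts it, which
    depends only on the delay fitting inside the tolerance window."""
    code_typed_by_user = totp(secret, shown_at)
    return verify_totp(secret, code_typed_by_user, shown_at + relay_delay_seconds)


if __name__ == "__main__":
    print("TOTP at T=59 :", totp(RFC_SECRET, 59))            # RFC 6238 vector 94287082, last 6 digits
    print("relay +20s   :", relay_scenario(RFC_SECRET, 59, 20))
    print("relay +120s  :", relay_scenario(RFC_SECRET, 59, 120))
```

This is why the page's remaining barrier for TOTP is the session cookie rather than the code itself: the verifier cannot distinguish a relayed code from one typed directly, so the protection comes from the phisher having no authenticated OTP Guard session in which to submit it.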