Logging in by entering an email address or phone number and typing back the 6-digit code that is sent to it is the 'worst password system', an engineer argues, and needs to be replaced immediately



When logging in to an app or service, you are often asked to authenticate by entering your email address or phone number and then a one-time password that is sent to it by email or text message. Engineer Daniel Huang points out that this kind of login flow is extremely dangerous for account security.

We replaced passwords with something worse | Blog - Daniel Huang

https://blog.danielh.cc/blog/passwords



'Two-factor authentication', in which you log in not only by entering a password on the login screen but also with a verification code sent to your email address or phone number, is widely regarded as a strong security measure. However, according to the security company Double Octopus, two-factor authentication of this kind is only slightly better than a password alone and is almost meaningless against hackers.

'Two-factor authentication' using authentication numbers sent to phone numbers is no longer safe - GIGAZINE



While two-factor authentication at least strengthens a password somewhat, some login flows go further and let users log in with nothing more than their registered email address or phone number and a disposable code sent there, for example when they have forgotten their password. Huang calls this login flow a serious security risk and the 'worst system'.

For example, the video below explains a scam that involves hijacking one-time passcodes via a Discord server.

Discord's Minecraft Verification Scam! - YouTube


The attackers first invite users to a Discord server that promises free Minecraft items. The server communicates with users over voice chat, offering deals and free items, but to join the voice chat users must first 'verify' themselves with a bot linked to the server.



To verify, the user enters their Minecraft username and registered email address. The yellow area of the input box carries a warning saying 'Do not share your password or other sensitive information.' However, No Text To Speech, who posted the video, points out that 'it's strange that you need an email address to authenticate your Minecraft account in the first place.'



Once the user has entered those details into the bot, a one-time passcode for their Microsoft account arrives at their email address.



The user returns to the verification bot opened from Discord and enters the one-time passcode, which supposedly completes the verification.



What is actually happening is that the server's operator is taking over the user's account. Using the email address the user typed into the bot, the attacker starts a login to the real Microsoft account, which makes Microsoft issue a genuine one-time password to that address, and the bot then asks the user to hand that code over. The bot thus collects the user's email address and one-time passcode, and the attacker uses them to finish the login on their own side and take over the Minecraft account.

In other words, an attacker can obtain email addresses and one-time passwords simply by interposing themselves between the legitimate login service and the victim. What makes the attack so hard to detect is that the one-time password sent to the user's email address or phone number comes from the legitimate service itself, so nothing about the message looks fake. The method is simple, and because the account's password is never used at all, no password, however complex, can prevent it; this makes it extremely dangerous for account security.

Google, too, treats SMS-based authentication codes as a security risk and has announced plans to replace Gmail's process of sending a six-digit code via SMS with scanning a QR code displayed on the screen.

Google is replacing Gmail's two-factor authentication with QR codes instead of six-digit authentication codes - GIGAZINE



Commenters on the social news site Hacker News pointed out further problems with one-time-password logins. One user reported receiving several notifications a day saying that a 'Microsoft account password reset has been requested', each containing a six-digit account recovery code, and observed that every such notification gives whoever triggered it a one-in-a-million chance of guessing the code and stealing the account. Another user noted that because the one-time password itself is sent from a legitimate email address, it is easier to trick a user into handing it over than into giving up their password outright, and that having the user click a link in the email is a comparatively better option.
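The relay attack from the Discord example above and the Hacker News point that a link is comparatively better than a code, shown together as one added example (this is not code from the article or from Daniel Huang's post): a Python simulation with a legitimate service that mails genuine 6-digit codes, a victim who types back whatever arrives, and the attacker's 'verification bot', which starts a real login with the victim's address and relays the code. The same bot is then run against a link-based variant in which opening the link logs in the browser that opens it, not the session that requested it. All names (LoginService, VerificationBot, Victim, login.example, the victim's address) are invented for the simulation.

```python
# Added example (not code from the page): toy model of the Discord-bot OTP relay attack.
# LoginService, VerificationBot, Victim and login.example are invented for the simulation.
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlparse

CODE_DIGITS, TTL_SECONDS, MAX_ATTEMPTS = 6, 600, 5  # guesses allowed per pending login

@dataclass
class PendingCode:
    email: str
    code: str
    created: float
    attempts: int = 0

class LoginService:
    """The legitimate service: it honestly mails a genuine code or link to whatever
    address a login was started for, and that honesty is what the attacker exploits."""

    def __init__(self) -> None:
        self.inbox: dict[str, str] = {}                  # email -> last message mailed
        self.pending_codes: dict[str, PendingCode] = {}  # login id -> pending code
        self.pending_links: dict[str, str] = {}          # link token -> email
        self.sessions: dict[str, str] = {}               # session id -> logged-in email

    # Variant A: a 6-digit code typed back into the session that requested it.
    def start_code_login(self, email: str) -> str:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        login_id = secrets.token_hex(8)
        self.pending_codes[login_id] = PendingCode(email, code, time.time())
        self.inbox[email] = code  # arrives from the legitimate sender
        return login_id           # held by whoever started the login

    def finish_code_login(self, login_id: str, code: str) -> bool:
        p = self.pending_codes.get(login_id)
        if p is None:
            return False
        p.attempts += 1
        if time.time() - p.created > TTL_SECONDS or p.attempts > MAX_ATTEMPTS:
            del self.pending_codes[login_id]  # void it rather than allow a brute force
            return False
        if not hmac.compare_digest(p.code, code):
            return False
        del self.pending_codes[login_id]
        self.sessions[login_id] = p.email  # the REQUESTING session is now logged in
        return True

    # Variant B: a link; whoever opens it gets a fresh session in the opening browser.
    def start_link_login(self, email: str) -> None:
        token = secrets.token_urlsafe(32)
        self.pending_links[token] = email
        self.inbox[email] = f"https://login.example/redeem?token={token}"

    def redeem_link(self, url: str) -> Optional[str]:
        token = parse_qs(urlparse(url).query).get("token", [""])[0]
        email = self.pending_links.pop(token, None)
        if email is None:
            return None
        session_id = secrets.token_hex(8)
        self.sessions[session_id] = email  # the OPENING browser is now logged in
        return session_id

class Victim:
    """Does what the Discord bot asks: hands over whatever code arrives by email."""

    def __init__(self, email: str, service: LoginService) -> None:
        self.email, self.service, self.session = email, service, None

    def answer_code_prompt(self) -> Optional[str]:
        message = self.service.inbox.get(self.email, "")
        if message.startswith("https://"):
            self.session = self.service.redeem_link(message)  # opens it in own browser,
            return None                                        # so there is no code to type
        return message

class VerificationBot:
    """The attacker's bot: it verifies nothing with Discord, it starts a real login
    with the victim's address and relays whatever the victim types back."""

    def __init__(self, service: LoginService, use_links: bool) -> None:
        self.service, self.use_links = service, use_links

    def verify(self, email: str, ask_user: Callable[[], Optional[str]]) -> bool:
        if self.use_links:
            self.service.start_link_login(email)  # attacker never sees the token...
            answer = ask_user()                   # ...unless the victim pastes the URL
            return bool(answer) and self.service.redeem_link(answer) is not None
        login_id = self.service.start_code_login(email)  # victim now receives a genuine code
        answer = ask_user()                               # "enter the code we just sent you"
        return bool(answer) and self.service.finish_code_login(login_id, answer)

def run_relay(use_links: bool) -> dict:
    """Run the relay once and report who ended up logged in."""
    service = LoginService()
    victim = Victim("victim@example.com", service)  # constructed address
    bot = VerificationBot(service, use_links)
    attacker_in = bot.verify(victim.email, victim.answer_code_prompt)
    victim_in = service.sessions.get(victim.session) == victim.email
    return {"attacker_logged_in": attacker_in, "victim_logged_in": victim_in}
```

`run_relay(False)` ends with the attacker holding the session, because the genuine code was issued for the login the attacker started and the service cannot tell who typed it. `run_relay(True)` ends with only the victim logged in: the link carries the secret and its click authenticates the victim's own browser, so the bot gets nothing unless it talks the victim into pasting the whole URL, which is why a link is only comparatively better. In both variants the mail really does come from the legitimate service, so the victim sees nothing suspicious; the attempt counter in finish_code_login is the check that keeps a password-reset request from being a free brute-force attempt at the six-digit code.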

in Video,   Web Service,   Security, Posted by log1e_dh