Duo's Security Blog

OCTOBER 13, 2023

Multi-factor Authentication (MFA) protects your environment by guarding against password weaknesses with strong authentication methods. In today’s blog, we’re unpacking why MFA is a cornerstone topic in this year’s Cybersecurity Awareness Month and how it can keep your organization safe from potentially devastating cyber attacks.

Authentication 145

Authentication Accountability Passwords Mobile 145

The Last Watchdog

DECEMBER 6, 2021

This traditional authentication method is challenging to get rid of, mostly because it’s so common. Every new account you sign up for, application you download, or device you purchase requires a password. And for businesses, transitioning to new authentication solutions can be expensive and time-consuming.

Authentication 251

Authentication Passwords Mobile Phishing 251

The Last Watchdog

JULY 24, 2023

Not only are passwords vulnerable to brute force attacks, but they can also be easily forgotten and reused across multiple accounts. The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users. They are simply not good enough.

Authentication 245

Authentication Passwords Phishing Social Engineering 245

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. Image: Cloudflare.com. 2, and Aug. ” On July 28 and again on Aug.

Mobile 344

Mobile Phishing Authentication Accountability 344

Malwarebytes

JULY 30, 2024

If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer. Fake site leads to signed payload hosted on Github The fraudulent site chromeweb-authenticators[.]com

Authentication 140

Authentication Computers and Electronics Social Engineering Malware 140

Krebs on Security

MARCH 16, 2021

Lucky225 showed how anyone could do the same after creating an account at a service called Sakari , a company that helps celebrities and businesses do SMS marketing and mass messaging. From there, the attacker can reset the password of any account which uses that phone number for password reset links.

Telecommunications 363

Telecommunications Mobile Accountability Wireless 363

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. These services are springing up because they work and they’re profitable.

Passwords 348

Passwords Mobile Authentication Banking 348

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. Recently, I was opening a new bank account. Theyre checking live access to the email account with the one time code. When he did, they sent him a text message to authenticate him, and it says DO NOT share this access code with anyone.

Banking 130

Banking Passwords Password Management Authentication 130

Krebs on Security

SEPTEMBER 2, 2021

Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials. Because these accounts can all be cleaned out and deposited onto a gift card number that can be resold quickly online for 80 percent of its value.

Accountability 347

Accountability Authentication Passwords Hacking 347

Duo's Security Blog

SEPTEMBER 5, 2024

Before diving into the specifics of dormant accounts, it's important to take a step back and discuss a prerequisite: gaining cross-platform visibility into identity and access management data. And finally, individual users often have multiple accounts (Gmail, Yahoo, etc.) Why are dormant accounts a risk?

Accountability 142

Accountability Risk Passwords Authentication 142

Krebs on Security

OCTOBER 20, 2023

Okta , a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. ET: BeyondTrust has published a blog post about their findings. He said that on Oct 2.,

Social Engineering 356

Social Engineering Engineering Accountability Hacking 356

Cisco Security

MARCH 15, 2022

Guidance is provided in the Recommendations and Best Practices section of this blog. According to the FBI’s bulletin, cyber actors were able to obtain access to primary credentials for users with Duo accounts that did not have an enrolled multi-factor authentication (MFA) device.

Authentication 144

Authentication Passwords Accountability Government 144

Krebs on Security

NOVEMBER 21, 2020

And in May of this year, GoDaddy disclosed that 28,000 of its customers’ web hosting accounts were compromised following a security incident in Oct. “This gave the actor the ability to change DNS records and in turn, take control of a number of internal email accounts. . 2019 that wasn’t discovered until April 2020.

Cryptocurrency 364

Cryptocurrency VPN Scams Social Engineering 364

Schneier on Security

FEBRUARY 3, 2021

Details are in the Microsoft blog: We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices.

Computers and Electronics 363

Computers and Electronics Malware Software Government 363

The Last Watchdog

SEPTEMBER 24, 2024

Rather, we should treat SSN as just another piece of personally identifiable information (PII) like an email address – confidential information but not a sensitive one that unlocks your bank accounts. Governments can create a digital identity at birth to replace SSN in its current use. That identity is tied to specific vendors.

Authentication 216

Authentication Identity Theft Banking Data breaches 216

Duo's Security Blog

JUNE 8, 2023

Some of it is positive, but the general consensus is that people don’t love multi-factor authentication (MFA); they see it as a necessary evil at best. That’s why I’m so excited to announce our vision to streamline Duo’s authentication workflows, a feature that will deliver seamless, secure login experiences.

Authentication 144

Authentication VPN System Administration Engineering 144

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. It is a program that must coordinate people, tools, and processes, and also account for human error. Errors cannot be prevented, but their effects can be.

Authentication 222

Authentication CISO Passwords Software 222

Hacker's King

JANUARY 1, 2025

You may also like to read: Instagram Hacked: Top 5 Ways to Protect Your Account Ways to Secure Your Twitter Account Set a Strong Password - Setting a strong password is the very first step to secure your Twitter account. Enable Two-Factor Authentication - Adding Two-Factor Authentication means adding an extra layer of security.

Accountability 52

Accountability Hacking Passwords Scams 52

Graham Cluley

MARCH 27, 2024

Hardware wallet manufacturer Trezor has explained how its Twitter account was compromised - despite it having sensible security precautions in place, such as strong passwords and multi-factor authentication. Read more in my article on the Hot for Security blog.

Accountability 120

Accountability Cryptocurrency Manufacturing Passwords 120

IT Security Guru

FEBRUARY 25, 2025

A prime example is multi-factor authentication (MFA), a security process that requires users to verify their identity in two or more ways, such as a password, a code sent to their phone, or a fingerprint. Cyber crooks often bank on organisations thinking of MFA as a silver bullet for account security, but it isnt.

Social Engineering 118

Social Engineering Authentication Risk Accountability 118

Anton on Security

OCTOBER 12, 2022

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blog for #2 , my unofficial blog for #3 ).

Cybersecurity 246

Cybersecurity Malware Accountability Passwords 246

Google Security

MAY 5, 2023

Passkeys are a new, passwordless authentication method that offer a convenient authentication experience for sites and apps, using just a fingerprint, face scan or other screen lock. Learn more on how passkey works under the hood in our Google Security Blog. Figure 1: authentication success rate with passkey vs password.

Authentication 122

Authentication Passwords Technology Password Management 122

IT Security Guru

JUNE 13, 2024

These attackers appear to be using the stolen GitHub credentials of users who have not enabled two-factor authentication (2FA). Our data shows that between 93-97% of OX Security users have activated two-factor authentication (2FA), which helps keep accounts, data, and secrets private.

Backups 134

Backups Authentication Data breaches Social Engineering 134

Malwarebytes

OCTOBER 6, 2023

Recently, Amazon announced that it will require all privileged Amazon Web Services (AWS) accounts to use multi-factor authentication (MFA) , starting in mid-2024. Our regular readers will know that we feel that passwords alone are not adequate protection , especially not for your important accounts. Get a free trial below.

Authentication 132

Authentication Passwords Social Engineering Accountability 132

The Last Watchdog

JULY 11, 2024

Related: Passwordless workpace long way off However, as users engage with more applications across multiple devices, the digital security landscape is shifting from passwords and password managers towards including passwordless authentication, such as multi-factor authentication (MFA), biometrics, and, as of late, passkeys.

Authentication 124

Authentication Passwords Malware Accountability 124

Krebs on Security

DECEMBER 4, 2018

I asked if this notice had been sent to everyone, and inquired whether ShareFile offers any form(s) of multi-factor authentication options that customers could use to supplement the security of passwords. We did not enforce a password reset on accounts that are using more stringent authentication controls [emphasis added].

Passwords 253

Passwords Authentication Accountability Password Management 253

eSecurity Planet

DECEMBER 4, 2024

David Weston, VP of enterprise and OS security, said in a blog post , “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers.” Users will be given standard user accounts by default. Data Protection Windows 11 Enterprise introduced a new Personal Data Encryption feature.

Encryption 108

Encryption Phishing Passwords Authentication 108

Malwarebytes

SEPTEMBER 1, 2023

Not long ago I wrote about a recent campaign to hold LinkedIn users' accounts to ransom. Since he doesn’t use the LinkedIn app on his mobile he checked his account on his laptop first thing in the morning. A reset of the account’s password worked, but failed to remove the unwanted active session.

Accountability 135

Accountability Passwords Mobile Authentication 135

Duo's Security Blog

MAY 23, 2024

When reading the title of this blog, you might be wondering to yourself why RADIUS is being highlighted as a subject — especially amidst all of the advancements of modern authentication we see taking place recently. Instead, it supports a variety of authentication protocols , including EAP, PAP, CHAP, and others. What is RADIUS?

Authentication 111

Authentication Wireless Passwords Encryption 111

Troy Hunt

APRIL 5, 2023

Specific guidance prepared by the FBI in conjunction with the Dutch police on further steps you can take to protect yourself are detailed at the end of this blog post on the gold background. We implement two factor authentication. Or that "data is the currency of the digital economy"? We block known breached passwords.

Marketing 355

Marketing Passwords Authentication Accountability 355

Krebs on Security

APRIL 6, 2022

Microsoft blogged about its attack at the hands of LAPSUS$, and about the group targeting its customers. “They would just keep jamming a few individuals to get [remote] access, read some onboarding documents, enroll a new 2FA [two-factor authentication method] and exfiltrate code or secrets, like a smash-and-grab,” the CXO said.

Social Engineering 294

Social Engineering Phishing Engineering Accountability 294

Krebs on Security

JULY 31, 2024

More than a million domain names — including many registered by Fortune 100 firms and brand protection companies — are vulnerable to takeover by cybercriminals thanks to authentication weaknesses at a number of large web hosting providers and domain registrars, new research finds. Image: Shutterstock. Image: Infoblox.

DNS 316

DNS Internet Internet Phishing 316

Krebs on Security

MAY 10, 2019

From there, the attackers simply start requesting password reset links via text message for a variety of accounts tied to the hijacked phone number. million stealing cryptocurrencies and extorting people for restoring access to social media accounts that were hijacked after a successful SIM-swap.

Mobile 256

Mobile Identity Theft Accountability Cryptocurrency 256

Krebs on Security

JUNE 27, 2023

On July 16, 2020 — the day after some of Twitter’s most recognizable and popular users had their accounts hacked and used to tweet out a bitcoin scam — KrebsOnSecurity observed that several social media accounts tied to O’Connor appeared to have inside knowledge of the intrusion. I haven’t done anything.”

Cryptocurrency 276

Cryptocurrency Accountability Mobile Hacking 276

Duo's Security Blog

FEBRUARY 13, 2025

In one of their documented cases, an organization reported that 13 million authentication attempts were made in 24 hours against known accounts. In the case of password spray, looking for startling increase in authentication traffic can be vital.

Authentication 80

Authentication Accountability Passwords Risk 80

Duo's Security Blog

MAY 6, 2024

The security industry has diligently battled compromised credentials, evolving from passwords to multifactor authentication (MFA) to passwordless — our most secure and phishing-resistant method to date — and one that is fully supported in Duo. This means there are serious holes in our authentication armor today. The benefit is twofold.

Authentication 95

Authentication Accountability VPN Phishing 95

Krebs on Security

SEPTEMBER 5, 2023

Importantly, none appeared to have suffered the sorts of attacks that typically preface a high-dollar crypto heist, such as the compromise of one’s email and/or mobile phone accounts. “If you have my seed phrase, you can copy and paste that into your wallet, and then you can see all my accounts.

Cryptocurrency 362

Cryptocurrency Passwords Encryption Accountability 362