Authentication and Blog - Cyber Security Informer

On Risk-Based Authentication

Schneier on Security

OCTOBER 5, 2020

A Study on Usability and Security Perceptions of Risk-based Authentication “: Abstract : Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. I’ve blogged about risk-based authentication before. Paper’s website.

Authentication

Authentication Risk Passwords

GUEST ESSAY: How the FIDO Alliance helps drive the move to passwordless authentication

The Last Watchdog

DECEMBER 6, 2021

This traditional authentication method is challenging to get rid of, mostly because it’s so common. And for businesses, transitioning to new authentication solutions can be expensive and time-consuming. It supports standards that make implementing newer, stronger authentication methods possible for businesses.

Authentication

Authentication Passwords Mobile Phishing

GUEST ESSAY: The case for shifting to ‘personal authentication’ as the future of identity

The Last Watchdog

FEBRUARY 3, 2022

I currently have over 450 accounts that use passwords combined with a variety of two-factor authentication methods. Related: How the Fido Alliance enables password-less authentication. Only a dozen or so of my accounts get authenticated via self-hosted services. Sharing protocols.

Authentication

Authentication Passwords Accountability Technology

Webinars

How to Avoid Pitfalls In Automation: Keep Humans In the Loop

MORE WEBINARS

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

The Last Watchdog

JULY 24, 2023

The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users. Attackers will continue to find ways to breach our systems, and authentication cryptography will become increasingly vulnerable to attack. Some solutions do this today.

Authentication

Authentication Passwords Phishing Social Engineering

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

The Last Watchdog

DECEMBER 6, 2022

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure. Underscoring this trend, Uber was recently hacked — through its authentication system. The best possible answer is coming from biometrics-based passwordless, continuous authentication.

Authentication

Authentication Healthcare Artificial Intelligence Passwords

Threat actor impersonates Google via fake ad for Authenticator

Malwarebytes

JULY 30, 2024

If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer. Fake site leads to signed payload hosted on Github The fraudulent site chromeweb-authenticators[.]com

Authentication

Authentication Computers and Electronics Social Engineering Malware

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Engineering

Engineering Phishing Banking Authentication

How to Protect Your Accounts with Multi-Factor Authentication

Duo's Security Blog

OCTOBER 13, 2023

Multi-factor Authentication (MFA) protects your environment by guarding against password weaknesses with strong authentication methods. In today’s blog, we’re unpacking why MFA is a cornerstone topic in this year’s Cybersecurity Awareness Month and how it can keep your organization safe from potentially devastating cyber attacks.

Authentication

Authentication Accountability Passwords Mobile

A Day in the Life of a Prolific Voice Phishing Crew

Krebs on Security

JANUARY 7, 2025

Lookout researchers discovered multiple voice phishing groups were using a new phishing kit that closely mimicked the single sign-on pages for Okta and other authentication providers. The image that Lookout used in its blog post for Crypto Chameleon can be seen in the lower right hooded figure. “ Annie.”

Phishing

Phishing Cryptocurrency Accountability Social Engineering

Opening the Black Box of Risk-Based Authentication

Duo's Security Blog

JUNE 25, 2024

Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA requirements based on the level of risk an individual login attempt poses to an organization. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor. Will users get blocked?

Authentication

Authentication Risk Artificial Intelligence Engineering

Gus Simmons’s Memoir

Schneier on Security

MARCH 25, 2022

I know him best for his work on authentication and covert channels, specifically as related to nuclear treaty verification. More blog posts. His work is cited extensively in Applied Cryptography. He has written a memoir of growing up dirt-poor in 1930s rural West Virginia.

Authentication

Making Seamless Authentication a Reality for MSP Customers

Duo's Security Blog

APRIL 3, 2025

While the enforcement of multi-factor authentication (MFA) makes logging in more secure, it inevitably runs the risk of adding steps to a process users already find annoying. While this may avoid authentication fatigue, it certainly risks and may even violate some security standards.

Authentication

Authentication Passwords Risk VPN

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. Related: The coming of agile cryptography These secrets work similarly to passwords, allowing systems to interact with one another.

Authentication

Authentication CISO Passwords Software

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

Duo's Security Blog

MAY 2, 2024

We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, available in Public Preview May 2024! External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set.

Authentication

Authentication Phishing Passwords Risk

Windows Hello fingerprint authentication can be bypassed on popular laptops

Malwarebytes

NOVEMBER 24, 2023

Researchers have found several weaknesses in Windows Hello fingerprint authentication on Dell Inspiron 15, Lenovo ThinkPad T14, and Microsoft Surface Pro X laptops. They found vulnerabilities that allowed them to completely bypass Windows Hello authentication on all three. The input has to be authenticated.

Authentication

Authentication Manufacturing Engineering Hacking

Guest Blog: Ox Security on learning from the Recent GitHub Extortion Campaigns

IT Security Guru

JUNE 13, 2024

These attackers appear to be using the stolen GitHub credentials of users who have not enabled two-factor authentication (2FA). Our data shows that between 93-97% of OX Security users have activated two-factor authentication (2FA), which helps keep accounts, data, and secrets private.

Backups

Backups Authentication Data breaches Social Engineering

Change Healthcare Breach Hits 100M Americans

Krebs on Security

OCTOBER 30, 2024

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

Healthcare

Healthcare Insurance Computers and Electronics Data breaches

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

The Last Watchdog

SEPTEMBER 24, 2024

About the essayist: Ambuj Kumar is Co-founder and CEO of Simbian , AI Agents for cybersecurity The post GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator first appeared on The Last Watchdog.

Authentication

Authentication Identity Theft Banking Data breaches

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. Image: Cloudflare.com. ” On July 28 and again on Aug. In an Aug.

Mobile

Mobile Phishing Authentication Accountability

Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication

Duo's Security Blog

OCTOBER 23, 2024

Available now in all paid Duo subscriptions The launch of Duo Mobile in the early 2010s changed how businesses enabled secure authentication. Other means of authentication outside of smartphones — hardware tokens, phone call authentication, SMS, etc. have proven to be either antiquated, expensive or vulnerable.

Authentication

Authentication Mobile Manufacturing Risk

Threat Modeling and Logins

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. When he did, they sent him a text message to authenticate him, and it says DO NOT share this access code with anyone. Ok, technically theres more lessons, which are in this blog post, but you know what I mean. Happier customers. Less frustration.

Banking

Banking Passwords Password Management Authentication

On the Insecurity of ES&S Voting Machines’ Hash Code

Schneier on Security

MARCH 16, 2021

Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&S’s software authentication system: It turns out that ES&S has bugs in their hash-code checker: if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error.

Authentication

Authentication Software

No, I Won't Link to Your Spammy Article

Troy Hunt

APRIL 6, 2020

That email would have been a reply to one you originally sent to me that would have sounded something like this: Hi, I came across your blog on [thing] and I must admit, it was really nicely written. I also have an article on [thing] and I think it would be a great addition to your blog. On a popular blog. Just the title.

Advertising

Advertising Internet Internet VPN

GUEST ESSAY: How cybercriminals are using ‘infostealers’ to sidestep passwordless authentication

The Last Watchdog

JULY 11, 2024

Related: Passwordless workpace long way off However, as users engage with more applications across multiple devices, the digital security landscape is shifting from passwords and password managers towards including passwordless authentication, such as multi-factor authentication (MFA), biometrics, and, as of late, passkeys.

Authentication

Authentication Passwords Malware Accountability

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. That is true two-factor authentication: Something you have, and something you know (and maybe also even something you are).

Passwords

Passwords Mobile Authentication Banking

The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon

Duo's Security Blog

MAY 15, 2024

In the world of access management, we have seen wide deployment of multi-factor authentication (MFA) at the point of the Operating System (OS) to invoke the layer of something you know (i.e., See the video at the blog post. a password) and something you have (i.e., a registered device).

Authentication

Authentication Social Engineering Passwords Engineering

More SolarWinds News

Schneier on Security

FEBRUARY 3, 2021

Details are in the Microsoft blog: We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices.

Computers and Electronics

Computers and Electronics Malware Software Government

Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

Security Boulevard

MARCH 31, 2025

Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication (BOLA) and broken function-level authentication (BFLA), remain almost impossible to detect.

Risk

Risk Authentication

PTZOptics cameras zero-days actively exploited in the wild

Security Affairs

NOVEMBER 2, 2024

is an inadequate authentication mechanisms that could allow an attacker to access sensitive information like usernames, MD5 password hashes, and configuration data. “Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.”

Firmware

Firmware Manufacturing IoT Healthcare

Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Anton on Security

OCTOBER 12, 2022

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blog for #2 , my unofficial blog for #3 ).

Cybersecurity

Cybersecurity Malware Accountability Passwords

GUEST ESSAY: Ponemon study warns: AI-enhanced deepfake attacks taking aim at senior execs

The Last Watchdog

APRIL 22, 2025

Typically, the attacker collects authentic media samples of their target, including still images, videos, and audio clips, to train the deep learning model. The more training data used, the more authentic the deepfake appears.

Authentication

Authentication Social Engineering Technology Media

Can We Stop Pretending SMS Is Secure Now?

Krebs on Security

MARCH 16, 2021

An expert on SIM-swapping attacks who’s been quoted quite a bit on this blog , Nixon said she also had Lucky225 test his interception tricks on her mobile phone, only to watch her incoming SMS messages show up on his burner phone. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code.

Telecommunications

Telecommunications Mobile Accountability Wireless

Understanding MFA Fatigue: Why Cybercriminals Are Exploiting Human Behaviour

IT Security Guru

FEBRUARY 25, 2025

A prime example is multi-factor authentication (MFA), a security process that requires users to verify their identity in two or more ways, such as a password, a code sent to their phone, or a fingerprint. Advanced authentication systems can analyse contextual factors, like location, device, and login behaviour, to detect anomalies.

Social Engineering

Social Engineering Authentication Risk Accountability

Microsoft Announces Security Update with Windows Resiliency Initiative

eSecurity Planet

DECEMBER 4, 2024

David Weston, VP of enterprise and OS security, said in a blog post , “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers.” This includes strengthening password policies, implementing multi-factor authentication, and leveraging advanced threat detection techniques.

Encryption

Encryption Phishing Passwords Authentication

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

. “A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Kayamori said in a blog post. authenticate the phone call before sensitive information can be discussed.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

XE Group shifts from credit card skimming to exploiting zero-days

Security Affairs

FEBRUARY 10, 2025

CVE-2024-57968 allows remote authenticated users to upload files to unintended folders, while CVE-2025-25181 is an SQL injection flaw enabling remote SQL execution (no patch available). The group was also observed exploiting vulnerabilities in Telerik UI such as CVE-2017-9248 and CVE-2019-18935. .

Manufacturing

Manufacturing Cybercrime Passwords Authentication

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Krebs on Security

SEPTEMBER 2, 2021

Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials. “For context, our research indicates that multi-factor authentication prevents more than 99.9%

Accountability

Accountability Authentication Passwords Hacking

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Krebs on Security

FEBRUARY 8, 2021

Perhaps the biggest selling point for U-Admin is a module that helps phishers intercept multi-factor authentication codes. Qbot) — to harvest one-time codes needed for multi-factor authentication. 2020 blog post on an ongoing Qakbot campaign that was first documented three months earlier by Check Point Research.

Phishing

Phishing Scams Banking Mobile

Humans are Bad at URLs and Fonts Don’t Matter

Troy Hunt

OCTOBER 28, 2020

Everything becomes clear(er) if I manually change the font in the browser dev tools to a serif version: The victim I was referring to in the opening of this blog post? Obviously, the image is resized to the width of paragraphs on this blog, give it a click if you want to check it out at 1:1 size. What's the solution here?

Phishing

Phishing Password Management Passwords Internet

The Strengths and Weaknesses of MFA Methods Against Cyberattacks: Part 3

Duo's Security Blog

FEBRUARY 29, 2024

The choice of authentication methods plays a key role in defending against identity threats. In the first two blogs of this three-part series, we discussed the MFA methods available to users and their strengths and weaknesses in defending against five types of cyberattack. What authentication methods are right for you?

Authentication

Authentication Social Engineering Phishing Software

Hackers Stole Access Tokens from Okta’s Support Unit

Krebs on Security

OCTOBER 20, 2023

Okta , a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. ET: BeyondTrust has published a blog post about their findings. Update, 2:57 p.m.

Social Engineering

Social Engineering Engineering Accountability Hacking

Introducing Duo Wear: Seamless MFA From Your Wrist!

Duo's Security Blog

APRIL 24, 2025

Were thrilled to announce Duo Wear , a companion app for Duo Mobile that brings fast and easy multi-factor authentication (MFA) to your Wear OS smartwatch! Its quick, simple, and offers a frictionless authentication experience. What is Duo Wear? Duo Wear is an app designed specifically for Wear OS smartwatches. Why Make a Wear OS App?

Authentication

Authentication Mobile Technology

Strengths and Weaknesses of MFA Methods Against Cyberattacks: Part 1

Duo's Security Blog

FEBRUARY 26, 2024

Administrators and end-users of a multi-factor authentication (MFA) product like Duo’s face a variety of options for how to authenticate. In this first blog of a three-part series, we’ll define four categories of authentication methods encompassing a broad array of device types.

Authentication

Authentication Mobile Passwords Software

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Malwarebytes

JANUARY 15, 2025

Interestingly, the malicious ad we found was for Google Authenticator, despite the obvious ads-goo[.]click There is also a distant feel of ‘software download via Google ads’ we have reported on previously (see Threat actor impersonates Google via fake ad for Authenticator ). click domain name.

Advertising

Advertising Accountability Phishing Scams

On Risk-Based Authentication

GUEST ESSAY: How the FIDO Alliance helps drive the move to passwordless authentication

Webinars

Trending Sources

GUEST ESSAY: The case for shifting to ‘personal authentication’ as the future of identity

Webinars

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

Threat actor impersonates Google via fake ad for Authenticator

Crooks bank on Microsoft’s search engine to phish customers

How to Protect Your Accounts with Multi-Factor Authentication

A Day in the Life of a Prolific Voice Phishing Crew

Opening the Black Box of Risk-Based Authentication

Gus Simmons’s Memoir

Making Seamless Authentication a Reality for MSP Customers

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

Windows Hello fingerprint authentication can be bypassed on popular laptops

Guest Blog: Ox Security on learning from the Recent GitHub Extortion Campaigns

Change Healthcare Breach Hits 100M Americans

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

How 1-Time Passcodes Became a Corporate Liability

Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication

Threat Modeling and Logins

On the Insecurity of ES&S Voting Machines’ Hash Code

No, I Won't Link to Your Spammy Article

GUEST ESSAY: How cybercriminals are using ‘infostealers’ to sidestep passwordless authentication

The Rise of One-Time Password Interception Bots

The Front Door Just Got a Lot Harder to Break Into: Announcing Passwordless Authentication for Windows Logon

More SolarWinds News

Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

PTZOptics cameras zero-days actively exploited in the wild

Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

GUEST ESSAY: Ponemon study warns: AI-enhanced deepfake attacks taking aim at senior execs

Can We Stop Pretending SMS Is Secure Now?

Understanding MFA Fatigue: Why Cybercriminals Are Exploiting Human Behaviour

Microsoft Announces Security Update with Windows Resiliency Initiative

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

XE Group shifts from credit card skimming to exploiting zero-days

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Humans are Bad at URLs and Fonts Don’t Matter

The Strengths and Weaknesses of MFA Methods Against Cyberattacks: Part 3

Hackers Stole Access Tokens from Okta’s Support Unit

Introducing Duo Wear: Seamless MFA From Your Wrist!

Strengths and Weaknesses of MFA Methods Against Cyberattacks: Part 1

The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads

Stay Connected