Amnesty International this week released a report detailing how hackers can automatically bypass multifactor authentication (MFA) when the second factor is a text message, and they’re using this tactic to break into Gmail and Yahoo accounts at scale.
MFA is generally recommended; however, its security varies depending on the chosen factor. Consumers prefer second-factor codes sent via text messages because they’re easy to access. Unfortunately for some, cybercriminals like them for the same reason.
Read more about the findings of the report on DarkReading.
A poorly secured database exposed at least 26 million text messages, password reset links and codes, two-factor verification codes, temporary passwords, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.
The leaky database, owned by communications firm Vovox, was found on Shodan by Sébastien Kaul, a security researcher based in Berlin. Kaul discovered the database lacked password protection and left names, phone numbers, and text messages easily searchable. Vovox took down the database after it was contacted with an inquiry from TechCrunch.
Read more about how the exposed data put people at risk on DarkReading.
Microsoft is hoping to finally kill passwords within businesses with its latest upgrade to its Microsoft Authenticator app. The password is increasingly viewed as an insecure way to authenticate users, with employees often resorting to weak passwords as they try to keep up with corporate demands for frequent changes.
The Microsoft Authenticator app eliminates the need for passwords by offering authentication via a combination of phone and fingerprint, face or PIN for a more secure, multi-factor sign-in. Now Microsoft has extended its support for passwordless login using the app to the hundreds of thousands of Azure Active Directory-connected apps used by businesses.
Read more about the new feature for businesses on TechRepublic.
A newly discovered vulnerability in Microsoft’s Active Directory Federation Services (ADFS) lets threat actors bypass multifactor authentication (MFA) as long as they have the username and password for another person on the same ADFS service. Microsoft patched the flaw today.
This means the second factor for one account could be used for all other accounts in an organization. “If you can have one MFA factor for any user, you can have it for all users,” says Matias Brutti, director of research at Okta REX.
Read more about the newly discovered vulnerability in Microsoft ADFS, a service that many businesses use as a gatekeeper to manage identities and resources, on DarkReading.
Multifactor authentication (MFA) is a method of boosting IT security that requires end users to provide multiple methods of identification to confirm their identity before they gain access to corporate resources and applications or perform online transactions.
By requiring an additional factor beyond a simple password (such as software on a smartphone, a fingerprint, a voiceprint, a key fob or a security code), MFA technology makes it far more difficult for hackers to exploit the login process and wreak havoc by stealing corporate, customer or partner data — even when a password has been compromised or shared among a number of different services by an end user.
Read more about the top multifactor authentication (MFA) products for your enterprise on Tech Target.