Duo's Security Blog

APRIL 10, 2024

Enrolling users to use multi-factor authentication (MFA) is an essential security step for any organization. But user enrollment can be a logistical challenge and comes with security risks. Enrollment basics Enrollment is the process by which users are added to a Duo account and enabled to use MFA.

Authentication 143

Authentication Accountability Risk Government 143

Malwarebytes

FEBRUARY 20, 2023

From March 19, users of Twitter won’t be able to use SMS-based two-factor authentication (2FA) unless they have a subscription to the paid Twitter Blue service. You can still use the authentication app and security key methods. To avoid losing access to Twitter, remove text message two-factor authentication by Mar 19, 2023.

Authentication 95

Authentication Phishing Mobile Accountability 95

Duo's Security Blog

MAY 21, 2024

Duo’s Self-Service Portal (SSP), which lets users manage their own authentication devices, saves time for both Duo users and admins. Often the first step for an attacker with stolen credentials is to try to fraudulently register an MFA device , giving persistent access to the user’s account. What’s the risk?

Authentication 80

Authentication Accountability Risk Phishing 80

eSecurity Planet

SEPTEMBER 15, 2021

Since then, the company has steadily cast off the need for passwords for various accounts, and by May 2020, 150 million people had stopped using passwords. Now the company is expanding the passwordless push to all Microsoft accounts. Google automatically makes account holders use two-factor authentication.

Accountability 122

Accountability Passwords Authentication Phishing 122

Malwarebytes

AUGUST 4, 2023

In the phishing attacks the group leverages previously compromised Microsoft 365 instances, mostly owned by small businesses, to create new domains that look like technical support accounts. Once the target has done this, the attacker can use the gained access to further compromise the account.

Authentication 93

Authentication Phishing Small Business Accountability 93

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. It is a program that must coordinate people, tools, and processes, and also account for human error. Errors cannot be prevented, but their effects can be.

Authentication 222

Authentication CISO Passwords Software 222

Security Boulevard

JULY 3, 2023

It involves verifying user identities, controlling access to resources and ensuring proper authentication and authorization processes. By focusing on identity security, organizations can mitigate risks associated with unauthorized access, data breaches and insider threats.

Authentication 59

Authentication Accountability Risk Data breaches 59

BH Consulting

AUGUST 31, 2023

When we think about social media, we think about the nice side of it: staying in touch with friends and family, getting updates about our interests – but the more active we are on it, the more risk we’re exposed to. The more exposed we are in the online space, the more potential there is for risk to a business. More than 4.7

Media 52

Media Accountability Authentication Passwords 52

Duo's Security Blog

APRIL 8, 2024

It is a well-known and established point that a password alone is not enough to secure an account. That’s where multi-factor authentication (MFA) comes in. But what if an attacker can just send that authentication request to their own personal phone? This type of attack is known as Account Manipulation: Device Registration.

Authentication 111

Authentication Accountability Risk Phishing 111

eSecurity Planet

OCTOBER 11, 2021

Google is giving out 10,000 free security keys to high-risks users, an announcement that came a day after the company warned 14,000 of its high-profile users that they could be targeted by the notorious Russia-based APT28 hacking group. ‘Cybersecurity Is a Team Sport’ In an Oct. Google APP Available to All Users.

Risk 135

Risk Passwords Authentication Accountability 135

Duo's Security Blog

MAY 30, 2024

If successful, the bad actor register malicious devices on the student’s account for continued access to the student’s account and the university’s VPN. Duo Data Scientist, Becca Lynch, wrote about these attacks in the blog, Identity Threat Trends for Higher Education. That’s phishy.

Education 54

Education Cyber threats Authentication Threat Detection 54

Security Boulevard

MAY 22, 2023

Fortify The Identity Perimeter ‍The explosion of SaaS adoption has led to unprecedented identity sprawl with some employees creating hundreds of SaaS accounts over the time. Most of these accounts are created with just an email and password, and this has now become the new perimeter for the modern enterprise.

Risk 59

Risk Accountability Authentication Passwords 59

Malwarebytes

NOVEMBER 1, 2022

LinkedIn knows it has a problem with bots and fake accounts, and has acknowledged this on more than one occasion. In 2018, LinkedIn rolled out a way to automatically detect fake accounts. Accounts with positive detections will be removed before they can be used to reach out to members. What's new?

Accountability 93

Accountability Cryptocurrency Education Technology 93

eSecurity Planet

SEPTEMBER 30, 2021

Underground services are cropping up that are designed to enable bad actors to intercept one-time passwords (OTPs), which are widely used in two-factor authentication programs whose purpose is to better protect customers’ online accounts. By using the services, cybercriminals can gain access to victims’ accounts to steal money.

Authentication 111

Authentication Social Engineering Phishing Banking 111

Duo's Security Blog

NOVEMBER 20, 2023

One piece of evidence to support this hypothesis is the low adoption of a basic security control that protects against identity-based attacks - multi-factor authentication (MFA). Add to this, the risks of weak authentication factors such as SMS one-time passcodes and dormant or inactive accounts.

Threat Detection 134

Threat Detection Authentication Accountability Data breaches 134

CyberSecurity Insiders

NOVEMBER 18, 2021

This blog was written by an independent guest blogger. He is also looking for opportunities to collect additional access parameters (usernames and passwords), elevate privileges, or use already existing compromised accounts for unauthorized access to systems, applications, and data. Most cyberattacks originate outside the organization.

Accountability 133

Accountability Passwords Authentication Social Engineering 133

SC Magazine

APRIL 27, 2021

Mandiant Tuesday posted a blog detailing a new attack strategy against Microsoft’s Active Directory Federation Services (AD FS). The main lesson organizations drew from the SolarWinds campaign was the need to protect against third-party risk and address supply chain security. Photo by Drew Angerer/Getty Images).

Authentication 105

Authentication Accountability Media Government 105

Duo's Security Blog

FEBRUARY 27, 2024

The choice of which authentication methods to use is individual to every organization, but it must be informed by a clear understanding of how these methods defend against common identity threats. In the first part of this three-part blog series , we discussed the various methods available to MFA users.

Social Engineering 128

Social Engineering Authentication Phishing Engineering 128

Identity IQ

JULY 3, 2023

How to Detect and Respond to Account Misuse IdentityIQ As digital connectivity continues to grow, safeguarding your online accounts from misuse is becoming increasingly crucial. Account misuse can result in alarming repercussions, including privacy breaches, financial losses, and identity theft.

Accountability 52

Accountability Identity Theft Passwords Social Engineering 52

The Last Watchdog

MAY 5, 2022

Let’s walk through some practical steps organizations can take today, implementing zero trust and remote access strategies to help reduce ransomware risks: •Obvious, but difficult – get end users to stop clicking unknown links and visiting random websites that they know little about, an educational challenge. Best practices.

Ransomware 247

Ransomware Risk Internet Internet 247

Duo's Security Blog

JANUARY 18, 2023

Multi-Factor Authentication (MFA) is a security tool used by various organizations to protect user credentials, or the username and password. As a first step, organizations need to modernize their authentication, moving away from RADIUS or LDAP protocols and moving towards SAML. What can organizations do?

Authentication 71

Authentication Phishing Threat Detection Mobile 71

Security Boulevard

MAY 19, 2022

It is impossible to manage security posture without considering two key factors in any potential vulnerability or security flaw: reachability and risk. Risk is a business measurement that assesses the potential for a vulnerability to actually damage an enterprise or organization. In general, without reachability, there is less risk.

Risk 122

Risk Software Accountability Engineering 122

Malwarebytes

MARCH 29, 2023

Researchers from Wiz have discovered a way to allow for search engine manipulation and account takeover. Azure Active Directory is a single sign-on and multi-factor authentication service used by organisations around the world. Bypassing authentication resulted in a functional admin panel for the search engine.

Accountability 96

Accountability Authentication Engineering Government 96

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. Image: Cloudflare.com. 2, and Aug. ” On July 28 and again on Aug.

Mobile 299

Mobile Phishing Authentication Accountability 299

Duo's Security Blog

FEBRUARY 16, 2024

Duo’s latest annual Trusted Access Report , aptly titled "Navigating Complexity," peels back the layers on the ever-evolving world of access management and analyzes real-world data from 16 billion authentications across millions of devices and users. of measured authentications.

Authentication 102

Authentication Accountability Risk Mobile 102

The Last Watchdog

SEPTEMBER 25, 2023

Nonprofits are equally at risk, and often lack cybersecurity measures. Given the risk involved, small businesses and nonprofits must consider prioritizing cybersecurity policies and practices to stay protected, retain customers, and remain successful. The average cost of a cybersecurity breach was $4.45 Adequate IT compliance.

Small Business 222

Small Business Cybersecurity Technology Accountability 222

Duo's Security Blog

MARCH 2, 2022

Multi-factor authentication is one of the best ways to thwart bad actors using stolen credentials — but it’s not foolproof. However, while implementing MFA decreases the risk of account compromise by 99.9% , there will always be bad actors looking to break through even the most robust defenses.

Authentication 70

Authentication Phishing DNS Passwords 70

SC Magazine

MAY 7, 2021

Google announced that it will automatically enroll users in multifactor authentication – what they are calling two-step verification. Google will start automatically enrolling users in 2SV if their accounts are “appropriately configured.” Risher adds that users can check the status of their accounts in Google’s Security Checkup.

Authentication 89

Authentication Passwords Password Management Mobile 89

Heimadal Security

MARCH 9, 2021

Earlier this month GitHub received a report of anomalous behavior from an external party, therefore they fixed the bug trying to protect user accounts against a potentially serious security vulnerability. The post GitHub Fixed a Bug impacting Authenticated Sessions appeared first on Heimdal Security Blog.

Authentication 56

Authentication Accountability Data breaches Risk 56

Security Boulevard

MARCH 17, 2021

In my previous blog, I discussed the important role multi-factor authentication (MFA) plays in further securing access to enterprise and consumer services. We also established the fact that although MFA increases authentication security and decreases the risk of account takeover, MFA can, and is, being bypassed in the wild.

Scams 107

Scams Consumer Services Authentication Accountability 107

Duo's Security Blog

MARCH 6, 2024

In this attack method, a small number of commonly used passwords are tried over many user accounts in succession. Many free and open-source tools, including NLBrute, Crowbar and Hydra, currently exist to allow attackers to automate these efforts over many user accounts at once.

Authentication 137

Authentication Accountability VPN Passwords 137

Security Boulevard

OCTOBER 18, 2022

SaaS use in organizations is growing rapidly , and it is largely ungoverned, meaning that companies are likely failing to comply with their own security, risk and data compliance policies. Security issues related to SaaS are an increasingly troublesome area of risk for organizations, and this is likely to continue.

Risk 52

Risk CISO Architecture Marketing 52

The Last Watchdog

OCTOBER 16, 2019

Related: Cyber risks spinning out of IoT Credential stuffing and account takeovers – which take full advantage of Big Data, high-velocity software, and automation – inundated the internet in massive surges in 2018 and the first half of 2019, according to multiple reports. Hackers count on it.

Big data 164

Big data Accountability Passwords Digital transformation 164

Duo's Security Blog

FEBRUARY 15, 2024

Multi-factor authentication (MFA) is a well-known and well-established protection that many organizations rely on. Several common authentication methods include the use of one-time passcodes (OTP). The attacker then calls the user, and says "This is your helpdesk, I need to confirm your account, can you please confirm your OTP?"

Social Engineering 124

Social Engineering Authentication Passwords Engineering 124

Duo's Security Blog

NOVEMBER 15, 2022

To illustrate the point, we’ll focus on a particular type of event that generates logs: user authentications (aka “logins”). Identifying “different” authentications Searching through auth logs to identify a login that looks suspicious is one thing. To understand that, you need visibility into both normal and anomalous authentications.

Authentication 54

Authentication Data breaches Risk Marketing 54

Duo's Security Blog

JANUARY 29, 2024

The attack methods included a mixture of passcode phishing and push harassment, with the intent to access university VPNs or register a malicious authentication device on one or more user accounts for continued access. The attacker sends a flurry of Push requests to each user, in the hopes that a user will inadvertently grant access.

Education 122

Education Authentication Passwords Phishing 122

Malwarebytes

OCTOBER 9, 2023

On Friday October 6, 2023, 23andMe confirmed via a somewhat opaque blog post that threat actors had "obtained information from certain accounts, including information about users’ DNA Relatives profiles." However, the damage seems to go far beyond the accounts with reused passwords.

Passwords 132

Passwords Accountability Scams Social Engineering 132