Authentication and Blog - Cyber Security Informer

On Risk-Based Authentication

Schneier on Security

OCTOBER 5, 2020

A Study on Usability and Security Perceptions of Risk-based Authentication “: Abstract : Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. I’ve blogged about risk-based authentication before. Paper’s website.

Authentication

Authentication Risk Passwords

NCSC Guidance on “Advanced Cryptography”

Schneier on Security

MAY 2, 2025

These techniques enable novel applications with different trust relationships between the parties, as compared to traditional cryptographic methods for encryption and authentication. NCSC blog entry. The conclusion: Advanced Cryptography covers a range of techniques for protecting sensitive data at rest, in transit and in use.

Encryption

Encryption Cyber Attacks Authentication Risk

GUEST ESSAY: How the FIDO Alliance helps drive the move to passwordless authentication

The Last Watchdog

DECEMBER 6, 2021

This traditional authentication method is challenging to get rid of, mostly because it’s so common. And for businesses, transitioning to new authentication solutions can be expensive and time-consuming. It supports standards that make implementing newer, stronger authentication methods possible for businesses.

Authentication

Authentication Passwords Mobile Phishing

GUEST ESSAY: The case for shifting to ‘personal authentication’ as the future of identity

The Last Watchdog

FEBRUARY 3, 2022

I currently have over 450 accounts that use passwords combined with a variety of two-factor authentication methods. Related: How the Fido Alliance enables password-less authentication. Only a dozen or so of my accounts get authenticated via self-hosted services. Sharing protocols.

Authentication

Authentication Passwords Accountability Technology

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

The Last Watchdog

JULY 24, 2023

The next big thing is passwordless authentication. First and foremost, most solutions rely on connected devices like mobile phones to authenticate users. Attackers will continue to find ways to breach our systems, and authentication cryptography will become increasingly vulnerable to attack. Some solutions do this today.

Authentication

Authentication Passwords Phishing Social Engineering

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

The Last Watchdog

DECEMBER 6, 2022

Much more effective authentication is needed to help protect our digital environment – and make user sessions smoother and much more secure. Underscoring this trend, Uber was recently hacked — through its authentication system. The best possible answer is coming from biometrics-based passwordless, continuous authentication.

Authentication

Authentication Healthcare Artificial Intelligence Passwords

Mail relays – Part 1 | Authenticate your outgoing mail!

Security Boulevard

MAY 14, 2025

Email authentication used to be something only big players worried about. In this blog, we explore how authentication can be implemented at the relay level to improve deliverability, prevent abuse, and get ahead. The post Mail relays – Part 1 | Authenticate your outgoing mail! Not anymore.

Authentication

Authentication Security Awareness

Crooks bank on Microsoft’s search engine to phish customers

Malwarebytes

NOVEMBER 4, 2024

In this blog post, we take a look at how criminals are abusing Bing and stay under the radar at the same time while also bypassing advanced security features such as two-factor authentication. The idea is about creating content that looks real, like a blog, but with malicious intent (monetization or other).

Engineering

Engineering Phishing Banking Authentication

Threat actor impersonates Google via fake ad for Authenticator

Malwarebytes

JULY 30, 2024

If you were trying to download the popular Google Authenticator (a multi-factor authentication program) via a Google search in the past few days, you may have inadvertently installed malware on your computer. Fake site leads to signed payload hosted on Github The fraudulent site chromeweb-authenticators[.]com

Authentication

Authentication Computers and Electronics Social Engineering Malware

A Day in the Life of a Prolific Voice Phishing Crew

Krebs on Security

JANUARY 7, 2025

Lookout researchers discovered multiple voice phishing groups were using a new phishing kit that closely mimicked the single sign-on pages for Okta and other authentication providers. The image that Lookout used in its blog post for Crypto Chameleon can be seen in the lower right hooded figure. “ Annie.”

Phishing

Phishing Cryptocurrency Accountability Social Engineering

Gus Simmons’s Memoir

Schneier on Security

MARCH 25, 2022

I know him best for his work on authentication and covert channels, specifically as related to nuclear treaty verification. More blog posts. His work is cited extensively in Applied Cryptography. He has written a memoir of growing up dirt-poor in 1930s rural West Virginia.

Authentication

Opening the Black Box of Risk-Based Authentication

Duo's Security Blog

JUNE 25, 2024

Duo’s Risk-Based Authentication (RBA) helps solve this by adapting MFA requirements based on the level of risk an individual login attempt poses to an organization. Risky authentications are stepped-up, and users are required to authenticate with a more secure factor. Will users get blocked?

Authentication

Authentication Risk Artificial Intelligence Engineering

Closing the Loop: Continuous API Security Testing – FireTail Blog

Security Boulevard

MAY 15, 2025

And it may be important to run these tests either as a completely external user, modeling an anonymous threat actor, or as a valid authenticated user. The post Closing the Loop: Continuous API Security Testing – FireTail Blog appeared first on Security Boulevard.

Internet

Internet Internet Data breaches Authentication

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

The Last Watchdog

MARCH 1, 2023

The IT world relies on digital authentication credentials, such as API keys, certificates, and tokens, to securely connect applications, services, and infrastructures. Related: The coming of agile cryptography These secrets work similarly to passwords, allowing systems to interact with one another.

Authentication

Authentication CISO Passwords Software

Change Healthcare Breach Hits 100M Americans

Krebs on Security

OCTOBER 30, 2024

“Affected insurance providers can contact us to prevent leaking of their own data and [remove it] from the sale,” RansomHub’s victim shaming blog announced on April 16. A few days after BlackCat imploded, the same stolen healthcare data was offered for sale by a competing ransomware affiliate group called RansomHub.

Healthcare

Healthcare Insurance Computers and Electronics Data breaches

Making Seamless Authentication a Reality for MSP Customers

Duo's Security Blog

APRIL 3, 2025

While the enforcement of multi-factor authentication (MFA) makes logging in more secure, it inevitably runs the risk of adding steps to a process users already find annoying. While this may avoid authentication fatigue, it certainly risks and may even violate some security standards.

Authentication

Authentication Passwords Risk VPN

Guest Blog: Ox Security on learning from the Recent GitHub Extortion Campaigns

IT Security Guru

JUNE 13, 2024

These attackers appear to be using the stolen GitHub credentials of users who have not enabled two-factor authentication (2FA). Our data shows that between 93-97% of OX Security users have activated two-factor authentication (2FA), which helps keep accounts, data, and secrets private.

Backups

Backups Authentication Data breaches Social Engineering

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

The Last Watchdog

SEPTEMBER 24, 2024

About the essayist: Ambuj Kumar is Co-founder and CEO of Simbian , AI Agents for cybersecurity The post GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator first appeared on The Last Watchdog.

Authentication

Authentication Identity Theft Banking Data breaches

No, I Won't Link to Your Spammy Article

Troy Hunt

APRIL 6, 2020

That email would have been a reply to one you originally sent to me that would have sounded something like this: Hi, I came across your blog on [thing] and I must admit, it was really nicely written. I also have an article on [thing] and I think it would be a great addition to your blog. On a popular blog. Just the title.

Advertising

Advertising Internet Internet VPN

How 1-Time Passcodes Became a Corporate Liability

Krebs on Security

AUGUST 30, 2022

The missives asked users to click a link and log in at a phishing page that mimicked their employer’s Okta authentication page. Those who submitted credentials were then prompted to provide the one-time password needed for multi-factor authentication. Image: Cloudflare.com. ” On July 28 and again on Aug. In an Aug.

Mobile

Mobile Phishing Authentication Accountability

Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication

Duo's Security Blog

OCTOBER 23, 2024

Available now in all paid Duo subscriptions The launch of Duo Mobile in the early 2010s changed how businesses enabled secure authentication. Other means of authentication outside of smartphones — hardware tokens, phone call authentication, SMS, etc. have proven to be either antiquated, expensive or vulnerable.

Authentication

Authentication Mobile Manufacturing Risk

Threat Modeling and Logins

Adam Shostack

JANUARY 2, 2025

Authentication is more frustrating to your customers when you dont threat model. When he did, they sent him a text message to authenticate him, and it says DO NOT share this access code with anyone. Ok, technically theres more lessons, which are in this blog post, but you know what I mean. Happier customers. Less frustration.

Banking

Banking Passwords Password Management Authentication

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

Duo's Security Blog

MAY 2, 2024

We are excited to have partnered closely with Microsoft in the co-development of Microsoft Entra ID External Authentication Methods, available in Public Preview May 2024! External Authentication Methods (EAM) enables frictionless integration of Duo’s full security feature set.

Authentication

Authentication Phishing Passwords Risk

On the Insecurity of ES&S Voting Machines’ Hash Code

Schneier on Security

MARCH 16, 2021

Andrew Appel and Susan Greenhalgh have a blog post on the insecurity of ES&S’s software authentication system: It turns out that ES&S has bugs in their hash-code checker: if the “reference hashcode” is completely missing, then it’ll say “yes, boss, everything is fine” instead of reporting an error.

Authentication

Authentication Software

GUEST ESSAY: How cybercriminals are using ‘infostealers’ to sidestep passwordless authentication

The Last Watchdog

JULY 11, 2024

Related: Passwordless workpace long way off However, as users engage with more applications across multiple devices, the digital security landscape is shifting from passwords and password managers towards including passwordless authentication, such as multi-factor authentication (MFA), biometrics, and, as of late, passkeys.

Authentication

Authentication Passwords Malware Accountability

The Rise of One-Time Password Interception Bots

Krebs on Security

SEPTEMBER 29, 2021

In February, KrebsOnSecurity wrote about a novel cybercrime service that helped attackers intercept the one-time passwords (OTPs) that many websites require as a second authentication factor in addition to passwords. That is true two-factor authentication: Something you have, and something you know (and maybe also even something you are).

Passwords

Passwords Mobile Authentication Banking

Sansec uncovered a supply chain attack via 21 backdoored Magento extensions

Security Affairs

MAY 5, 2025

In older versions (2019), this required no authentication, but newer versions require a secret key. In versions from 2019 this does not require any authentication.” “The evil is in the adminLoadLicense function, which executes $licenseFile as PHP.” ” continues the report. ” continues the report.

eCommerce

eCommerce Hacking Authentication Software

PTZOptics cameras zero-days actively exploited in the wild

Security Affairs

NOVEMBER 2, 2024

is an inadequate authentication mechanisms that could allow an attacker to access sensitive information like usernames, MD5 password hashes, and configuration data. “Read the GreyNoise Labs blog for technical analysis and deeper insight into how Sift helped discover these zero-day vulnerabilities.”

Firmware

Firmware Manufacturing IoT Healthcare

On world password day, Microsoft says fewer passwords, more passkeys

Malwarebytes

MAY 2, 2025

The alternative: passkeys Passkeys are an alternative, more modern authentication method designed to replace passwords with a safer, simpler alternative. This blog post will try to explain what passkeys are, how to use them, and why they are better than passwords, helping you embrace this next step in online security. And its faster.

Passwords

Passwords Password Management Authentication Accountability

More SolarWinds News

Schneier on Security

FEBRUARY 3, 2021

Details are in the Microsoft blog: We have published our in-depth analysis of the Solorigate backdoor malware (also referred to as SUNBURST by FireEye), the compromised DLL that was deployed on networks as part of SolarWinds products, that allowed attackers to gain backdoor access to affected devices.

Computers and Electronics

Computers and Electronics Malware Software Government

Employee monitoring app exposes users, leaks 21+ million screenshots

Malwarebytes

APRIL 28, 2025

Ive lost count of how many blogs Ive written about stalkerware -type apps that not only exposed the people they spied on but also ended up exposing the spies themselves. Enable two-factor authentication (2FA). Some forms of two-factor authentication (2FA) can be phished just as easily as a password.

Passwords

Passwords Phishing Spyware Password Management

Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Anton on Security

OCTOBER 12, 2022

This is my completely informal, uncertified, unreviewed and otherwise completely unofficial blog inspired by my reading of our fourth Threat Horizons Report ( full version ) that we just released ( the official blog for #1 report , my unofficial blog for #2 , my unofficial blog for #3 ).

Cybersecurity

Cybersecurity Malware Accountability Passwords

Can We Stop Pretending SMS Is Secure Now?

Krebs on Security

MARCH 16, 2021

An expert on SIM-swapping attacks who’s been quoted quite a bit on this blog , Nixon said she also had Lucky225 test his interception tricks on her mobile phone, only to watch her incoming SMS messages show up on his burner phone. Usually, this is a mobile app like Authy or Google Authenticator that generates a one-time code.

Telecommunications

Telecommunications Mobile Accountability Wireless

Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

Security Boulevard

MARCH 31, 2025

Despite advancements in API security, access control vulnerabilities, such as broken object-level authentication (BOLA) and broken function-level authentication (BFLA), remain almost impossible to detect.

Risk

Risk Authentication

Understanding MFA Fatigue: Why Cybercriminals Are Exploiting Human Behaviour

IT Security Guru

FEBRUARY 25, 2025

A prime example is multi-factor authentication (MFA), a security process that requires users to verify their identity in two or more ways, such as a password, a code sent to their phone, or a fingerprint. Advanced authentication systems can analyse contextual factors, like location, device, and login behaviour, to detect anomalies.

Social Engineering

Social Engineering Authentication Risk Accountability

GUEST ESSAY: Ponemon study warns: AI-enhanced deepfake attacks taking aim at senior execs

The Last Watchdog

APRIL 22, 2025

Typically, the attacker collects authentic media samples of their target, including still images, videos, and audio clips, to train the deep learning model. The more training data used, the more authentic the deepfake appears.

Authentication

Authentication Social Engineering Technology Media

XE Group shifts from credit card skimming to exploiting zero-days

Security Affairs

FEBRUARY 10, 2025

CVE-2024-57968 allows remote authenticated users to upload files to unintended folders, while CVE-2025-25181 is an SQL injection flaw enabling remote SQL execution (no patch available). The group was also observed exploiting vulnerabilities in Telerik UI such as CVE-2017-9248 and CVE-2019-18935. .

Manufacturing

Manufacturing Cybercrime Passwords Authentication

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Krebs on Security

FEBRUARY 8, 2021

Perhaps the biggest selling point for U-Admin is a module that helps phishers intercept multi-factor authentication codes. Qbot) — to harvest one-time codes needed for multi-factor authentication. 2020 blog post on an ongoing Qakbot campaign that was first documented three months earlier by Check Point Research.

Phishing

Phishing Scams Banking Mobile

Microsoft Announces Security Update with Windows Resiliency Initiative

eSecurity Planet

DECEMBER 4, 2024

David Weston, VP of enterprise and OS security, said in a blog post , “We are committed to ensuring that Windows remains the most reliable and resilient open platform for our customers.” This includes strengthening password policies, implementing multi-factor authentication, and leveraging advanced threat detection techniques.

Encryption

Encryption Phishing Passwords Authentication

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Krebs on Security

NOVEMBER 21, 2020

. “A domain hosting provider ‘GoDaddy’ that manages one of our core domain names incorrectly transferred control of the account and domain to a malicious actor,” Liquid CEO Kayamori said in a blog post. authenticate the phone call before sensitive information can be discussed.

Cryptocurrency

Cryptocurrency VPN Scams Social Engineering

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Krebs on Security

SEPTEMBER 2, 2021

Bill said this criminal group averages between five and ten million email authentication attempts daily, and comes away with anywhere from 50,000 to 100,000 of working inbox credentials. “For context, our research indicates that multi-factor authentication prevents more than 99.9%

Accountability

Accountability Authentication Passwords Hacking

Hackers Stole Access Tokens from Okta’s Support Unit

Krebs on Security

OCTOBER 20, 2023

Okta , a company that provides identity tools like multi-factor authentication and single sign-on to thousands of businesses, has suffered a security breach involving a compromise of its customer support unit, KrebsOnSecurity has learned. ET: BeyondTrust has published a blog post about their findings. Update, 2:57 p.m.

Social Engineering

Social Engineering Engineering Accountability Hacking

Introducing Duo Wear: Seamless MFA From Your Wrist!

Duo's Security Blog

APRIL 24, 2025

Were thrilled to announce Duo Wear , a companion app for Duo Mobile that brings fast and easy multi-factor authentication (MFA) to your Wear OS smartwatch! Its quick, simple, and offers a frictionless authentication experience. What is Duo Wear? Duo Wear is an app designed specifically for Wear OS smartwatches. Why Make a Wear OS App?

Authentication

Authentication Mobile Technology

Humans are Bad at URLs and Fonts Don’t Matter

Troy Hunt

OCTOBER 28, 2020

Everything becomes clear(er) if I manually change the font in the browser dev tools to a serif version: The victim I was referring to in the opening of this blog post? Obviously, the image is resized to the width of paragraphs on this blog, give it a click if you want to check it out at 1:1 size. What's the solution here?

Phishing

Phishing Password Management Passwords Internet

On Risk-Based Authentication

NCSC Guidance on “Advanced Cryptography”

Trending Sources

GUEST ESSAY: How the FIDO Alliance helps drive the move to passwordless authentication

GUEST ESSAY: The case for shifting to ‘personal authentication’ as the future of identity

GUEST ESSAY: Why it’s high time for us to rely primarily on passwordless authentication

GUEST ESSAY: ‘Continuous authentication’ is driving passwordless sessions into the mainstream

Mail relays – Part 1 | Authenticate your outgoing mail!

Crooks bank on Microsoft’s search engine to phish customers

Threat actor impersonates Google via fake ad for Authenticator

A Day in the Life of a Prolific Voice Phishing Crew

Gus Simmons’s Memoir

Opening the Black Box of Risk-Based Authentication

Closing the Loop: Continuous API Security Testing – FireTail Blog

GUEST ESSAY: Why CISOs absolutely must take authentication secrets much more seriously

Change Healthcare Breach Hits 100M Americans

Making Seamless Authentication a Reality for MSP Customers

Guest Blog: Ox Security on learning from the Recent GitHub Extortion Campaigns

GUEST ESSAY: Massive NPD breach tells us its high time to replace SSNs as an authenticator

No, I Won't Link to Your Spammy Article

How 1-Time Passcodes Became a Corporate Liability

Secure Identities on Any Device, Anywhere: Introducing Duo Desktop Authentication

Threat Modeling and Logins

Duo Continues to Enhance Partnership With Microsoft on New Entra ID External Authentication Methods

On the Insecurity of ES&S Voting Machines’ Hash Code

GUEST ESSAY: How cybercriminals are using ‘infostealers’ to sidestep passwordless authentication

The Rise of One-Time Password Interception Bots

Sansec uncovered a supply chain attack via 21 backdoored Magento extensions

PTZOptics cameras zero-days actively exploited in the wild

On world password day, Microsoft says fewer passwords, more passkeys

More SolarWinds News

Employee monitoring app exposes users, leaks 21+ million screenshots

Google Cybersecurity Action Team Threat Horizons Report #4 Is Out!

Can We Stop Pretending SMS Is Secure Now?

Unsolved Challenge: Why API Access Control Vulnerabilities Remain a Major Security Risk

Understanding MFA Fatigue: Why Cybercriminals Are Exploiting Human Behaviour

GUEST ESSAY: Ponemon study warns: AI-enhanced deepfake attacks taking aim at senior execs

XE Group shifts from credit card skimming to exploiting zero-days

Arrest, Raids Tied to ‘U-Admin’ Phishing Kit

Microsoft Announces Security Update with Windows Resiliency Initiative

GoDaddy Employees Used in Attacks on Multiple Cryptocurrency Services

Gift Card Gang Extracts Cash From 100k Inboxes Daily

Hackers Stole Access Tokens from Okta’s Support Unit

Introducing Duo Wear: Seamless MFA From Your Wrist!

Humans are Bad at URLs and Fonts Don’t Matter

Stay Connected