#weak2fa

Erik van Straten<p>"French government carries out phishing test on 2.5 million pupils"<br><a href="https://www.security.nl/posting/881630/Franse+overheid+voert+phishingtest+uit+op+2%2C5+miljoen+leerlingen" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">security.nl/posting/881630/Fra</span><span class="invisible">nse+overheid+voert+phishingtest+uit+op+2%2C5+miljoen+leerlingen</span></a></p><p>INSANE!</p><p>It is usually impossible to reliably distinguish fake messages (e-mail, SMS, chat apps, social media and paper mail - see picture) from genuine ones.</p><p>Against phishing, and fake websites in particular, something can very well be done, as I described once more today in <a href="https://security.nl/posting/881655" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/881655</span><span class="invisible"></span></a>.</p><p>(Big Tech and lazy website administrators don't want that, so it is and remains an enormous fight.)</p><p><a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/NepWebsites" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NepWebsites</span></a> <a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/Certificaten" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>Certificaten</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Evilginx2</span></a> <a href="https://infosec.exchange/tags/Zwakke2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Zwakke2FA</span></a> <a href="https://infosec.exchange/tags/ZwakkeMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ZwakkeMFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/Authenticatie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authenticatie</span></a> <a href="https://infosec.exchange/tags/Impersonatie" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonatie</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/DomainNames" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DomainNames</span></a> <a href="https://infosec.exchange/tags/Authenticity" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>Authenticity</span></a> <a href="https://infosec.exchange/tags/Aurhenticiteit" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Aurhenticiteit</span></a> <a href="https://infosec.exchange/tags/Owner" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Owner</span></a> <a href="https://infosec.exchange/tags/Eigenaar" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Eigenaar</span></a> <a href="https://infosec.exchange/tags/Verantwoordelijke" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Verantwoordelijke</span></a> <a href="https://infosec.exchange/tags/Responsible" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Responsible</span></a> <a href="https://infosec.exchange/tags/Accountable" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Accountable</span></a> <a href="https://infosec.exchange/tags/DigiD" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DigiD</span></a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS</span></a> <a href="https://infosec.exchange/tags/Email" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Email</span></a> <a href="https://infosec.exchange/tags/ChatApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ChatApps</span></a> <a href="https://infosec.exchange/tags/Verzender" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Verzender</span></a> <a href="https://infosec.exchange/tags/Sender" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Sender</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" 
rel="nofollow noopener" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.social/@BjornW" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BjornW</span></a></span> :</p><p>I've stopped doing that after a lot of people called me an idiot and a liar if I kindly notified them. I stopped, I'll get scolded anyway.</p><p>Big tech and most admins want everyone to believe that "Let's Encrypt" is the only goal. Nearly 100% of tech people believe that.</p><p>And admins WANT to believe that, because reliable authentication of website owners is a PITA. They just love ACME and tell their website visitors to GFY.</p><p>People like you tooting nonsense get a lot of boosts. It's called fake news or big tech propaganda. If you know better, why don't you WRITE BETTER?</p><p>It has ruined the internet. Not for phun but purely for profit. And it is what ruins people's lives and lets employees open the door for ransomware and data-theft.</p><p>See also <a href="https://infosec.exchange/@ErikvanStraten/112914047006977222" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/112914047006977222</span></a> (and, in Dutch, <a href="https://security.nl/posting/881296" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/881296</span><span class="invisible"></span></a>).</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@troyhunt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>troyhunt</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@letsencrypt" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>letsencrypt</span></a></span> </p><p><a href="https://infosec.exchange/tags/DV" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DV</span></a> <a 
href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a> <a href="https://infosec.exchange/tags/AnonymousCertificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AnonymousCertificates</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a href="https://infosec.exchange/tags/LetsAuthenticate" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LetsAuthenticate</span></a> <a href="https://infosec.exchange/tags/BigTechIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>BigTechIsEvil</span></a> <a href="https://infosec.exchange/tags/GoogleIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>GoogleIsEvil</span></a> <a href="https://infosec.exchange/tags/CloudflareIsEvil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CloudflareIsEvil</span></a> <a href="https://infosec.exchange/tags/LetsEncrypt" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>LetsEncrypt</span></a> <a href="https://infosec.exchange/tags/Identity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Identity</span></a> <a href="https://infosec.exchange/tags/Authenticity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authenticity</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/Spoofing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Spoofing</span></a> <a href="https://infosec.exchange/tags/CyberCrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CyberCrime</span></a> <a href="https://infosec.exchange/tags/InfoSec" class="mention 
hashtag" rel="nofollow noopener" target="_blank">#<span>InfoSec</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/DVcerts" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>DVcerts</span></a> <a href="https://infosec.exchange/tags/Certificates" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Certificates</span></a> <a href="https://infosec.exchange/tags/ACME" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>ACME</span></a> <a href="https://infosec.exchange/tags/USdependencies" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USdependencies</span></a> <a href="https://infosec.exchange/tags/USdependency" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USdependency</span></a> <a href="https://infosec.exchange/tags/USdependent" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USdependent</span></a> <a href="https://infosec.exchange/tags/USAdependencies" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USAdependencies</span></a> <a href="https://infosec.exchange/tags/USAdependency" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USAdependency</span></a> <a href="https://infosec.exchange/tags/USAdependent" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>USAdependent</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://mastodon.laurenweinstein.org/@lauren" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>lauren</span></a></span> : in 2020 I wrote a "Secure SMS 2FA Proposal" (<a href="https://security.nl/posting/638976" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="">security.nl/posting/638976</span><span class="invisible"></span></a>) - there's English and Dutch text.</p><p>The main idea is for the recipient to modify the received code using a shared secret, before entering it as the second factor.</p><p>Of course weak 2FA (without E2EE channel binding) is not phishing proof, but my proposal should prevent successful SIM-swap attacks (and redirecting calls and messages by manipulating the telco backbone as shown in <a href="https://www.youtube.com/watch?v=wVyu7NB7W6Y" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="">youtube.com/watch?v=wVyu7NB7W6Y</span><span class="invisible"></span></a>).</p><p>I cannot change anything in those postings anymore (and I'm in no way related to security.nl apart from being a regular -unpaid- contributor).</p><p>Feel free to pass this idea to your contacts at Google as an alternative to QR-codes - from which I fail to understand how they'd improve security. In fact, the unprotected channel from the screen with the QR-code to the camera recording it allows for all kinds of (AitM) phishing attacks.</p><p><span class="h-card" translate="no"><a href="https://sfba.social/@not2b" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>not2b</span></a></span> </p><p><a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/NotPhishingResistant" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NotPhishingResistant</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@patrickcmiller" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>patrickcmiller</span></a></span> : oops, from <a href="https://www.csoonline.com/article/3810936/us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">csoonline.com/article/3810936/</span><span class="invisible">us-takes-aim-at-healthcare-cybersecurity-with-proposed-hipaa-changes.html</span></a>:</p><p>"the rollout of multi-factor authentication as a defense against phishing"</p><p>What part of <a href="https://infosec.exchange/tags/Evil" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Evil</span></a> <a href="https://infosec.exchange/tags/Proxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Proxy</span></a> do these people not understand?</p><p><a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EvilProxy</span></a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhaaS</span></a> <a href="https://infosec.exchange/tags/EvilGinx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EvilGinx2</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a 
href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/TwoStepVerification" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TwoStepVerification</span></a> <a href="https://infosec.exchange/tags/FakeWebsite" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>FakeWebsite</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@_r_netsec" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>_r_netsec</span></a></span> : Alex Weinert (Identity Security VP at Microsoft) already knew about this in 2019.</p><p>His recommendation: just keep using Microsoft Authenticator...</p><p><a href="https://infosec.exchange/tags/MicrosoftAuthenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MicrosoftAuthenticator</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Evilginx2</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NumberMatching</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/AuthenticatorApps" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AuthenticatorApps</span></a> <a href="https://infosec.exchange/tags/MissingDomainNameCheck" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MissingDomainNameCheck</span></a> <a href="https://infosec.exchange/tags/WeakAuthentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakAuthentication</span></a> <a href="https://infosec.exchange/tags/Authentication" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Authentication</span></a> <a 
href="https://infosec.exchange/tags/Impersonation" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Impersonation</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@adamshostack" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>adamshostack</span></a></span> : not taking into account that I strongly advise against using weak MFA (because it is not phishing-resistant and comes with a lot of disadvantages "security experts" want nobody to know about):</p><p>yes.</p><p>See <a href="https://www.oasis.security/resources/blog/oasis-security-research-team-discovers-microsoft-azure-mfa-bypass" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">oasis.security/resources/blog/</span><span class="invisible">oasis-security-research-team-discovers-microsoft-azure-mfa-bypass</span></a> (yesterday).<br>Source: <a href="https://infosec.exchange/@AAKL/113634744971043868" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@AAKL/1136347</span><span class="invisible">44971043868</span></a></p><p>In short (if I understand correctly) Microsoft's servers would accept codes in a time window of up to 3 minutes. This enabled the researchers to conduct a brute force attack.</p><p><a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS</span></a> <a href="https://infosec.exchange/tags/Voice" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Voice</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>EvilProxy</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Evilginx2</span></a></p>
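Added example, written for this page; it is not code from the post, from the Oasis write-up or from Microsoft. It shows, on the verifier's side, why the width of the TOTP acceptance window matters: an RFC 6238 verifier that accepts codes from several 30-second steps accepts several distinct codes at once, and without a per-account attempt budget every extra step is one more code a guesser can hit. The secret is the RFC 4226/6238 test key; how "a window of up to 3 minutes" maps onto 30-second steps, and the attempt limit used, are assumptions for the illustration.

```python
"""
Constructed TOTP verifier (RFC 6238, HMAC-SHA1) with an explicit acceptance window
and a per-account attempt budget. Window sizes and limits below are assumptions.
"""
import hashlib
import hmac
import struct
from collections import defaultdict

STEP = 30      # seconds per TOTP step
DIGITS = 6

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890"); not a real key.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP) -> str:
    """TOTP (RFC 6238): HOTP over the number of whole steps since the Unix epoch."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, candidate: str, now: int, window_steps: int,
                step: int = STEP) -> bool:
    """Accept the code if it matches any step in [now - w, now + w].
    Every extra step is another code the server accepts at this moment."""
    current = now // step
    matched = False
    for counter in range(max(0, current - window_steps), current + window_steps + 1):
        # check every step instead of returning on the first hit
        if hmac.compare_digest(hotp(secret, counter), candidate):
            matched = True
    return matched


def guess_success_probability(attempts: int, window_steps: int, digits: int = DIGITS) -> float:
    """Chance that `attempts` uniformly random guesses hit at least one accepted code,
    treating the 2w+1 accepted codes as distinct (a slight over-estimate when they collide).
    This is the number a defender sizes the attempt budget against."""
    per_guess = (2 * window_steps + 1) / 10 ** digits
    return 1 - (1 - per_guess) ** attempts


class Verifier:
    """Server-side verifier with a per-account attempt budget: the control that
    keeps a wide window from becoming a guessable code."""

    def __init__(self, window_steps: int, max_attempts: int):
        self.window_steps = window_steps
        self.max_attempts = max_attempts
        self.attempts = defaultdict(int)

    def check(self, account: str, secret: bytes, candidate: str, now: int) -> bool:
        if self.attempts[account] >= self.max_attempts:
            return False                      # locked: the code is not even evaluated
        self.attempts[account] += 1
        if verify_totp(secret, candidate, now, self.window_steps):
            self.attempts[account] = 0        # a successful login resets the budget
            return True
        return False


if __name__ == "__main__":
    for w in (0, 1, 3):
        print(f"window +/-{w} steps: {2 * w + 1} codes accepted; "
              f"P(hit after 1000 guesses) = {guess_success_probability(1000, w):.4f}")
```

Reading the numbers: with a window of one step there is exactly one valid code per 30 seconds, so the guess budget alone decides the risk; widening the window multiplies the per-guess odds by 2w+1 without changing anything the user sees. The `Verifier` class shows the cheap mitigation: a fixed attempt budget per account, independent of how many IP addresses or sessions the guesses arrive from.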
Erik van Straten<p>From <a href="https://redmondmag.com/Articles/2024/10/22/Microsoft-Tweaks-Authenticator.aspx" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">redmondmag.com/Articles/2024/1</span><span class="invisible">0/22/Microsoft-Tweaks-Authenticator.aspx</span></a>:<br>❞<br>Compliance with the FIPS 140 means organizations that use Authenticator meet the requirements of the Biden administration's Executive Order 14028, which requires government agencies to use phishing-resistant authentications.<br>❝</p><p>That is total nonsense. FIPS 140 is about cryptography, which -definitely in this case- has nothing to do with phishing resistance.</p><p>In fact, the original article (<a href="https://techcommunity.microsoft.com/t5/microsoft-entra-blog/the-latest-enhancements-in-microsoft-authenticator/ba-p/4078807" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">techcommunity.microsoft.com/t5</span><span class="invisible">/microsoft-entra-blog/the-latest-enhancements-in-microsoft-authenticator/ba-p/4078807</span></a>) does not make that mix-up.</p><p>Unless software checks whether https is used and the domain name shown in the browser's address bar is correct, MFA is *not* phishing resistant.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@rogeragrimes" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>rogeragrimes</span></a></span> </p><p><a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/NumberMatching" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>NumberMatching</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/2FA" 
class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/OTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>OTP</span></a> <a href="https://infosec.exchange/tags/MicrosoftAuthenticator" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MicrosoftAuthenticator</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@BradRubenstein" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>BradRubenstein</span></a></span> : that tradeoff probably differs a lot if a user is not aware of the existence of IDNs (International Domain Names using Unicode), doesn't know how to interpret domain names, or doesn't look at them at all.</p><p>Unfortunately Kevin Beaumont apparently blocked me after I wrote this about using a password manager that checks the domain name: <a href="https://infosec.exchange/@ErikvanStraten/113367545890024617" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113367545890024617</span></a></p><p>Of course password managers and/or Autofill could be improved if they'd at least warn if a connection is not using https and/or if the current domain name does not exist in the password database.</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@Lee_Holmes" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>Lee_Holmes</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@adamshostack" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>adamshostack</span></a></span> <span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> </p><p><a href="https://infosec.exchange/tags/CheckDomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CheckDomainName</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://cyberplace.social/@GossiTheDog" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>GossiTheDog</span></a></span> : see the image below: no weak MFA and a lot more secure - provided that you follow up my advice in <a href="https://infosec.exchange/@ErikvanStraten/113277630925350550" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">infosec.exchange/@ErikvanStrat</span><span class="invisible">en/113277630925350550</span></a>.</p><p>Note: TOTP apps *are* a kind of a stupid password manager - one that does *not* check the domain name (as shown in the address bar of the browser). Such an app uses a local database with a unique shared secret per account. Many users have lost access to their accounts because they were unaware of the fact that no backups were made of the database on their devices (e.g. open <a href="https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">play.google.com/store/apps/det</span><span class="invisible">ails?id=com.google.android.apps.authenticator2</span></a>, open "Ratings and reviews", select "1 star" and optionally sort on "Newest" to see comments *after* Google enabled automated backups).</p><p>The above risk is apart from the fact that many TOTP implementations are a privacy nightmare and have extremely insecure implementations *IF* backups are being made.</p><p>From <a href="https://www.usenix.org/conference/usenixsecurity23/presentation/gilsenan" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">usenix.org/conference/usenixse</span><span class="invisible">curity23/presentation/gilsenan</span></a>:<br>❞<br>Security and Privacy Failures in Popular 2FA Apps<br>Authors: 
Conor Gilsenan, UC Berkeley / ICSI; Fuzail Shakir and Noura Alomar, UC Berkeley; Serge Egelman, UC Berkeley / ICSI<br>❝</p><p>Please stop yelling "Just use MFA" without telling about the additional risks of doing that. Or do you want people to use text message-based 2FA?</p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@conorgil" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>conorgil</span></a></span> </p><p><a href="https://infosec.exchange/tags/CheckDomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CheckDomainName</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS</span></a></p>
Erik van Straten<p>Even more secure, use a password manager (*) that recognizes the domain name of the current website, and proposes credentials associated with that domain name (see the screenshot below for Android).</p><p>(*) On Android, iOS and iPadOS helped by the "Autofill" OS functionality.</p><p>In addition:</p><p>• Check by yourself that the connection uses https before you log in.</p><p>• If your password manager does *not* propose credentials for a website that *looks* like the one you have an account on: it probably is a phishing website. Do *not* search the password manager's database, and in any case: do *not* log in (here's why: <a href="https://www.bleepingcomputer.com/news/security/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://www.</span><span class="ellipsis">bleepingcomputer.com/news/secu</span><span class="invisible">rity/new-mamba-2fa-bypass-service-targets-microsoft-365-accounts/</span></a>).</p><p>• Make backups (preferably offline too) of the password manager's database (regularly and/or after each modification).</p><p>• As Ian said, let the password manager generate a long random password for each account.</p><p>Note to <span class="h-card" translate="no"><a href="https://eupolicy.social/@1br0wn" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>1br0wn</span></a></span> <span class="h-card" translate="no"><a href="https://infosec.exchange/@RGB_Lights" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>RGB_Lights</span></a></span> : MFA using SMS is too vulnerable to various attacks, and an authenticator app effectively *is* a password manager - but typically incapable of checking domain names, and possibly with a broken or insecure backup strategy.</p><p><a href="https://infosec.exchange/tags/Passwords" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Passwords</span></a> <a 
href="https://infosec.exchange/tags/PasswordManager" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PasswordManager</span></a> <a href="https://infosec.exchange/tags/Phishing" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Phishing</span></a> <a href="https://infosec.exchange/tags/CheckDomainName" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>CheckDomainName</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a></p>
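<p>The domain-bound lookup that the post above relies on, as an added example (not code from any real password manager or from the post's author): credentials are stored under the registrable domain they were saved for and are proposed only when the current page is https and its registrable domain matches exactly. The tiny public-suffix set, the <code>Vault</code> class and the sample URLs are constructed for the demonstration.</p>

```python
"""Domain-bound credential lookup modelled on the behaviour described in the post.
Added example; the suffix set, Vault class and sample data are constructed."""
from __future__ import annotations
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "nl", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname ('login.microsoft.com' -> 'microsoft.com').

    The host is lower-cased and IDNA-encoded first, so a Unicode look-alike such
    as 'micr\u03bfsoft.com' (Greek omicron) becomes an 'xn--' label and can never
    compare equal to the ASCII 'microsoft.com' entry in the vault.
    """
    host = host.rstrip(".").lower().encode("idna").decode("ascii")
    labels = host.split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host


class Vault:
    """Credentials keyed on the registrable domain they were saved for."""

    def __init__(self) -> None:
        self._entries: dict[str, list[tuple[str, str]]] = {}

    def save(self, site_url: str, username: str, password: str) -> None:
        key = registrable_domain(urlsplit(site_url).hostname or "")
        self._entries.setdefault(key, []).append((username, password))

    def credentials_for(self, current_url: str) -> list[tuple[str, str]]:
        """Propose credentials only for an https page whose registrable domain
        exactly matches a saved entry. An empty list is the 'no match' signal the
        post describes: the page is probably phishing, so nothing is offered."""
        parts = urlsplit(current_url)
        if parts.scheme != "https" or not parts.hostname:
            return []
        return list(self._entries.get(registrable_domain(parts.hostname), []))
```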
Erik van Straten<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@macleod" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>macleod</span></a></span> wrote: "First login code, second login code."</p><p>Entered on the same fake website means game over.</p><p>It may make that more obvious.</p><p><a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a></p>
Erik van Straten<p><span class="h-card" translate="no"><a href="https://xn--8r9a.com/@north" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>north</span></a></span> : SMS *is* 2FA, albeit weak.</p><p>The problem with "something you know, are, or have" is that users are never told that it is essential that each factor used cannot be easily copied, stolen, guessed etc. or temporarily fall into the wrong hands (literally in this case).</p><p>Another problem is that if you lose a factor, you may no longer have access to your account.</p><p>So each factor must be strong, carefully kept secret and needs to be backed up. These are extreme requirements that nobody wants (you) to understand.</p><p>P.S. Both iPhones and Android phones can be configured to *not* show SMS texts (and most other possibly confidential information) on their screen when locked.</p><p>P.P.S. Unlocked phones are vulnerable to Time Traveler TOTP attacks. An attacker with temporary access to an unlocked phone may change the system date/time to the future, read a TOTP code for a website, and restore correct system time. When the future arrives they can use your TOTP code at their leisure on their own device to log in to your account, and reuse it (within 30 sec.) if required to pwn your account.</p><p>P.P.P.S. 
Weak 2FA/MFA does not prevent AitM (Attacker in the Middle) phishing attacks if the AitM uses Evilginx2 or some other "evil proxy" website.</p><p>2019 "MFA had failed" (by Alex Weinert, Director of Identity Security at Microsoft) <a href="https://techcommunity.microsoft.com/t5/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124" rel="nofollow noopener" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">techcommunity.microsoft.com/t5</span><span class="invisible">/microsoft-entra-azure-ad-blog/all-your-creds-are-belong-to-us/ba-p/855124</span></a></p><p><span class="h-card" translate="no"><a href="https://infosec.exchange/@acut3hack" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>acut3hack</span></a></span> </p><p><a href="https://infosec.exchange/tags/2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>2FA</span></a> <a href="https://infosec.exchange/tags/MFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MFA</span></a> <a href="https://infosec.exchange/tags/SMS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>SMS</span></a> <a href="https://infosec.exchange/tags/TOTP" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TOTP</span></a> <a href="https://infosec.exchange/tags/WeakMFA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>WeakMFA</span></a> <a href="https://infosec.exchange/tags/Weak2FA" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Weak2FA</span></a> <a href="https://infosec.exchange/tags/AitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>AitM</span></a> <a href="https://infosec.exchange/tags/MitM" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>MitM</span></a> <a href="https://infosec.exchange/tags/EvilProxy" class="mention hashtag" rel="nofollow noopener" 
target="_blank">#<span>EvilProxy</span></a> <a href="https://infosec.exchange/tags/Evilginx2" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>Evilginx2</span></a> <a href="https://infosec.exchange/tags/TimeTravelerAttacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TimeTravelerAttacks</span></a> <a href="https://infosec.exchange/tags/TimeTravelAttacks" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>TimeTravelAttacks</span></a> <a href="https://infosec.exchange/tags/PhaaS" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>PhaaS</span></a></p>
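<p>Why the "Time Traveler" scenario in the post above works, and what a server can and cannot do about it, as an added example (RFC 6238 TOTP written for this page, not code from any real authenticator or from the post's author): a TOTP code depends only on the shared secret and the 30-second time step, so a code read for a future step is accepted once that step arrives; the only server-side defence shown here is RFC 6238's recommendation to accept each time step at most once, which blocks reuse of the same code within its window. The shared secret and timestamps are constructed for the demonstration.</p>

```python
"""RFC 6238 TOTP with server-side one-use-per-step verification.
Added example; the secret and timestamps below are constructed."""
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step
DIGITS = 6


def totp(secret: bytes, unix_time: int) -> str:
    """Code for the 30 s step containing unix_time (HMAC-SHA1 per RFC 6238)."""
    counter = unix_time // STEP
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Server-side check: a time step is accepted at most once (RFC 6238 5.2),
    so the same code cannot be replayed inside its 30 s window. It cannot tell
    a code computed earlier for this step from one computed now, which is
    exactly why the future-dated code from the post is still accepted once."""

    def __init__(self, secret: bytes, skew_steps: int = 1) -> None:
        self._secret = secret
        self._skew = skew_steps          # tolerate +/- one step of clock drift
        self._last_accepted_counter = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // STEP
        for counter in range(current - self._skew, current + self._skew + 1):
            if counter <= self._last_accepted_counter:
                continue                 # step already used: reject replay
            if hmac.compare_digest(totp(self._secret, counter * STEP), code):
                self._last_accepted_counter = counter
                return True
        return False
```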