<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>two-factor authentication &#8211; Noise</title>
	<atom:link href="https://noise.getoto.net/tag/two-factor-authentication/feed/" rel="self" type="application/rss+xml" />
	<link>https://noise.getoto.net</link>
	<description>The collective thoughts of the interwebz</description>
	<lastBuildDate>Thu, 31 Oct 2024 15:43:16 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>Roger Grimes on Prioritizing Cybersecurity Advice</title>
		<link>https://noise.getoto.net/2024/10/31/roger-grimes-on-prioritizing-cybersecurity-advice/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 31 Oct 2024 15:43:16 +0000</pubDate>
				<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=69545</guid>

					<description><![CDATA[<p>This is a <a href="https://www.linkedin.com/pulse/every-cybersecurity-list-should-risk-ranked-roger-grimes-ippze">good point</a>:</p>
<blockquote><p>Part of the problem is that we are constantly handed lists…list of required controls…list of things we are being asked to fix or improve…lists of new projects…lists of threats, and so on, that are not ranked for risks. For example, we are often given a cybersecurity guideline (e.g., PCI-DSS, HIPAA, SOX, NIST, etc.) with hundreds of recommendations. They are all great recommendations, which if followed, will reduce risk in your environment.</p>
<p>What they do not tell you is which of the recommended things will have the most impact on best reducing risk in your environment. They do not tell you that one, two or three of these things…among the hundreds that have been given to you, will reduce more risk than all the others...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Failures in Twitter’s Two-Factor Authentication System</title>
		<link>https://noise.getoto.net/2022/11/17/failures-in-twitters-two-factor-authentication-system/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 17 Nov 2022 10:53:50 +0000</pubDate>
				<category><![CDATA[authentication]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[sms]]></category>
		<category><![CDATA[twitter]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[vulnerabilities]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=66166</guid>

					<description><![CDATA[<p>Twitter is having <a href="https://www.wired.com/story/twitter-two-factor-sms-problems/">intermittent problems</a> with its two-factor authentication system:</p>
<blockquote><p>Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. But users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all. The meltdown comes less than two weeks after Twitter <a href="https://www.wired.com/story/musk-layoffs-twitter-management/">laid off about half of its workers...</a></p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Defeating Phishing-Resistant Multifactor Authentication</title>
		<link>https://noise.getoto.net/2022/11/09/defeating-phishing-resistant-multifactor-authentication/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Wed, 09 Nov 2022 12:18:58 +0000</pubDate>
				<category><![CDATA[authentication]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=66049</guid>

					<description><![CDATA[CISA is now pushing phishing-resistant multifactor authentication.
Roger Grimes has an excellent post reminding everyone that &#8220;phishing-resistant&#8221; is not &#8220;phishing proof,&#8221; and that everyone needs to stop pretending otherwise. Hi...]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Credit Card Fraud That Bypasses 2FA</title>
		<link>https://noise.getoto.net/2022/09/20/credit-card-fraud-that-bypasses-2fa/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Tue, 20 Sep 2022 11:29:41 +0000</pubDate>
				<category><![CDATA[banking]]></category>
		<category><![CDATA[credit cards]]></category>
		<category><![CDATA[fraud]]></category>
		<category><![CDATA[smartphones]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=65889</guid>

					<description><![CDATA[<p>Someone in the UK is stealing <a href="https://www.bbc.com/news/uk-england-london-62809151">smartphones and credit cards</a> from people who have stored them in gym lockers, and is using the two items in combination to commit fraud:</p>
<blockquote><p>Phones, of course, can be made inaccessible with the use of passwords and face or fingerprint unlocking. And bank cards can be stopped.</p>
<p>But the thief has a method which circumnavigates those basic safety protocols.</p>
<p>Once they have the phone and the card, they register the card on the relevant bank’s app on their own phone or computer. Since it is the first time that card will have been used on the new device, a one-off security passcode is demanded...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Man-in-the-Middle Phishing Attack</title>
		<link>https://noise.getoto.net/2022/08/25/man-in-the-middle-phishing-attack/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 25 Aug 2022 11:45:17 +0000</pubDate>
				<category><![CDATA[authentication]]></category>
		<category><![CDATA[man-in-the-middle attacks]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[scams]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=65804</guid>

					<description><![CDATA[<p>Here’s a <a href="https://arstechnica.com/information-technology/2022/07/microsoft-details-phishing-campaign-that-can-hijack-mfa-protected-accounts/">phishing campaign</a> that uses a man-in-the-middle attack to defeat multi-factor authentication:</p>
<blockquote><p>Microsoft observed a campaign that inserted an attacker-controlled proxy site between the account users and the work server they attempted to log into. When the user entered a password into the proxy site, the proxy site sent it to the real server and then relayed the real server’s response back to the user. Once the authentication was completed, the threat actor stole the session cookie the legitimate site sent, so the user doesn’t need to be reauthenticated at every new page visited. The campaign began with a phishing email with an HTML attachment leading to the proxy server...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Expanded eligibility for the free MFA security key program</title>
		<link>https://noise.getoto.net/2022/08/24/expanded-eligibility-for-the-free-mfa-security-key-program/</link>
		
		<dc:creator><![CDATA[CJ Moses]]></dc:creator>
		<pubDate>Wed, 24 Aug 2022 15:05:01 +0000</pubDate>
				<category><![CDATA[announcements]]></category>
		<category><![CDATA[authentication]]></category>
		<category><![CDATA[AWS Identity]]></category>
		<category><![CDATA[free security keys]]></category>
		<category><![CDATA[MFA security keys]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[Security Blog]]></category>
		<category><![CDATA[Security, Identity & Compliance]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<guid isPermaLink="false">http://noise.getoto.net/?guid=43f94ce1ed1897caf7fe1c40447e48b8</guid>

					<description><![CDATA[Since the broad launch of our multi-factor authentication (MFA) security key program, customers have been enthusiastic about the program and how they will use it to improve their organizations’ security posture. Given the level of interest, we’re expanding eligibility for the program to allow more US-based AWS account root users and payer accounts to take […]]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>When Security Locks You Out of Everything</title>
		<link>https://noise.getoto.net/2022/06/28/when-security-locks-you-out-of-everything/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Tue, 28 Jun 2022 11:22:17 +0000</pubDate>
				<category><![CDATA[authentication]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=65591</guid>

					<description><![CDATA[<p><a href="https://shkspr.mobi/blog/2022/06/ive-locked-myself-out-of-my-digital-life/">Thought experiment story</a> of someone who lost everything in a house fire, and now can’t log into anything:</p>
<blockquote><p>But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in—you guessed it—my Password Manager.</p>
<p>I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.</p></blockquote>
<p>It’s a one-in-a-million story, and one that’s hard to take into account in system design.</p>
<blockquote><p>This is where we reach the limits of the “Code Is Law” movement...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Bypassing Two-Factor Authentication</title>
		<link>https://noise.getoto.net/2022/04/01/bypassing-two-factor-authentication/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Fri, 01 Apr 2022 11:12:27 +0000</pubDate>
				<category><![CDATA[computer security]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=65282</guid>

					<description><![CDATA[<p>These techniques are not new, but they’re <a href="https://arstechnica.com/information-technology/2022/03/lapsus-and-solar-winds-hackers-both-use-the-same-old-trick-to-bypass-mfa/">increasingly popular</a>:</p>
<blockquote><p>…some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.</p>
<p>[…]</p>
<p>Methods include:</p>
<ul>
<li>Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
...</li></ul></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Problems with Multifactor Authentication</title>
		<link>https://noise.getoto.net/2021/10/21/problems-with-multifactor-authentication/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Thu, 21 Oct 2021 11:25:59 +0000</pubDate>
				<category><![CDATA[authentication]]></category>
		<category><![CDATA[Phishing]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[Social Engineering]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=63799</guid>

					<description><![CDATA[<p>Roger Grimes on why multifactor authentication <a href="https://www.linkedin.com/pulse/why-majority-our-mfa-so-phishable-roger-grimes">isn’t a panacea</a>:</p>
<blockquote><p>The first time I heard of this issue was from a Midwest CEO. His organization had been hit by ransomware to the tune of $10M. Operationally, they were still recovering nearly a year later. And, embarrassingly, it was his most trusted VP who let the attackers in. It turns out that the VP had approved over 10 different push-based messages for logins that he was not involved in. When the VP was asked why he approved logins for logins he was not actually doing, his response was, “They (IT) told me that I needed to click on Approve when the message appeared!”...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>Cloning Google Titan 2FA keys</title>
		<link>https://noise.getoto.net/2021/01/12/cloning-google-titan-2fa-keys/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Tue, 12 Jan 2021 12:16:55 +0000</pubDate>
				<category><![CDATA[cloning]]></category>
		<category><![CDATA[Cryptography]]></category>
		<category><![CDATA[google]]></category>
		<category><![CDATA[hardware]]></category>
		<category><![CDATA[side-channel attacks]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60729</guid>

					<description><![CDATA[<p>This is a <a href="https://arstechnica.com/information-technology/2021/01/hackers-can-clone-google-titan-2fa-keys-using-a-side-channel-in-nxp-chips/">clever</a> side-channel attack:</p>
<blockquote><p>The cloning works by using a hot air gun and a scalpel to remove the plastic key casing and expose the NXP <a href="https://media.digikey.com/pdf/Data%20Sheets/NXP%20PDFs/A700x_Rev3.1.pdf">A700X chip</a>, which acts as a secure element that stores the cryptographic secrets. Next, an attacker connects the chip to hardware and software that take measurements as the key is being used to authenticate on an existing account. Once the measurement-taking is finished, the attacker seals the chip in a new casing and returns it to the victim.</p>
<p>Extracting and later resealing the chip takes about four hours. It takes another six hours to take measurements for each account the attacker wants to hack. In other words, the process would take 10 hours to clone the key for a single account, 16 hours to clone a key for two accounts, and 22 hours for three accounts...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
		<item>
		<title>How the SolarWinds Hackers Bypassed Duo&#8217;s Multi-Factor Authentication</title>
		<link>https://noise.getoto.net/2020/12/15/how-the-solarwinds-hackers-bypassed-duos-multi-factor-authentication/</link>
		
		<dc:creator><![CDATA[Bruce Schneier]]></dc:creator>
		<pubDate>Tue, 15 Dec 2020 20:13:01 +0000</pubDate>
				<category><![CDATA[authentication]]></category>
		<category><![CDATA[breaches]]></category>
		<category><![CDATA[Network security]]></category>
		<category><![CDATA[two-factor authentication]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<guid isPermaLink="false">https://www.schneier.com/?p=60605</guid>

					<description><![CDATA[<p>This is <a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/">interesting</a>:</p>
<blockquote><p>Toward the end of the second incident that Volexity worked involving Dark Halo, the actor was observed accessing the e-mail account of a user via OWA. This was unexpected for a few reasons, not least of which was the targeted mailbox was protected by MFA. Logs from the Exchange server showed that the attacker provided username and password authentication like normal but were not challenged for a second factor through Duo. The logs from the Duo authentication server further showed that no attempts had been made to log into the account in question. Volexity was able to confirm that session hijacking was not involved and, through a memory dump of the OWA server, could also confirm that the attacker had presented cookie tied to a Duo MFA session named ...</p></blockquote>]]></description>
		
		
		<enclosure url="" length="0" type="" />

			</item>
	</channel>
</rss>

<!--
Performance optimized by W3 Total Cache. Learn more: https://www.boldgrid.com/w3-total-cache/

Object Caching 38/203 objects using Memcached
Page Caching using Disk: Enhanced 
Lazy Loading (feed)
Database Caching using Memcached

Served from: noise.getoto.net @ 2025-12-10 15:15:55 by W3 Total Cache
-->