Multifactor Authentication (MFA)
Why MFA
- All your creds are belong to us! Analysis of MFA impact on password attacks by Microsoft Threat Intelligence.
- It's Time to Hang Up on Phone Transports for Authentication. Microsoft Threat Intelligence advice: use MFA, but not over phone transports (SMS and voice calls).
- Account takeover prevention rate by challenge type. A slide summarizing the (estimated) effectiveness of various MFA techniques (challenge types) as a function of the attack type (automated bot, bulk phishing, targeted). It shows that security keys are "perfect" even against targeted attacks, i.e., the most sophisticated ones.
Notable incidents mostly due to lack of MFA
MFA attacks
Always keep in mind that everything except security keys (FIDO2/WebAuthn) can be phished, for example with adversary-in-the-middle reverse proxies such as Evilginx.
- The Rise of One-Time Password Interception Bots
- SIM Swap at Krebs on Security
- Real-World SS7 Attack — Hackers Are Stealing Money From Bank Accounts. SMS redirection in the phone network (SS7 vulnerability).
- Lapsus$ and SolarWinds hackers both use the same old trick to bypass MFA. The trick is "MFA bombing": flooding the user with push prompts until one is approved.
- 3 Examples of Typical Smishing and Vishing Attacks in 2022
Misuse of phone number
- FTC fines Twitter $150M for using 2FA info for targeted advertising
Passwordless
- Passwordless login with passkeys at Google. Less technical description: So long passwords, thanks for all the phish. User experience: Sign in with a passkey instead of a password.
- Google passkeys are a no-brainer. You’ve turned them on, right?
- Passwordless authentication options for Azure Active Directory. Microsoft scenario (very complex, as always).
- Passkeys vs Security Keys. FAQ by Yubico, manufacturer of security keys.
- Passkeys.dev. Description of passkey support across browsers and operating systems.