Security News
Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages. A case study penned by staff from Yahoo Japan and Google's developer team, explains that the company started work on passwordless initiatives in 2015 but now plans to go all-in because half of its users employ the same password on six or more sites.
"This will simplify sign-ins across devices, websites, and applications no matter the platform - without the need for a single password," Google said.The new Fast IDentity Online sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing into a website or an application.
GitHub has announced that it will require two factor authentication for users who contribute code on its service. "The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog.
Atlassian has published a security advisory warning of a critical vulnerability in its Jira software that could be abused by a remote, unauthenticated attacker to circumvent authentication protections. Tracked as CVE-2022-0540, the flaw is rated 9.9 out of 10 on the CVSS scoring system and resides in Jira's authentication framework, Jira Seraph.
Atlassian has published a security advisory to alert that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company's web application security framework.Seraph is used in Jira and Confluence for handling all login and logout requests via a system of pluggable core elements.
Some forms of MFA are stronger than others, and recent events show that these weaker forms aren't much of a hurdle for some hackers to clear. Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
New iShield FIDO2 USB-A / NFC security key protects access to applications and online services. With iShield FIDO2, the industrial storage and security products specialist Swissbit now introduces its first authenticator for the FIDO2 open authentication standard.
Okta is a large company that provides authentication services for companies like FedEx and Moody's to enable access to their networks. Those support engineers have limited access to data.
The Lapsus$ extortion crew has turned its attention to identity platform Okta and published screenshots purportedly showing the group gaining access to the company's internals. Oliver Pinson-Roxburgh, CEO of security outfit Bulletproof, warned: "As the gatekeeper to the networks and data of thousands of organizations, a breach at Okta would have significant consequences."
Microsoft and authentication services provider Okta said they are investigating claims of a potential breach alleged by the LAPSUS$ extortionist gang. The leaked 37GB archive shows that the group may have accessed the repositories related to Microsoft's Bing, Bing Maps, and Cortana, with the images highlighting Okta's Atlassian suite and in-house Slack channels.