Security News

GitHub rolling out two-factor authentication to millions of users
2023-03-10 01:47

Different 2FA choices, but biometrics and passkeys trump SMS. GitHub is also offering a preferred 2FA option for account login with a sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. In a move toward closing loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.

GitHub to introduce mandatory 2FA authentication starting March 13
2023-03-09 17:01

Starting March 13, GitHub will gradually introduce the 2FA enrollment requirement to groups of developers and administrators, beginning with smaller groups. In case your account is selected for enrollment, you will receive a notification via email and see a banner on GitHub.com requesting you to enroll in 2FA. You will have a 45-day window to configure 2FA on your account, and before that date, you can continue to use GitHub as usual except for the occasional reminders.

Fooling a Voice Authentication System with an AI-Generated Voice
2023-03-01 12:06

A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.

Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only
2023-02-18 11:10

Twitter has announced that it's limiting the use of SMS-based two-factor authentication to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors," the company said.

Microsoft locks door to default guest authentication in Windows Pro
2023-01-17 17:01

Microsoft wants to bulk up the security in Windows Pro editions by ensuring the SMB insecure guest authentication fallbacks are no longer the default setting in the operating system. The move, which is included in the Windows 11 Insider Preview Build 25276 released this month, means that systems with Windows 10 version 1709 or later and Windows Server 2019, SMB2, and SMB3 will no longer allow by default guest account access to a remote server or for those who provide invalid credentials to fall back to the guest account.

A Secure User Authentication Method – Planning is More Important than Ever
2023-01-16 12:22

With many users and a seemingly robust authentication system, organizations used Twitter as a primary or secondary authentication service. Instead, proactive planning is essential if an organization needs to maintain stability and security with its authentication platforms.

Passkeys, going passwordless, and the future of authentication
2023-01-16 07:22

There are a variety of roadblocks associated with moving to passwordless authentication. End users push back when you ask them to abandon the familiar password-based login page, while app owners resist changing their apps to support passwordless flows.

Why FIDO and passwordless authentication is the future
2023-01-09 05:00

In this Help Net Security video, Jason Kent, Director at Open Seas, explains why FIDO and passwordless authentication is the future. He dives deep into the technical reasons and explains why physical FIDO authentication is safer than other software/app/SMS solutions.

Ghost CMS vulnerable to critical authentication bypass flaw
2022-12-23 08:12

A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript. [...]

Microsoft's attempts to harden Kerberos authentication broke it on Windows Servers
2022-11-21 23:00

Microsoft is rolling out fixes for problems with the Kerberos network authentication protocol on Windows Server after it was broken by November Patch Tuesday updates. As we reported last week, updates released November 8 or later that were installed on Windows Server with the Domain Controller duties of managing network and identity security requests disrupted Kerberos authentication capabilities, ranging from failures in domain user sign-ins and Group Managed Service Accounts authentication to remote desktop connections not connecting.