Security News

Well-designed MFA methods continue to have a place in an organization's security ecosystem, and MFA is required to comply with many global regulations such as HIPPA, Payment Card Industry Data Security Standards, the Cybersecurity and Infrastructure Security Agency, GDPR, and the EU's Payment Services Directive 2. Organizations need protections that go beyond MFA. But MFA controls also generate considerable friction, causing customer frustration and negatively impacting business revenue.

Google says it has fixed a flaw that allowed a scammer to impersonate delivery service UPS on Gmail, after the data-hoarding web behemoth labeled the phony email as authentic. The problem stemmed from an issue in an email authentication program called Brand Indicators for Message Identification that aims to protect email users from brand spoofing and phishing attacks claiming to be from a trusted org.

The Python Package Index announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication by the end of the year. "Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said.

The report revealed a significant increase in MFA deployment for customers, which jumped to 57% from 45%. "Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we're seeing they're still using them as primary tools of defense," said Ronnie Manning, CMO, Yubico. "Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world," Manning continued.

As user credentials continue to be a top vector for cyberattacks, organizations are under tremendous pressure to rethink the effectiveness of current authentication initiatives, according to SecureAuth. "Although companies are offering more ways to authenticate such as legacy MFA solutions, these technologies are still easily exploitable with 'MFA bombing', 'man-in-the-middle', and other attacks. SecureAuth's State of Authentication Report further validates that it is time for organizations to move beyond legacy forms of MFAs and onto passwordless technologies," Shikiar added.

Not only are there ways around biometric authentication, but not all biometric methods are created equal. For optimal security it would be ideal for biometric systems to require a live biometric to be presented at each access point.

Insecure authentication is a primary cause of cyber breaches, and that cumbersome login methods take an unacceptable toll on employees and business productivity, according to HYPR. Respondents indicate that a passwordless approach would increase productivity, improve user experience, strengthen security and accelerate adoption of multi-factor authentication. Despite these tremendous costs, an astounding 58% of organizations said they kept the same insecure authentication methods after facing a breach.

Firstly, traditional password-based authentication methods are no longer sufficient to protect against increasingly sophisticated cyber threats. In the Owner Scenario, when a user reaches a specific resource or wants to perform a specific action in the protected application, Secfense will prompt the user to re-authenticate with the chosen authentication method.

GitHub is now prompting developers and administrators who use the site to secure their accounts with two-factor authentication. The move toward two-factor authentication for all such users officially started on March 13 and will be a requirement by the end of 2023, GitHub said in a recent blog post.

Different 2FA choices, but biometrics and passkeys trump SMS. GitHub is also offering a preferred 2FA option for account login with a sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. In a move toward closing loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.