Security News

Starting March 13, GitHub will gradually introduce the 2FA enrollment requirement to groups of developers and administrators, beginning with smaller groups. In case your account is selected for enrollment, you will receive a notification via email and see a banner on GitHub.com requesting you to enroll in 2FA. You will have a 45-day window to configure 2FA on your account, and before that date, you can continue to use GitHub as usual except for the occasional reminders.

A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.

Twitter has announced that it's limiting the use of SMS-based two-factor authentication to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors," the company said.

Microsoft wants to bulk up the security in Windows Pro editions by ensuring the SMB insecure guest authentication fallbacks are no longer the default setting in the operating system. The move, which is included in the Windows 11 Insider Preview Build 25276 released this month, means that systems with Windows 10 version 1709 or later and Windows Server 2019, SMB2, and SMB3 will no longer allow by default guest account access to a remote server or for those who provide invalid credentials to fall back to the guest account.

With many users and a seemingly robust authentication system, organizations used Twitter as a primary or secondary authentication service. Instead, proactive planning is essential if an organization needs to maintain stability and security with its authentication platforms.

There are a variety of roadblocks associated with moving to passwordless authentication. End users push back when you ask them to abandon the familiar password-based login page, while app owners resist changing them to support passwordless flows.

In this Help Net Security video, Jason Kent, Director at Open Seas, explains why FIDO and passwordless authentication is the future. He dives deep into the technical reasons and explains why physical FIDO authentication is safer than other software/app/SMS solutions.

A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript. [...]

Microsoft is rolling out fixes for problems with the Kerberos network authentication protocol on Windows Server after it was broken by November Patch Tuesday updates. As we reported last week, updates released November 8 or later that were installed on Windows Server with the Domain Controller duties of managing network and identity security requests disrupted Kerberos authentication capabilities, ranging from failures in domain user sign-ins and Group Managed Service Accounts authentication to remote desktop connections not connecting.

Not all users are having problems receiving SMS authentication codes, and those who rely on an authenticator app or physical authentication token to secure their Twitter account may not have reason to test the mechanism. Users have been self-reporting issues on Twitter since the weekend, and WIRED confirmed that on at least some accounts, authentication texts are hours delayed or not coming at all.