Security News

GitHub is now prompting developers and administrators who use the site to secure their accounts with two-factor authentication. The move toward two-factor authentication for all such users officially started on March 13 and will be a requirement by the end of 2023, GitHub said in a recent blog post.

Different 2FA choices, but biometrics and passkeys trump SMS. GitHub is also offering a preferred 2FA option for account login with a sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. In a move toward closing loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.

Starting March 13, GitHub will gradually introduce the 2FA enrollment requirement to groups of developers and administrators, beginning with smaller groups. In case your account is selected for enrollment, you will receive a notification via email and see a banner on GitHub.com requesting you to enroll in 2FA. You will have a 45-day window to configure 2FA on your account, and before that date, you can continue to use GitHub as usual except for the occasional reminders.

A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.

Twitter has announced that it's limiting the use of SMS-based two-factor authentication to its Blue subscribers. "While historically a popular form of 2FA, unfortunately we have seen phone-number based 2FA be used - and abused - by bad actors," the company said.

Microsoft wants to bulk up the security in Windows Pro editions by ensuring the SMB insecure guest authentication fallbacks are no longer the default setting in the operating system. The move, which is included in the Windows 11 Insider Preview Build 25276 released this month, means that systems with Windows 10 version 1709 or later and Windows Server 2019, SMB2, and SMB3 will no longer allow by default guest account access to a remote server or for those who provide invalid credentials to fall back to the guest account.

With many users and a seemingly robust authentication system, organizations used Twitter as a primary or secondary authentication service. Instead, proactive planning is essential if an organization needs to maintain stability and security with its authentication platforms.

There are a variety of roadblocks associated with moving to passwordless authentication. End users push back when you ask them to abandon the familiar password-based login page, while app owners resist changing them to support passwordless flows.

In this Help Net Security video, Jason Kent, Director at Open Seas, explains why FIDO and passwordless authentication is the future. He dives deep into the technical reasons and explains why physical FIDO authentication is safer than other software/app/SMS solutions.

A critical vulnerability in the Ghost CMS newsletter subscription system could allow external users to create newsletters or modify existing ones so that they contain malicious JavaScript. [...]