Security News
The Python Package Index announced last week that every account that maintains a project on the official third-party software repository will be required to turn on two-factor authentication by the end of the year. "Between now and the end of the year, PyPI will begin gating access to certain site functionality based on 2FA usage," PyPI administrator Donald Stufft said.
The report revealed a significant increase in MFA deployment for customers, which jumped to 57% from 45%. "Not all MFA is equal, and even though businesses know legacy MFA tools are not effective to stay secure, we're seeing they're still using them as primary tools of defense," said Ronnie Manning, CMO, Yubico. "Now more than ever, education around the importance of phishing-resistant MFA is critical to officially move away from legacy MFA tools that are leaving thousands of businesses exposed to cyberattacks around the world," Manning continued.
As user credentials continue to be a top vector for cyberattacks, organizations are under tremendous pressure to rethink the effectiveness of current authentication initiatives, according to SecureAuth. "Although companies are offering more ways to authenticate such as legacy MFA solutions, these technologies are still easily exploitable with 'MFA bombing', 'man-in-the-middle', and other attacks. SecureAuth's State of Authentication Report further validates that it is time for organizations to move beyond legacy forms of MFAs and onto passwordless technologies," Shikiar added.
Not only are there ways around biometric authentication, but not all biometric methods are created equal. For optimal security it would be ideal for biometric systems to require a live biometric to be presented at each access point.
Insecure authentication is a primary cause of cyber breaches, and that cumbersome login methods take an unacceptable toll on employees and business productivity, according to HYPR. Respondents indicate that a passwordless approach would increase productivity, improve user experience, strengthen security and accelerate adoption of multi-factor authentication. Despite these tremendous costs, an astounding 58% of organizations said they kept the same insecure authentication methods after facing a breach.
Firstly, traditional password-based authentication methods are no longer sufficient to protect against increasingly sophisticated cyber threats. In the Owner Scenario, when a user reaches a specific resource or wants to perform a specific action in the protected application, Secfense will prompt the user to re-authenticate with the chosen authentication method.
GitHub is now prompting developers and administrators who use the site to secure their accounts with two-factor authentication. The move toward two-factor authentication for all such users officially started on March 13 and will be a requirement by the end of 2023, GitHub said in a recent blog post.
Different 2FA choices, but biometrics and passkeys trump SMS. GitHub is also offering a preferred 2FA option for account login with a sudo prompt, allowing users to choose between time-based one-time passwords, SMS, security keys or GitHub Mobile. In a move toward closing loopholes to combat threat actors, GitHub expanded its secret scanning program last fall, allowing developers to track any publicly exposed secrets in their public GitHub repository.
Starting March 13, GitHub will gradually introduce the 2FA enrollment requirement to groups of developers and administrators, beginning with smaller groups. In case your account is selected for enrollment, you will receive a notification via email and see a banner on GitHub.com requesting you to enroll in 2FA. You will have a 45-day window to configure 2FA on your account, and before that date, you can continue to use GitHub as usual except for the occasional reminders.
A reporter used an AI synthesis of his own voice to fool the voice authentication system for Lloyd’s Bank.