Security News

Microsoft sets multi-factor authentication as default for all Azure AD customers. In a new blog post, the company revealed that it's adding multi-factor authentication as the default security setting for existing Azure customers who haven't changed that setting on their own.

A new possession-factor API now aims to do precisely that, replacing knowledge-based credentials, by using the SIM card for possession factor device binding and user authentication, thus reducing the possibility of phishing. It's inside everyone's mobile phone, and is built on cryptographic security when connecting to mobile network authentication.

Two of the big-news vulnerabilities in this month's Patch Tuesday updates from Microsoft were CVE-2022-26923 and CVE-2022-26931, which affected the safety of authentication in Windows. Ironically, the CVE-2022-26923 and CVE-2022-26931 bugs only seem to apply if you're using digital certificates for added authentication security.

Microsoft has released an out-of-band patch to deal with an authentication issue that was introduced in the May 10 Windows update. Multiple administrators complained last week that after installing the May 10 patch, they experienced authentication failures across several systems.

Microsoft has released emergency out-of-band updates to address Active Directory authentication issues after installing Windows Updates issued during the May 2022 Patch Tuesday on domain controllers. "After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server, Routing and Remote access Service, Radius, Extensible Authentication Protocol, and Protected Extensible Authentication Protocol," Microsoft explained.

Microsoft is alerting customers that its May Patch Tuesday update is causing authentications errors and failures tied to Windows Active Directory Domain Services. "After installing updates released May 10, 2022 on your domain controllers, you might see authentication failures on the server or client for services such as Network Policy Server, Routing and Remote access Service, Radius, Extensible Authentication Protocol, and Protected Extensible Authentication Protocol," Microsoft reported.

Microsoft is investigating a known issue causing authentication failures for some Windows services after installing updates released during the May 2022 Patch Tuesday. Microsoft says the known issue is only triggered after installing the updates on servers used as domain controllers.

Yahoo Japan has revealed that it plans to go passwordless, and that 30 million of its 50 million monthly active users have already stopped using passwords in favor of a combination of FIDO and TXT messages. A case study penned by staff from Yahoo Japan and Google's developer team, explains that the company started work on passwordless initiatives in 2015 but now plans to go all-in because half of its users employ the same password on six or more sites.

"This will simplify sign-ins across devices, websites, and applications no matter the platform - without the need for a single password," Google said.The new Fast IDentity Online sign-in system does away with passwords entirely in favor of displaying a prompt asking a user to unlock the phone when signing into a website or an application.

GitHub has announced that it will require two factor authentication for users who contribute code on its service. "The software supply chain starts with the developer," wrote GitHub chief security officer Mike Hanley on the company blog.