Articles tagged with: #2fa

Password + authenticator vs passwordless

cybersecurity www.reddit.com

Going through Entra ID training modules. It has phone sign-in, Windows Hello, FIDO2 security key, and certificates as more secure. Can someone explain why that is? 2FA has been the standard for years. I'm aware SMS can be compromised, is this now the case for authenticator apps as a whole as well? What makes the above listed different? submitted by /u/PaulTheMerc

Solutions for solo consultant?

cybersecurity www.reddit.com

Hey there - I'm a consultant working outside of cyber. I'm wondering what the best cyber solution is for little ol' me? Should I go the consumer route with Norton Deluxe or is it worth going for something like Crowdstrike Falcon? I'd like an all in one if at all possible. I'm using a password manager and 2FA etc. but I work across clients and platforms. I'm on everything, Teams, Outlook, Google etc. I just want some peace of mind I'm not going to be an entry point for a client. Yes, some of them...

How are you actually protecting yourself, or your company, from cyber threats these days?

cybersecurity www.reddit.com

It's Cybersecurity Month and I'm curious what's actually working for people. Since joining a cybersecurity company as a dev, I pay a lot more attention to basics like password hygiene, using 2FA everywhere I can, and double-checking links before clicking anything. Our team's big on building anti-phishing tools and automating security checks, which has definitely made me rethink my own habits : ). What little things or routines have made the most difference in your approach, either personally or...

Potential auth vuln/risk?

cybersecurity www.reddit.com

be me. logging into a web app with sms 2fa. i fumble the first sms code and login throws an error, offers restart of process. sent back to initial login screen and re-enter user name and password, and receive fresh SMS with code. here's the rub: the new code is the same as the first one. despite that a pre-seeded code can persist for X amount of seconds when using an Authenticator app, the re-use of the code in this context seems unusual. I'm off to think more about it and chatgpt it, but...

GitHub Mandates 2FA and Short-Lived Tokens to Strengthen npm Supply Chain Security

The Hacker News thehackernews.com

GitHub on Monday announced that it will be changing its authentication and publishing options "in the near future" in response to a recent wave of supply chain attacks targeting the npm ecosystem, including the Shai-Hulud attack. This includes steps to address threats posed by token abuse and self-replicating malware by allowing local publishing with required two-factor authentication (2FA),

Is Adaptive MFA the future of cybersecurity?

cybersecurity www.reddit.com

We've all seen how traditional passwords and even basic 2FA can be bypassed by phishing, SIM swapping, or credential theft. That's where Adaptive MFA comes in. Instead of treating every login the same, it evaluates context, things like device, location, time, and user behavior, before deciding if extra verification is needed. Why it matters: • Stops suspicious logins without frustrating every user • Makes phishing and stolen passwords far less effective • Helps meet compliance and insurance...

PhishKit Evasion Tactics: What You Need to Pay Attention to Right Now

Cyber Security News cybersecuritynews.com

Cyber attackers constantly refine their evasion methods. That's what makes threats, including phishing, increasingly hard to detect and investigate. Kits like Tycoon 2FA regularly evolve with new tricks added to their arsenal. They slip past defenses and compromise companies, demonstrating great adaptivity in modern cyber threats. Let's review three key evasion techniques of Tycoon 2FA

Axios Abuse and Salty 2FA Kits Fuel Advanced Microsoft 365 Phishing Attacks

The Hacker News thehackernews.com

Threat actors are abusing HTTP client tools like Axios in conjunction with Microsoft's Direct Send feature to form a "highly efficient attack pipeline" in recent phishing campaigns, according to new findings from ReliaQuest. "Axios user agent activity surged 241% from June to August 2025, dwarfing the 85% growth of all other flagged user agents combined," the cybersecurity company said in a

20 Popular npm Packages With 2 Billion Weekly Downloads Compromised in Supply Chain Attack

The Hacker News thehackernews.com

Multiple npm packages have been compromised as part of a software supply chain attack after a maintainer's account was compromised in a phishing attack. The attack targeted Josh Junon (aka Qix), who received an email message that mimicked npm ("support@npmjs[.]help"), urging them to update their two-factor authentication (2FA) credentials before September 10, 2025, by clicking on

The auth nightmare I just had

cybersecurity www.reddit.com

Woke up in a cold sweat. Dreamed I tried to check my email. First, the password. Not my password. The password requirements. Minimum 12 characters. Maximum 128. Must contain uppercase, lowercase, number, symbol. But not THAT symbol. Or that one. No spaces. No quotes. No backslashes. Can't be similar to previous 47 passwords. Finally get a password. Site rejects it. "Too similar to a commonly used password." It's 32 random characters from /dev/urandom. How is that common? Get past that. Now 2FA....

Facebook Breaches?

cybersecurity www.reddit.com

So a few days ago, I got notifications that someone was trying to get into my Facebook, so I changed the password. Luckily I had 2FA on (I have it on everything I know of). Then, a day later, someone tried to get into my Instagram (same failure). Adobe and Amazon both said about data breaches, and that I should change my passwords. I did virus checks on all my devices, and I use a VPN. Then, this morning, Google contacted me and said there's been a data breach, and I should change my passwords on...

DOM-Based Extension Clickjacking Exposes Popular Password Managers to Credential and Data Theft

The Hacker News thehackernews.com

Popular password manager plugins for web browsers have been found susceptible to clickjacking security vulnerabilities that could be exploited to steal account credentials, two-factor authentication (2FA) codes, and credit card details under certain conditions. The technique has been dubbed Document Object Model (DOM)-based extension clickjacking by independent security researcher Marek Tóth,

Major password managers can leak logins in clickjacking attacks

cybersecurity www.reddit.com

Six major password managers with tens of millions of users are currently vulnerable to unpatched clickjacking flaws that could allow attackers to steal account credentials, 2FA codes, and credit card details. Threat actors could exploit the security issues when victims visit a malicious page or websites vulnerable to cross-site scripting (XSS) or cache poisoning, where attackers overlay invisible HTML elements over the password manager interface. While users believe they are interacting with...

New Salty 2FA PhaaS platform Attacking Microsoft 365 Users to Steal Login Credentials

Cyber Security News cybersecuritynews.com

A sophisticated new Phishing-as-a-Service (PhaaS) framework dubbed "Salty 2FA" has emerged as a significant threat to Microsoft 365 users across US and European industries. This previously undocumented platform employs advanced obfuscation techniques and multi-stage execution chains specifically designed to bypass two-factor authentication mechanisms while stealing corporate credentials. The framework targets organizations spanning finance, telecommunications, energy,

Does VPN SSO with Windows Hello for Business satisfy MFA requirements?

cybersecurity www.reddit.com

I'm thinking about moving our remote access from RADIUS app-based 2FA to SAML Single Sign-On (SSO) on our firewall VPN. All users sign into Microsoft Entra ID-joined laptops with Windows Hello for Business (WHfB) (PIN, fingerprint, or facial recognition). Since WHfB uses a TPM-bound key on the device (something you have) plus PIN/biometric (something you know/are), Microsoft recognizes it as MFA. When the VPN connection is made via SAML SSO, Entra ID passes the MFA claim into the VPN session....