Tag Archive for: multifactor

Google Proposes Method for Stopping Multifactor Runaround

Google recognizes that cookie theft poses a significant challenge for users and is actively working on a solution to mitigate it. They propose a mechanism called Device Bound Session Credentials (DBSC), which aims to tie authentication data to a specific device, rendering stolen cookies ineffective.

Cookies remain a common method for websites to store session information locally, enabling users to stay signed in and retain site preferences. However, malicious software can target cookies, extracting them from a user’s device and transmitting them to remote attackers for potential unauthorized access to user data.

Google’s DBSC initiative involves employing cryptographic keys to associate sessions with individual devices. This process involves generating a unique public/private key pair locally on the device, with the private key securely stored by the operating system, possibly leveraging hardware features like Trusted Platform Module (TPM) for enhanced security.

The DBSC API associates a session with the generated public key, so the session can be periodically refreshed with a cryptographic proof that the device still holds the matching private key. This verification happens out of band from regular web traffic and only while the user is actively engaged in the session.

Google emphasizes privacy protection, ensuring that each session is linked to a distinct key and preventing sites from correlating keys across different sessions on the same device. Only the per-session public key is transmitted to the server for proof of key possession.

Initial adoption of DBSC is expected to cover approximately half of desktop users, dependent on hardware capabilities like TPM availability. Google contemplates extending support to software-based keys for broader user coverage and compatibility.

To encourage widespread adoption, Google is collaborating with industry stakeholders, including identity providers and potentially Microsoft for integration into its Edge browser. The project is being developed openly on GitHub with the intention of establishing an open web standard.

DBSC aligns with Google’s strategy of phasing out third-party cookies in Chrome. Early experiments are underway to protect Google Account users in Chrome Beta, with plans to extend the technology to Google Workspace and Google Cloud customers for enhanced account security.

This initiative draws parallels to Intel’s past attempt with Processor Serial Number (PSN) for tracking, which faced backlash and discontinuation due to privacy concerns. However, Google aims to address privacy issues and gain broader industry support for DBSC as a standardized security measure.


Outlook for Android, iOS to get own Multi-factor authentication capability this month


Microsoft plans to inject a dedicated multi-factor authentication (MFA) capability into Outlook for Android and iOS, and its general availability is expected to arrive this month.

Microsoft wants to make it easier for Outlook users to perform MFA. To that end, the Redmond company revealed in its latest Microsoft 365 roadmap entry that it will introduce a so-called “Authenticator Lite” in the app. According to the feature description, it will cover work or school accounts used with Microsoft 365 apps, Azure Active Directory, and Outlook.

“Authenticator Lite (in Outlook) is a feature that allows your users to complete multi-factor authentication (MFA) for their work or school account using the Outlook app on their iOS or Android device,” the roadmap entry reads.

It is worth noting that the company already offers Microsoft Authenticator, which Android and iOS users can use for Outlook, other Microsoft products, and third-party applications. While Authenticator Lite might sound redundant for those who already have Microsoft Authenticator, it makes Outlook a more comprehensive app with its own built-in MFA feature. It may also be one of the software giant’s initiatives to strengthen Outlook’s security as more authorities scrutinize tech companies.

Recall that last month the director of the Cybersecurity and Infrastructure Security Agency, Jen Easterly, called out Microsoft and Twitter over the low MFA usage rate among their customers. According to Easterly, only one-quarter of Microsoft’s enterprise customers use it. The official, meanwhile, praised Apple for the high usage rate of the security feature, attributing it to Apple’s decision to make the feature a default.

Microsoft is also determined to promote the use of MFA in its products, starting with Outlook. However, instead of going the same path Apple is taking by making MFA default, it seems the software company wants to achieve this by making the security feature more convenient and accessible to encourage more users to embrace it. Once Authenticator Lite is completely rolled out, we will see how effective this…


Ways to Implement Multifactor Authentication Without a Mobile Device


Passwords are hard to remember and even harder to change periodically, and it’s increasingly difficult to devise strong credentials. Instead of confronting the challenge, many users rely on weak passwords and reuse them for multiple accounts. This makes it easy for cybercriminals to guess credentials or obtain them via phishing attacks.

Once gathered, credentials can be sold on the dark web. Then, both the original criminal and hordes of other attackers can gain access to personal and work-related systems and data.

Two-factor authentication (2FA) and multifactor authentication (MFA) are accepted ways to make credentials much less vulnerable. 2FA relies on a combination of something you know (e.g., username/password) and either something you have (e.g., your mobile phone or computer, a keycard or a USB key) or something you are (e.g., a scan of your iris or fingerprint) to ensure that only authorized individuals can access sensitive systems and information.

MFA can involve all three factors. With MFA, even if the username/password combination is stolen, accessing an account is extremely difficult because criminals won’t be able to complete the additional authentication steps.


When MFA and Mobile Devices Don’t Mix

Common methods of implementing MFA often rely on mobile devices: when an SMS message, a one-time password or a push notification is sent, it is typically delivered to the user’s smartphone. Each of these delivery channels carries risk. When implemented improperly or used as the sole security method, the messages can be compromised and the codes intercepted. In fact, the U.S. government has recommended that no MFA solution rely solely on SMS verification tools.

Ensuring Protection Outside of Mobile-Based MFA

To fill these gaps and ensure 100 percent MFA coverage, agencies may consider hardware security keys. The key is typically a physical device, often a USB drive that only grants access to accounts while it is plugged into a computer. It provides a high level of protection against phishing and hacking because no…
