top | item 43063248


antithesis-nl | 1 year ago

Yeah, can confirm, there are a lot of targeted emails going out inviting people to dodgy auth flow endpoints.

Disabling device authentication (which is rarely needed anyway) and forcing Microsoft Authenticator (with the yes-this-is-really-me number entry thing) or something like a Yubikey should make your org like 99% less vulnerable. If you're not on a Microsoft-or-similar platform (good for you!), one word of advice: passkeys.

As for the inevitable "who would fall for this" question: prior to 2017, when Google instituted a strict 2FA policy, even members of their elite security team were successfully phished. After that, not so much: https://krebsonsecurity.com/2018/07/google-security-keys-neu...
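The reason passkeys resist the fake-login-prompt attack discussed in this thread is that the browser, not the page, fills in the origin (and the authenticator hashes the relying-party ID) inside the signed assertion, so a credential exercised on a look-alike domain produces data the real site rejects. The following is an added illustration, not code from the thread or from any vendor, of the relying-party-side checks on clientDataJSON and authenticatorData; the RP ID, origin and look-alike domain are constructed placeholders, and the final public-key signature check a real RP performs is left out to keep the block dependency-free.

```python
import base64
import hashlib
import json
import secrets

# Constructed relying-party configuration (assumption: example values only)
RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_challenge() -> bytes:
    # Fresh per-login challenge; binds the assertion to this session
    return secrets.token_bytes(32)


def build_client_data(challenge: bytes, origin: str) -> bytes:
    # What a browser serialises as clientDataJSON. The origin field is written
    # by the browser from the page's real origin; a page cannot forge it.
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}
    ).encode()


def build_auth_data(rp_id: str, user_present: bool = True) -> bytes:
    # Minimal authenticatorData: rpIdHash (32) || flags (1) || signCount (4)
    flags = 0x01 if user_present else 0x00
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")


def verify_assertion(client_data_json: bytes, auth_data: bytes, issued_challenge: bytes):
    """Relying-party checks that make a phished assertion useless. Returns (ok, reason)."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "unexpected ceremony type"
    if not secrets.compare_digest(b64url_decode(cd.get("challenge", "")), issued_challenge):
        return False, "challenge mismatch (replay or stale session)"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if not secrets.compare_digest(auth_data[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    # A real RP now verifies the credential's signature over
    # auth_data || sha256(client_data_json) with the stored public key.
    # Omitted here so the example runs with the standard library only.
    return True, "ok"


def demo() -> dict:
    ch = new_challenge()
    legit = verify_assertion(build_client_data(ch, EXPECTED_ORIGIN), build_auth_data(RP_ID), ch)
    # Constructed look-alike domain: an assertion produced on such a page carries that
    # page's origin and rpIdHash, so the genuine RP refuses it even with the right challenge.
    spoof_origin = "https://login.example-com.net"
    spoof = verify_assertion(
        build_client_data(ch, spoof_origin), build_auth_data("login.example-com.net"), ch
    )
    # Old assertion presented against a new session fails the challenge check
    replay = verify_assertion(build_client_data(new_challenge(), EXPECTED_ORIGIN), build_auth_data(RP_ID), ch)
    return {"legit": legit, "spoof": spoof, "replay": replay}


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name}: {'accepted' if ok else 'rejected'} ({reason})")
```

Contrast this with a password or TOTP, which carries nothing about where it was typed: the same digits work on the real site and on a proxy in front of it.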


semi-extrinsic | 1 year ago

Honest question when it comes to 2FA like MS Authenticator: why don't they ask for the 2nd factor first, and password second? Sounds like it would make it much harder to spoof.

Currently it's very easy to make a fake MS login prompt, even to customize it with your company name and logo. If you fall for that, they have your PW, which probably at least works without 2FA on some random corpo websites like your time tracking or travel expenses or whatnot.

ivewonyoung | 1 year ago

> why don't they ask for the 2nd factor first, and password second? Sounds like it would make it much harder to spoof.

How? First off, if it's a TOTP without a notification, the fake website can just ignore the TOTP input and always say it's correct and move to collecting your password. If it's a notification type 2FA, when you go to the fake site it can request a login with your username in the background which will send you a notification, you will enter the 2FA code and then password which the attacker will log in with.

bayindirh | 1 year ago

Two reasons:

1. You shouldn't be reusing your password anywhere else anyway.

2. Microsoft corporate 2FA doesn't give you three choices, but wants you to enter the number from your keypad, unlike consumer 2FA, preventing flooding attacks and trusting that you'll tap the right one accidentally.
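To make the second point concrete, here is an added simulation (not code from the thread or from Microsoft) of the two push flows being compared: a plain approve/deny push, where any tap completes whatever login is pending, and a number-matching push, where the login screen shows a two-digit number that the app demands before approving. The session store, the attempt limit of three and the user behaviours are assumptions of the example.

```python
import secrets


class PlainPushMFA:
    """Plain approve/deny push: the weak setting. Any approval completes the pending login."""

    def __init__(self):
        self.sessions = {}

    def start_login(self, user: str) -> str:
        sid = secrets.token_hex(8)
        self.sessions[sid] = {"user": user, "done": False}
        return sid

    def on_push_response(self, sid: str, approved: bool) -> bool:
        s = self.sessions[sid]
        if approved:
            s["done"] = True
        return s["done"]


class NumberMatchingMFA:
    """Number matching: the number is shown only on the screen that started the login."""

    MAX_ATTEMPTS = 3  # assumption: lock the session after three wrong entries

    def __init__(self):
        self.sessions = {}

    def start_login(self, user: str):
        sid = secrets.token_hex(8)
        number = secrets.randbelow(100)
        self.sessions[sid] = {"user": user, "number": number, "done": False, "attempts": 0, "locked": False}
        return sid, number  # the caller displays `number` on the login page

    def on_push_response(self, sid: str, entered: int) -> bool:
        s = self.sessions[sid]
        if s["locked"] or s["done"]:
            return s["done"]
        s["attempts"] += 1
        if entered == s["number"]:
            s["done"] = True
        elif s["attempts"] >= self.MAX_ATTEMPTS:
            s["locked"] = True
        return s["done"]


def simulate() -> dict:
    """Constructed scenario: a login started by someone who is not the user, plus a legitimate one."""
    results = {}

    # Plain push under flooding: the user, tired of prompts, taps approve on one of them.
    plain = PlainPushMFA()
    sid = plain.start_login("alice")
    results["plain_blind_approve"] = plain.on_push_response(sid, approved=True)

    # Number matching: the number is on a screen the user cannot see, so a blind tap has to guess.
    nm = NumberMatchingMFA()
    sid, number = nm.start_login("alice")
    wrong_guesses = [(number + k) % 100 for k in (1, 2, 3)]  # deterministic wrong entries
    results["nm_blind_guesses"] = [nm.on_push_response(sid, g) for g in wrong_guesses]
    results["nm_locked_after_guesses"] = nm.sessions[sid]["locked"]
    # Even the right number is refused once the session is locked
    results["nm_correct_after_lock"] = nm.on_push_response(sid, number)

    # Legitimate login: the user reads the number off their own screen and enters it.
    sid, number = nm.start_login("alice")
    results["nm_legit"] = nm.on_push_response(sid, number)
    return results


if __name__ == "__main__":
    for k, v in simulate().items():
        print(f"{k}: {v}")
```

The model also shows the residual risk the thread's later replies point at: number matching stops blind approval, but a user who is on a fake page that relays the real number still types the right value, which is why the passkey advice upthread is the stronger fix.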