Articles about 2fa

Google Prompt

Google slides text message 2FA a little closer to the door

Text messages aren't a great way to implement two-factor authentication, but it's a technique that's stubbornly persistent. Now Google has decided to push things along by pushing its alternative into production. The Chocolate Factory's alternative is called "Google Prompt". Instead of sending users a one-time code in a text …

Brit intel fingers Iran for brute-force attacks on UK.gov email accounts

Iran has been blamed for the brute-force attack on UK Parliament earlier this year. An unpublished assessment by British intelligence obtained by The Times fingers Iran for the high-profile hack. The revelation comes as the US president has refused to continue signing off the 2015 Iran nuclear deal, to which the UK is a party …
John Leyden, 16 Oct 2017

Sensitive client emails, usernames, passwords exposed in Deloitte hack

Deloitte, one of the world's "big four" accountancy firms, has fallen victim to a cyberattack that exposed sensitive emails to hackers. The IT security breach dates back to November 2016 but was only discovered in March this year, according to The Guardian, which broke the news in an exclusive on Monday. Deloitte has …
John Leyden, 25 Sep 2017

Facebook users pwnd by phone with account recovery vulnerability

Facebook account recovery using pre-registered mobile numbers is poorly implemented and open to abuse, according to critic James Martindale. Martindale wrote an article on Medium, titled I kinda hacked a few Facebook accounts using a vulnerability they won't fix, highlighting his concerns in a bid to push the social network …
John Leyden, 17 Jul 2017
Facepalm from Shutterstock

Two-factor FAIL: Chap gets pwned after 'AT&T falls for hacker tricks'

A software developer says a thief siphoned cash from his PayPal account – after a dumbass AT&T rep handed control of his cellphone account to a hacker, thus defeating his two-factor authentication. Justin Williams, an iOS code jockey based in Denver, Colorado, said someone was able to dupe an AT&T support tech into assigning …
Shaun Nichols, 10 Jul 2017

LastPass now supports 2FA auth, completely undermines 2FA auth

Password manager LastPass has added a new feature to its software: the ability to store two-factor authentication codes. This is great news. For hackers. Increasingly, people with sense use two-factor auth as a way of ensuring that it is much harder for miscreants to break into their accounts, and to detect if anyone is anyone …
Kieren McCarthy, 19 May 2017

eBay dumps users into insecure authentication mechanism

Web tat bazaar eBay appears to be suggesting its readers adopt known-to-be-insecure practices when logging on to the service. eBay has long offered customers the chance to get their hands on a hard token that generates one-time-passwords. But Krebs on Security reports that a reader received an email from eBay telling customers …
Simon Sharwood, 23 Mar 2017
Two eggs hugging couple arranged in carton

Aah, all is well in the world. So peaceful, so– wait, where's the 2FA on IoT apps? Oh my gawd

Smart home poster child Nest has stolen a march on the rest of the smart-home industry by adding two-factor authentication to its systems. From Tuesday, owners of Nest products can tie a mobile phone to their account and so require that anyone trying to access their data has to enter a six-digital code sent by text to that …

Netflix US Twitter account hacked

Netflix's US Twitter account was briefly hijacked on Wednesday. The feed was taken over by a hacking group, OurMine, who used the hijack to promote its website and invite Netflix to get in touch. The social media team running the Netflix US Twitter account, which has 2.5 million followers, got off easily. Previous account …
John Leyden, 21 Dec 2016

Standards body warned SMS 2FA is insecure and nobody listened

The US National Institute of Standards and Technology's (NIST) advice that SMS is a poor way to deliver two factor authentication is having little impact, according to Duo Security. Last July NIST declared that sending one-time passwords to mobile phones was insecure. The organisation wrote in its advisory that the likelihood …
Darren Pauli, 6 Dec 2016

PayPal patches bone-headed two factor authentication bypass

Update Paypal has patched a boneheaded two factor authentication breach that allowed attackers to switch off the critical account control in minutes by changing a zero to a one. British MWR InfoSecurity consultant Henry Hoggart (@_mobisek) discovered and quietly reported the flaw to the payment giant. Attackers with username and …
Darren Pauli, 27 Oct 2016

Hacking mobile login tokens tricky but doable, says reverse-engineer

Mobile apps that generate on-screen tokens for two-factor authentication can be examined and cloned by malware, a security researcher warns. Fraudsters and crooks can take these clones and generate the codes necessary to login into bank accounts and other online services as their victims. Banks are increasingly relying on …
John Leyden, 2 Sep 2016
Password

US standards lab says SMS is no good for authentication

America's National Institute for Standards and Technology has advised abandonment of SMS-based two-factor authentication. That's the gist of the latest draft of its Digital Authentication Guideline, here. Down in section 5.1.3.2, the document says out-of-band verification using SMS is deprecated and won't appear in future …
Android figurine (silver) hangs off building at Mountain View HQ. Photo by Nick Fox, Shutterstock.com</a>

Academics claim Google Android two-factor authentication is breakable

Computer security researchers warn security shortcomings in Android/Playstore undermine the security offered by all SMS-based two-factor authentication (2FA). The issue - first reported to Google more than a year ago - revolves around an alleged security weakness rather than a straightforward software vulnerability. The …
John Leyden, 8 Apr 2016

Instagram rolls out two factor authentication

Hipsters and selfie-lovers will enjoy extra security after Instagram added two-factor authentication to its service. The security measure is becoming a de facto standard for protecting user accounts by requiring a code generated on a second device to be entered alongside passwords. Instragram will send a code to user's mobile …
Team Register, 18 Feb 2016

Got a time machine? Good, you can brute-force 2FA

Time-based two-factor authentication tokens, and plug-ins that use them, are only as good as your time signal, and in the right (wrong) circumstances, they can be brute-forced. Security researcher Gabor Szathmari says the problem is that if your 2FA tokens depend on the network time protocol (NTP), it's too easy for a sysadmin …

Boffins nail 2FA with 'ambient sound' login for the lazy

Internet users who think two taps on a smartphone is two taps too much may soon be able to use seamless second factor authentication that verifies a person is in possession of their phone by matching ambient noise sound prints. Researchers Nikolaos Karapanos, Claudio Marforio, Claudio Soriente, and Srdjan Capkun of the …
Darren Pauli, 17 Aug 2015

Snapchat slings SMS two-factor authentication

Snapchat has deployed two factor authentication as part of its push to increase security across the popular selfie slinging app. The sexting swap shop allows users to set up SMS log-in verification that makes en-masse account hijacking more difficult, and better protects Snapchat's Snapcash money transfer system. The …
Darren Pauli, 15 Jun 2015

Create a news alert about 2fa, or find more stories about 2fa.

Biting the hand that feeds IT © 1998–2017