Articles about authentication


Register-Orbi-damned: Netgear account order irks infosec bods

Netgear has irked some security pros by demanding people register accounts before they can use a mobile app to control their Orbi mesh routers. Thus, you'll need a Netgear customer account to manage your network infrastructure, thereby "advertising to hackers everywhere that there’s a nice little honeypot on their servers, …
John Leyden, 10 Sep 2018

SuperProf gets schooled after assigning weak passwords to tutors

Updated Private tutor networking website SuperProf has irritated teacher clients of a firm it recently acquired – by handing out hopelessly insecure passwords. SuperProf, headquartered in Paris, recently bought UK-based Tutor Pages. Tutor Pages teachers have been migrated to the SuperProf platform but details of their fees, subjects, …
John Leyden, 20 Aug 2018

Cisco drops a cool $2.3 billion on SaaSy outfit Duo Security

Cisco has announced plans to buy privately held authentication firm Duo Security for $2.35bn (£1.80bn). The Michigan firm markets unified access security and multi-factor authentication delivered through the cloud. The technology is …
John Leyden, 2 Aug 2018

Microsoft to pay new bounties for identity services holes

Microsoft’s launched a new bug bounty program, this time for identity services. “Microsoft has invested heavily in the security and privacy of both our consumer (Microsoft Account) and enterprise (Azure Active Directory) identity solutions,” wrote principal security group manager Phillip Misner. But Redmond’s not just paying …
Simon Sharwood, 18 Jul 2018

Password re-use is dangerous, right? So what about stopping it with password-sharing?

Two comp-sci boffins have proposed that websites cooperate to block password re-use, even though they predict the idea will generate "contempt" among many end users. Their expectation is founded on experience: Troy Hunt's HaveIBeenPwned is useful because so many people reuse passwords, and it currently claims to record more …

Time to ditch the Facebook login: If customers' data should be protected, why hand it over to Zuckerberg?

Comment Mark Zuckerberg recently endured a grilling from the US Congress over Facebook's inability to stop bleeding user data. A week later, investors rewarded his company with a $50bn increase in its market capitalisation on news that – surprise! – a massive userbase pays big dividends. But it's worse than 87 million users' data that …
Matt Asay, 4 May 2018

Single single-sign-on SNAFU threatens three Cisco products

Cisco has announced a suite of patches against a bug in its Security Assertion Markup Language (SAML) implementation. As is so often the case with a language slip, the bug is inherited by multiple products. In the case of CVE-2018-0229, the affected systems are: Single sign-on authentication for the AnyConnect desktop …

No password? No worries! Two new standards aim to make logins an API experience

A pair of authentication standards published this week have received endorsement from Mozilla, Microsoft and Google: the WebAuthn API, and the FIDO Alliance's Client-to-Authenticator Protocol. The aim of WebAuthn and CTAP is to offer an authentication primitive that doesn't rely on server-stored passwords, since a user's …

XM-Hell strikes single-sign-on systems: Bugs allow miscreants to masquerade as others

Various single-sign-on systems can be hoodwinked to allow miscreants to log in as strangers without their password, all thanks to bungled programming. Specifically, the vulnerable authentication suites mishandle information submitted in the XML-like Security Assertion Markup Language (SAML). These weaknesses can be potentially …
John Leyden, 28 Feb 2018

RSA coughs to critical-rated bug in its authentication SDK

RSA developers and admins have been given two critical-level authentication bugs to patch. For the sysadmin, the issue struck RSA's software providing Web-based authentication for Apache. CVE-2017-14377 is an authentication bypass that existed because of an “input validation flaw in RSA Authentication Agent for Web for Apache …

Don't shame idiots about their idiotically weak passwords

Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive: because it serves only to reassure them that they are just like everyone else. By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker. Security …
John Leyden, 27 Nov 2017

Container ship loading plans are 'easily hackable'

Security researchers have warned that it might be possible to destabilise a container ship by manipulating the vessel stowage plan or "Bay Plan". The issue stems from the absence of security in BAPLIE EDIFACT, a messaging system used to create ship loading and container stowage plans – for example which locations are occupied …
John Leyden, 20 Nov 2017

Privacy Pass protocol promises private perusing

Boffins have harnessed privacy-preserving crypto to create a browser extension that allows users to authenticate to services without being tracked. The extension, Privacy Pass, offers people another way to authenticate themselves without having to repeatedly solve internet challenge-response tests like CAPTCHAs. Alex Davidson …
Rebecca Hill, 14 Nov 2017

How did someone hijack your Gmail? Phishing, keylogger or password reuse, we're guessing

Google has teamed up with computer scientists at the University of California, Berkeley, to find out how exactly hijackers take over its users' accounts. The eggheads peered into online black markets where people's login details are bought and sold to get an idea of the root cause of these account takeovers and the subsequent …
John Leyden, 10 Nov 2017

Sensitive client emails, usernames, passwords exposed in Deloitte hack

Deloitte, one of the world's "big four" accountancy firms, has fallen victim to a cyberattack that exposed sensitive emails to hackers. The IT security breach dates back to November 2016 but was only discovered in March this year, according to The Guardian, which broke the news in an exclusive on Monday. Deloitte has …
John Leyden, 25 Sep 2017

Insteon and Wink home hubs appear to have a problem with encryption

Security researchers have discovered that two popular home automation systems are vulnerable to attacks. The Insteon Hub and Wink Hub 2 are designed to connect various home products and manage automation, and the flaws represent another entry in the growing catalogue of IoT security shortcomings. Rapid7 discovered two …
John Leyden, 25 Sep 2017

.UK domains left at risk of theft in Enom blunder

Updated Thousands of UK companies were at risk of having their .uk domain names stolen for more than four months by a critical security failure at domain registrar Enom. The security lapse allowed .uk domains to be transferred between Enom accounts with no verification, authorisation or logs. Any domains hijacked would have been “ …
John Leyden, 7 Sep 2017

The eyes have IT: TSB to roll out iris-scanning tech for mobile banking

TSB has announced plans to roll out iris-scanning technology for its mobile banking app from September. The move will make the UK high street bank the first in Europe to debut iris-scanning tech. Biometric authentication for banking, in general, has become commonplace over recent …
John Leyden, 20 Jul 2017


Biting the hand that feeds IT © 1998–2018