Google leaking 2FA secrets – researchers advise against new “account sync” feature for now
You waited 13 years for this feature in Google Authenticator. Now researchers are advising you to wait a while longer, just in case...
MFA reduces account takeover by requiring another proof of identity, limiting damage from stolen passwords; protect fallback and recovery paths too.
Search across headline titles and summaries.
Background for this topic.
MFA requires a user to prove identity with at least two different factor types: something they know, have, or are. It limits account takeover when a password is exposed, but protection depends on the factors and their implementation; two passwords are not independent factors, and a one-time code delivered by SMS is generally weaker than a phishing-resistant credential.
Attackers may steal or relay one-time codes through phishing, trigger repeated push prompts to induce approval, exploit weak enrollment or account-recovery processes, or hijack an authenticated session after MFA succeeds. Prefer phishing-resistant methods such as FIDO2/WebAuthn security keys or platform credentials for sensitive access, protect enrollment and recovery as strongly as login, restrict weaker fallbacks, and monitor unusual authentication activity. MFA reduces risk but does not replace endpoint, session, or privileged-access controls.
Weekly headline count for the current query.
You waited 13 years for this feature in Google Authenticator. Now researchers are advising you to wait a while longer, just in case...
Even in Apple's and Google's "walled gardens", there are plenty of 2FA apps that are either dangerously incompetent, or unrepentantly malicious. (Or perhaps both.)
Ironically, Twitter Blue users will be allowed to keep using the very 2FA process that's not considered secure enough for everyone else.
Guilty party got 18 months, also has to pay back $20m he probably hasn't got, which could land him in more hot water.
The warning is hosted on a real Facebook page; the phishing uses HTTPS via a real Google server... but the content is all fake
Latest episode - listen now! Learn why adopting 2FA isn't a reason to relax your other security precautions...
Last time they arrived 28 minutes after lighting up their fake domain... this time it was just 21 minutes
Listen now! Or read if you prefer...
The crooks hit us up with this phishing email less than half an hour after they activated their new scam domain.
The US Cybersecurity and Infrastructure Security Agency (CISA) has just put out a bulletin numbered AA22-074A, with the dramatic title Russian State-Sponsored Cyber Actors Gain Network Access by Exploiting Default Multifactor Authentication Protocols and “PrintNightmare” Vulnerability. To sidestep rumours based on the title alone (which some readers might interpret as an attack that is going […]
Instagram scams don't seem to be dying out - we're seeing more variety and trickiness than ever...