This isn’t new, but it’s increasingly popular:

The technique is known as device code phishing. It exploits “device code flow,” a form of authentication formalized in the industry-wide OAuth standard. Authentication through device code flow is designed for logging printers, smart TVs, and similar devices into accounts. These devices typically don’t support browsers, making it difficult to sign in using more standard forms of authentication, such as entering user names, passwords, and two-factor mechanisms.

Rather than authenticating the user directly, the input-constrained device displays an alphabetic or alphanumeric device code along with a link associated with the user account. The user opens the link on a computer or other device that’s easier to sign in with and enters the code. The remote server then sends a token to the input-constrained device that logs it into the account.

Device authorization relies on two paths: one from an app or code running on the input-constrained device seeking permission to log in and the other from the browser of the device the user normally uses for signing in.
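As an added example (not code from the quoted article, and not any vendor's implementation), the following simulates both paths of the OAuth 2.0 device authorization grant (RFC 8628) in one in-memory server; the class name, the client identifiers and the verification URI are hypothetical.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# RFC 8628 suggests a user-code alphabet without vowels or easily confused characters.
USER_CODE_ALPHABET = "BCDFGHJKLMNPQRSTVWXZ"


@dataclass
class PendingAuth:
    device_code: str          # long and secret; only the device and the server see it
    user_code: str            # short; displayed on the device, typed by the user
    client_id: str
    expires_at: float
    account: Optional[str] = None   # set when a user approves via the browser path
    token_issued: bool = False


class DeviceAuthServer:
    """Hypothetical authorization server holding both sides of the device flow."""

    def __init__(self, lifetime=600, interval=5, now=time.time):
        self.lifetime, self.interval, self.now = lifetime, interval, now
        self.by_device, self.by_user = {}, {}

    def device_authorization(self, client_id):
        """Path 1: the input-constrained device requests codes (device authorization endpoint)."""
        device_code = secrets.token_urlsafe(32)
        user_code = "".join(secrets.choice(USER_CODE_ALPHABET) for _ in range(8))
        pending = PendingAuth(device_code, user_code, client_id, self.now() + self.lifetime)
        self.by_device[device_code] = pending
        self.by_user[user_code] = pending
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://login.example/device",   # made-up URI
                "expires_in": self.lifetime, "interval": self.interval}

    def user_approves(self, user_code, account):
        """Path 2: a browser session already signed in as `account` enters the user code.
        The binding matters: the device receives a token for whichever account typed
        the code, so the consent page must show which client_id is being authorized."""
        pending = self.by_user.get(user_code)
        if pending is None or self.now() > pending.expires_at or pending.account is not None:
            return {"error": "invalid_or_expired_user_code"}
        pending.account = account
        return {"client_id": pending.client_id, "bound_to": account}

    def token(self, device_code):
        """The device polls the token endpoint with its device_code every `interval` seconds."""
        pending = self.by_device.get(device_code)
        if pending is None:
            return {"error": "invalid_grant"}
        if self.now() > pending.expires_at:
            return {"error": "expired_token"}
        if pending.account is None:
            return {"error": "authorization_pending"}
        if pending.token_issued:
            return {"error": "invalid_grant"}     # a device code is single-use
        pending.token_issued = True
        return {"access_token": secrets.token_urlsafe(24), "token_type": "Bearer",
                "account": pending.account}
```

The point to take from `user_approves` is that the token is bound to whatever signed-in account enters the user code, which is why the consent page should name the client being authorized and why the code lifetime should be short.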

Here’s an easy system for two humans to remotely authenticate to each other, so they can be sure that neither are digital impersonations.

To mitigate that risk, I have developed this simple solution where you can set up a unique time-based one-time passcode (TOTP) between any pair of persons.

This is how it works:

  1. Two people, Person A and Person B, sit in front of the same computer and open this page;
  2. They input their respective names (e.g. Alice and Bob) onto the same page, and click “Generate”;
  3. The page will generate two TOTP QR codes, one for Alice and one for Bob;
  4. Alice and Bob scan the respective QR code into a TOTP mobile app (such as Authy or Google Authenticator) on their respective mobile phones;
  5. In the future, when Alice speaks with Bob over the phone or over video call, and wants to verify the identity of Bob, Alice asks Bob to provide the 6-digit TOTP code from the mobile app. If the code matches what Alice has on her own phone, then Alice has more confidence that she is speaking with the real Bob.
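The scheme above, implemented as an added example (not the page's own generator): RFC 6238 TOTP with one shared secret provisioned into two otpauth URIs, one per QR code; the issuer name "PairVerify" and the label format are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: float, digits: int = 6, period: int = 30) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, int(timestamp) // period, digits)


def verify(secret: bytes, code: str, timestamp: float, window: int = 1, period: int = 30) -> bool:
    """Accept the code for the current step and +/- `window` steps to absorb clock
    drift between the two phones; compare in constant time."""
    for step in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, timestamp + period * step, period=period), code):
            return True
    return False


def pair_provisioning(name_a: str, name_b: str, secret: Optional[bytes] = None) -> dict:
    """One fresh shared secret, two otpauth URIs (one per QR code). The label says
    whose phone it is for and whom it verifies, e.g. 'Alice verifies Bob'."""
    secret = secret or secrets.token_bytes(20)            # 160-bit secret, as RFC 4226 recommends
    b32 = base64.b32encode(secret).decode().rstrip("=")   # the form TOTP apps expect

    def uri(owner: str, peer: str) -> str:
        label = quote(f"{owner} verifies {peer}")
        return (f"otpauth://totp/{label}?secret={b32}&issuer={quote('PairVerify')}"
                f"&algorithm=SHA1&digits=6&period=30")

    return {"secret_b32": b32, name_a: uri(name_a, name_b), name_b: uri(name_b, name_a)}


if __name__ == "__main__":
    prov = pair_provisioning("Alice", "Bob")
    padded = prov["secret_b32"] + "=" * (-len(prov["secret_b32"]) % 8)
    shared = base64.b32decode(padded)
    now = time.time()
    print(prov["Alice"])
    print(prov["Bob"])
    print("Bob reads out:", totp(shared, now), "-> Alice's phone agrees:", verify(shared, totp(shared, now), now))
```

Because both phones hold the same secret, a matching code proves only that the speaker holds one of the two paired phones, so each pair of people needs its own secret and a compromise of either phone invalidates the pairing.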

Simple, and clever.

As Microsoft approaches the final year of security support for Windows 10, the tech giant has made a noteworthy announcement that raises concerns regarding account security. In a significant shift, Microsoft will soon mandate the use of passkeys, signaling a potential farewell to traditional passwords for good.

This decision aligns with a broader industry trend, as major technology companies, including Apple, Google, Facebook, and X (formerly Twitter), have already indicated their intent to move away from password-based security systems. The year 2023 has seen these tech leaders embrace passkeys as a more secure and user-friendly alternative for account protection.

In a bid to keep pace with these advancements, Microsoft is implementing mandatory passkey usage for all Windows 11 users in the coming months. This initiative aims to acclimate users to this emerging security feature, which is anticipated to play a pivotal role in the future of online authentication.

Under the leadership of CEO Satya Nadella, Microsoft is not only promoting its own passkey solutions but is also open to passkeys generated by third-party applications such as 1Password. Additionally, users can link their passkeys to their mobile devices or utilize the Microsoft Authenticator app, which the company introduced several years ago. This flexibility enhances user convenience while maintaining a high level of security.

For individuals wishing to access their online accounts, the transition to passkeys will be necessary, regardless of whether these keys are generated through physical devices, hardware plugins, or software solutions. This move reflects a broader industry commitment to phasing out the traditional password model, with Google having already made significant strides in this direction. The tech giant has encouraged its users to adopt passkeys or biometric authentication methods as the primary means of securing their accounts.

Understanding the technology behind passkeys is crucial for those who may harbor doubts about their authenticity and reliability. Passkeys utilize advanced cryptographic techniques to provide a more secure form of authentication, reducing the risks associated with password reuse and phishing attacks.

Looking ahead, there’s also exciting news for Windows users. By the end of next year, Microsoft plans to unveil a beta version of Windows 12, tentatively scheduled for release in October 2025, contingent upon the success of ongoing research and development efforts. This future update promises to further enhance the user experience and security features of the Windows operating system.

As the landscape of digital security continues to evolve, the shift towards passkeys marks a significant step in making online interactions safer and more efficient.

The post Windows 11 passkey transformation will say goodbye to Passwords appeared first on Cybersecurity Insiders.

New attack against the RADIUS authentication protocol:

The Blast-RADIUS attack allows a man-in-the-middle attacker between the RADIUS client and server to forge a valid protocol accept message in response to a failed authentication request. This forgery could give the attacker access to network devices and services without the attacker guessing or brute forcing passwords or shared secrets. The attacker does not learn user credentials.

This is one of those vulnerabilities that comes with a cool name, its own website, and a logo.

News article. Research paper.

[By Gal Helemski, co-founder and CTO at PlainID]

There has been a substantial trend toward improvement of authorization capabilities and controls. Policy Based Access Control (PBAC), provided by advanced authorization and access control systems, is progressively displacing more basic and traditional procedures like Access Control Lists (ACLs) and Role-Based Access Control (RBAC).

PBAC provides a substantial advancement in authorization control approaches. It expands on the frameworks established by its predecessors, by providing flexibility, taking a more holistic approach, incorporating the strengths of each model while concurrently addressing their limitations.

The Evolution of PBAC

Even though it has been on the market for over 30 years, existing RBAC management solutions are complex and inflexible. Because of the intricacies of these solutions, a significant amount of IT resources is invested in setting access controls and permissions right.

Role-based Access Control is a coarse-grained technique in which access is static and granted simply based on a grouping of permissions. As the organization grows, keeping track of the increasing number of changing user roles, and the combinations that need to be supported, becomes practically impossible, resulting in the well-known “role explosion” problem.

Attribute-based Access Control (ABAC) is a finer-grained technique that provides access controls based on combinations of attributes. However, it is considered a localized and highly technical solution, still resulting in significant investment.

As both approaches are still utilized, Policy-Based Access Control takes the best of both techniques but makes it accessible and visible. PBAC can support both roles and attributes, of the user, the asset and the environment, providing more restricted access control and management capabilities. PBAC approaches often allow policies to be coded in plain language, bridging the gap between the app owners and dev

These capabilities have become increasingly important as organizations require more flexible access controls to the company resources, to support their growing business objectives.

Top Reasons to Consider PBAC

  • Authorization Control Efficiency: PBAC provides the most efficient method of managing authorization controls. Organizations can design and enforce access restrictions centrally by leveraging policy-based procedures, reducing complexity, and maintaining consistency across systems.
  • Simplified Development Lifecycle: The development cycle is simplified by PBAC’s policy-as-code methodology. This means that the policy can be developed and controlled as code, making version control, testing, and deployment of authorization rules easier. This streamlined procedure improves agility and minimizes application time to market.
  • Real-Time Authorization Decisions: PBAC allows for dynamic and real-time authorization decisions based on contextual information. PBAC ensures that access is provided or refused at a highly granular level by considering elements such as qualities, resource features, and environmental variables.
  • Enhanced Visibility: PBAC improves visibility by providing insight into the reasons behind access decisions. Organizations can learn why a specific access request was authorized or rejected, which can help with auditing, compliance, and governance activities. Transparency improves accountability and allows for improved decision-making.

PBAC is an essential milestone in authorization controls as it provides several benefits to enterprises. Its capacity to provide access restrictions and a more streamlined lifecycle and decision-making process, makes it a significant tool in today’s cybersecurity landscape. Remember that without policies, all access is an exception; thus, having well-defined and implemented regulations to manage access is critical. Organizations may strengthen security posture and ensure seamless access management by embracing PBAC. In an ever-changing landscape, PBAC is a testament to the continual innovation required to combat future threats to your organization.
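As an added illustration (not code from the article or from PlainID), here is a small policy-based access control evaluator: one policy set over roles plus user, asset and environment attributes, returning a decision that carries the name of the policy that decided it, which is the "why was this allowed or rejected" visibility the article describes. The policy names, attributes and sample subjects are constructed.

```python
from dataclasses import dataclass
from datetime import time as dtime
from typing import Callable, Dict, List


@dataclass
class Decision:
    allow: bool
    reason: str   # which policy decided, for auditing and governance


@dataclass
class Policy:
    name: str
    effect: str                          # "allow" or "deny"
    condition: Callable[[dict, dict, dict], bool]   # (user, asset, env) -> bool


def evaluate(policies: List[Policy], user: Dict, asset: Dict, env: Dict) -> Decision:
    """Deny by default. Any matching deny policy wins over allows; the first matching
    allow otherwise grants. The decisive policy name becomes the reason."""
    matched_allow = None
    for p in policies:
        if p.condition(user, asset, env):
            if p.effect == "deny":
                return Decision(False, f"denied by policy '{p.name}'")
            matched_allow = matched_allow or p
    if matched_allow is not None:
        return Decision(True, f"allowed by policy '{matched_allow.name}'")
    return Decision(False, "no policy granted access (default deny)")


# One attribute-aware policy covers what RBAC would express as a role per
# (team x region) combination; the deny policies add asset and environment context.
POLICIES = [
    Policy("finance-reads-own-region-ledgers", "allow",
           lambda u, a, e: "finance" in u["roles"] and a["type"] == "ledger"
           and a["region"] == u["region"]),
    Policy("no-confidential-from-unmanaged-device", "deny",
           lambda u, a, e: a["classification"] == "confidential" and not e["managed_device"]),
    Policy("business-hours-only-for-contractors", "deny",
           lambda u, a, e: u["employment"] == "contractor"
           and not dtime(8) <= e["local_time"] <= dtime(18)),
]


if __name__ == "__main__":
    alice = {"roles": ["finance"], "region": "EU", "employment": "employee"}
    ledger = {"type": "ledger", "region": "EU", "classification": "confidential"}
    for env in ({"managed_device": True, "local_time": dtime(10)},
                {"managed_device": False, "local_time": dtime(10)}):
        d = evaluate(POLICIES, alice, ledger, env)
        print(d.allow, "-", d.reason)
```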

The post The Evolution of Authorization Controls: Exploring PBAC and Its Benefits appeared first on Cybersecurity Insiders.

New attack breaks forward secrecy in Bluetooth.

Three news articles:

BLUFFS is a series of exploits targeting Bluetooth, aiming to break Bluetooth sessions’ forward and future secrecy, compromising the confidentiality of past and future communications between devices.

This is achieved by exploiting four flaws in the session key derivation process, two of which are new, to force the derivation of a short, thus weak and predictable session key (SKC).

Next, the attacker brute-forces the key, enabling them to decrypt past communication and decrypt or manipulate future communications.

The vulnerability has been around for at least a decade.

Alex Laurie, SVP Global Sales Engineering at Ping Identity

Passwords have been with us for decades. The problem is that people have far too many to remember – does this one have a capital letter, a number or a special character? Often, we don’t know. So, we delegate responsibility to a password manager and then get frustrated again when forms don’t auto-fill.

While frustrating, passwords are also the gateway to billions of dollars of fraud each year. We can’t continue on this path where demanding ever more complex passwords people can’t remember becomes the only way to access services.

Google estimated in 2019 that multi-factor authentication (MFA) on-device prompts prevent 100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks by hackers trying to log in as you. It has been a great success. But criminals adapted, and we are currently seeing breaches which prove, once again, that we’re falling behind the bad guys in the quest for security. And, while MFA works, a user receiving hundreds of authentication prompts during an attack only needs to click the wrong button once for an attacker to gain access.

It’s time these issues were removed with a passwordless approach. This entails a user setting up their account once, and then using a range of methods such as push notifications, one-time passwords and biometrics to gauge whether a login attempt is genuine. Thanks to AI innovations, this is a very real, and accurate, possibility for organisations.

So how does passwordless authentication work in practice? Instead of relying on something you know, like a password which is the name of your first pet, the system works on something you are (e.g., your face or fingerprint) or something you have (e.g., a smartphone to receive a prompt).

More advanced passwordless authenticators use signals and behavioural insights to analyse the likelihood of an authentic login and send the right type of prompt to the user. These signals could be your location, IP address or approved device MAC address. And behaviours would include user preferences and choices. For instance, are you logging in at the time you usually do on a browser you always use? How are you typing or using the mouse (this signal easily filters out bots)? Are you trying to access company resources you haven’t before?

By combining and analysing these readings, the passwordless system gives each user/login attempt a risk score. If a threshold is breached, either a prompt is sent to check it’s a genuine login attempt, or the session can be closed completely, and the user kicked out.

The challenge, however, is there is no one-size-fits-all approach to passwordless. As it is new to many, companies must evaluate their own fraud and risk priorities before implementing it. Here, one of the most useful things an organisation can do is to develop their software services using accepted standards like SAML and OAuth and OpenID Connect. FIDO2 WebAuthn has also become popular, partly because of its adoption by Apple, Google, and Microsoft as well as the makers of several popular devices, browsers, and operating systems. Once the preparation has been done, a company can then design authentication journeys that balance security and login friction for employees, suppliers and customers. Of course, during rollout, it is critical not to disable existing authentication methods until enough telemetry has been collected to surface emerging issues. You must not go unprotected.

AI is core to the experience. It will enable models to learn about each login attempt and refine every user’s profile. These models already help banks with transactions and with identifying whether customers are abroad, and now they are helping stop bad actors from gaining access to systems and resources they shouldn’t.

When it comes to fraud, there will always be a weak link – people. To help mitigate against this we need to ensure they’re not relied upon too heavily, meaning passwords should be retired as soon as possible. Attackers use stolen credentials more than phishing or exploiting a vulnerability to access companies, according to Verizon. This alone should be enough to push us towards passwordless.

The identity access management industry is working to put the standards in place so this change can happen quickly and be deployed across a wide range of enterprise and consumer applications. Fraud prevention technology folded into the authentication experience is the way for organisations to more successfully stop fraudsters in their tracks when they’re duping people and companies out of their money and secrets.

The post Why we need to make passwords a thing of the past appeared first on Cybersecurity Insiders.

They’re not that good:

Security researchers Jesse D’Aguanno and Timo Teräs write that, with varying degrees of reverse-engineering and using some external hardware, they were able to fool the Goodix fingerprint sensor in a Dell Inspiron 15, the Synaptic sensor in a Lenovo ThinkPad T14, and the ELAN sensor in one of Microsoft’s own Surface Pro Type Covers. These are just three laptop models from the wide universe of PCs, but one of these three companies usually does make the fingerprint sensor in every laptop we’ve reviewed in the last few years. It’s likely that most Windows PCs with fingerprint readers will be vulnerable to similar exploits.

Details.

Signal has had the ability to manually authenticate another account for years. iMessage is getting it:

The feature is called Contact Key Verification, and it does just what its name says: it lets you add a manual verification step in an iMessage conversation to confirm that the other person is who their device says they are. (SMS conversations lack any reliable method for verification—sorry, green-bubble friends.) Instead of relying on Apple to verify the other person’s identity using information stored securely on Apple’s servers, you and the other party read a short verification code to each other, either in person or on a phone call. Once you’ve validated the conversation, your devices maintain a chain of trust in which neither you nor the other person has given any private encryption information to each other or Apple. If anything changes in the encryption keys each of you verified, the Messages app will notice and provide an alert or warning.
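The shape of such a manual verification step, as an added example that is not Apple's or Signal's code (their actual derivations are not described on the page and differ from this): both parties derive a short code from the two public keys alone, compare it out of band, pin the peer's key, and alert on any later change. The domain-separation string and the contact store are constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional


def verification_code(my_pubkey: bytes, their_pubkey: bytes, digits: int = 12) -> str:
    """Order-independent so both parties compute the same string. Only public keys
    go into the hash, so reading the code aloud discloses nothing private."""
    a, b = sorted([my_pubkey, their_pubkey])
    digest = hashlib.sha256(b"contact-key-verification-example-v1" + a + b).digest()
    num = int.from_bytes(digest[:8], "big") % 10 ** digits
    return str(num).zfill(digits)


class ContactStore:
    """Pins the verified key per contact and flags any later change (the 'alert or
    warning' behaviour described above)."""

    def __init__(self) -> None:
        self.pinned: Dict[str, bytes] = {}

    def verify_and_pin(self, contact: str, my_pubkey: bytes, their_pubkey: bytes,
                       code_read_aloud: str) -> bool:
        expected = verification_code(my_pubkey, their_pubkey)
        if not hmac.compare_digest(expected, code_read_aloud):
            return False          # mismatch: the key your device sees is not the one the peer has
        self.pinned[contact] = their_pubkey
        return True

    def check_incoming_key(self, contact: str, current_pubkey: bytes) -> Optional[str]:
        """None means the key matches what was verified; otherwise a warning string."""
        pinned = self.pinned.get(contact)
        if pinned is None:
            return "unverified: no key pinned for this contact"
        if pinned != current_pubkey:
            return "KEY CHANGED: re-verify before trusting this conversation"
        return None


if __name__ == "__main__":
    # Constructed sample keys; real keys would come from each device's key store.
    alice_key, bob_key, new_key = b"\x01" * 32, b"\x02" * 32, b"\x03" * 32
    store = ContactStore()
    spoken = verification_code(bob_key, alice_key)      # Bob reads this from his screen
    print("pinned:", store.verify_and_pin("Bob", alice_key, bob_key, spoken))
    print("later, same key:", store.check_incoming_key("Bob", bob_key))
    print("later, new key :", store.check_incoming_key("Bob", new_key))
```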

Compromised credentials stand as the predominant cause of data breaches, underscoring the urgency for organizations to bolster their defenses. It’s crucial to acknowledge that, often, the only barrier separating an attacker from an organization’s most precious resources is the strength and security of its passwords. These compromised passwords not only pose a security risk but also jeopardize regulatory compliance, leading to potential operational and reputational damage.

Enzoic for Active Directory addresses this pressing issue head-on. It enhances initial and ongoing password security to meet compliance standards like NIST 800-63b, thereby mitigating risks and elevating an organization’s overall security stance. This solution review explores how Enzoic serves as a foundational tool for organizations, focusing on an often-underestimated vector of cyber vulnerability.

What negative consequences have organizations experienced due to unauthorized access to sensitive data, applications, or systems in the past 12 months? In the State of Authentication Security Report, cybersecurity professionals reported that the reallocation of IT resources for incident response and remediation was the most immediate negative impact (28%), followed by system or service downtime (26%) and increased helpdesk workload (24%).

Enzoic for Active Directory goes beyond traditional password filters and security measures by offering a real-time, dynamic solution for maintaining password integrity within an Active Directory (AD) environment. By integrating directly with your existing AD infrastructure, it offers an additional layer of security that is often missing. What sets it apart is the power of an in-house threat intelligence team backed by machine learning, which continuously updates a massive database of compromised credentials.

Traditional password security solutions, such as Microsoft’s Entra ID, typically focus on enforcing strong password policies at the time of password creation, but they often miss the forest for the trees. The real issue is keeping up with the ever-changing landscape of compromised credentials, and this is where Enzoic shines. Its solution fills a critical gap by continuously monitoring and validating not just newly set passwords, but also existing ones, thus securing the very foundational layer of your cybersecurity framework. This feature is a prerequisite for meeting leading compliance standards.

KEY FEATURES

Enzoic offers a cutting-edge solution for safeguarding your credentials with a range of exceptional features. Let’s explore how Enzoic stands out with continuous credential security, broad threat intelligence, and a seamless user experience.

1 – Continuous Credential Security: Enzoic sets itself apart by offering continuous screening against a database containing billions of compromised username and password pairs found on the Dark Web. This not only addresses newly created passwords but also identifies and remediates any existing vulnerable passwords that become compromised over time.

2 – Expansive Threat Intelligence: A dedicated in-house threat research team utilizes proprietary, powerful tools to scour the surface internet and Dark Web. This allows Enzoic to capture the most in-depth data sets, making its threat detection one of the most robust in the market. Moreover, this database is continually updated, ensuring that users can remediate swiftly before breaches occur.

3 – Great User Experience: While some solutions add friction at the user and admin level by incorporating more layers of authentication, Enzoic operates invisibly behind the scenes. This not only enables users to select stronger, more secure passwords but also reduces the workload for help desk support.

KEY BENEFITS

Enzoic’s continuous scanning and automated alerting system ensures that compromised or weak passwords are identified in real time. This contributes to a tangible enhancement in the overall security posture, fulfilling both compliance requirements and internal security benchmarks. The real power of Enzoic for Active Directory is in its simplicity and efficiency.

Within minutes of deployment, it starts offering:

• Streamlined Compliance: Companies striving to meet NIST 800-63b, HITRUST, or other leading industry compliance standards can automatically enforce compliance within their environment using Enzoic.

• Proactive ATO Prevention: By continuously monitoring passwords against a live database, Enzoic actively prevents Account Takeover (ATO) attacks, one of the leading causes of data breaches.

• Audit Efficiency: Real-time reports and alerting make it significantly easier to comply with auditing requirements.

• Resource Optimization: By automating the most labor-intensive aspects of password security, IT departments find a significant reduction in the time and resources needed for maintenance.

SOLUTION DELIVERY

The Enzoic solution is offered as a software-based plugin that integrates seamlessly into existing AD Domain Controllers. Optional endpoint agents are also available that provide users with specific instructions during password resets. If a user attempts to set a password that doesn’t meet policy requirements, they are guided on what adjustments need to be made for their password to align with policy, thereby enhancing the user experience and ensuring compliance.

In most cases, Enzoic for Active Directory can be up and running in under an hour, a testament to its user-friendly design. Enzoic for Active Directory operates on a subscription model, including a self-serve option with a free startup plan covering up to 20 users. The subscription cost is directly tied to the number of accounts that need protection. For specific pricing, you can refer to the official pricing page.

FINAL THOUGHTS

In a rapidly evolving cybersecurity landscape, Enzoic for Active Directory offers an agile, robust, and user-friendly solution to the ever-present challenge of compromised credentials. Its standout features like continuous credential security, expansive threat intelligence, and a minimalistic approach to user experience make it a highly recommended choice for any organization looking to fortify its first line of defense—passwords.

ABOUT ENZOIC

Enzoic is an enterprise-focused cybersecurity company committed to preventing account takeover and fraud through threat intelligence monitoring. Organizations can use Enzoic solutions to screen customer and employee accounts for exposed passwords, credentials, and PII to identify accounts at risk and mitigate unauthorized access.

Learn more about Enzoic at: info@enzoic.com | www.enzoic.com

The post SOLUTION REVIEW: Enzoic for Active Directory appeared first on Cybersecurity Insiders.