One Article Review

Home - The article:
Source: AlienVault Lab Blog
Identifier: 8337915
Publication date: 2023-05-19 10:00:00 (viewed: 2023-05-19 16:06:25)
Title: Phishing-resistant MFA 101: What you need to know
Text:

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

The spread of the remote workforce and the growth of digital transformation have multiplied the number of login-based attack vectors. While multi-factor authentication (MFA) generally protects against common methods of gaining unauthorized account access, not all MFA methods can defend against sophisticated attacks. To achieve full zero-trust access, MFA is being replaced by phishing-resistant MFA and the standards that define it. To give you a complete picture, I have identified key terminology and concepts surrounding phishing-resistant authentication and put them together in this handy glossary. To fully appreciate phishing-resistant MFA, it helps to know the vocabulary.

Account takeover

Achieving Account Takeover (ATO) means successfully compromising a target account with the intent of committing fraud. The account is fully compromised when the attacker can operate as the user with all of that user's permissions and access privileges. ATO is often initiated by credential theft, which can be carried out using social engineering techniques (phishing attacks) or by bombarding login pages with bot-based attempts.

Phishing attacks

Phishing attacks attempt to steal personal data such as login credentials, credit card information, or even money using social engineering techniques. This type of attack is usually launched through e-mail messages that appear to come from a reputable source, with the intention of persuading the user to open a malicious attachment or follow a fraudulent URL. The most targeted types of services are SaaS and webmail platforms, as well as payment services. Phishing attacks create many cascading effects, impacting businesses and individuals in many ways.

Man-in-the-Middle (MiTM) attacks

NIST defines a Man-in-the-Middle (MiTM) attack as “an attack in which an attacker is positioned between two communicating parties to intercept and/or alter data traveling between them.” In an authentication context, this means “the attacker would be positioned between claimant and verifier, between registrant and Credential Service Provider during enrollment, or between subscriber and Credential Service Provider during authenticator binding.”

Authentication

NIST states that “digital authentication establishes that a subject attempting to access a digital service is in control of one or more valid authenticators associated with that subject’s digital identity.” For services in which return visits are applicable, successfully authenticating provides reasonable risk-based assurance that the subject accessing the service today is the same subject that accessed the service previously. Authentication establishes confidence that the claimant possesses one or more authenticators bound to the credential. It does not determine the claimant’s authorizations or access privileges, for example what they are allowed to do once they have successfully accessed a digital service.

2FA

Two-factor authentication, or 2FA, is an authentication method requiring the combination of two different types of factors to access protected resources. The three types of authentication factors are something you know, something you have, and something you are. 2FA improves on the Single-Factor Authentication (SFA) login process. It does this by requiring not only a set of credentials based on what you know, such as a pass
Rating: ★★
Sent: Yes
Tags: Vulnerability, Cloud


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.