Source |
AlienVault Lab Blog |
Identifier |
8557119 |
Publication date |
2024-08-13 10:00:00 (seen: 2024-08-13 17:17:59) |
Title |
The State of Phishing-Resistant MFA |
Text |
The content of this post is solely the responsibility of the author. LevelBlue does not adopt or endorse any of the views, positions, or information provided by the author in this article.
In our increasingly interconnected world, the specter of cybercrime looms larger than ever, casting a shadow over people, businesses, and governments alike. Among the slew of cyber threats bombarding entities daily, phishing attacks are a particularly pernicious menace. With each day, bad actors hone their techniques, leveraging the latest tools and psychological tactics to craft sophisticated phishing campaigns that are clever enough to defy all but the closest scrutiny.
As a result, there is a need for heightened awareness, robust cybersecurity measures, and proactive defense strategies. One such measure is phishing-resistant MFA, which is becoming mandatory under many data protection regulations.
What is Phishing-Resistant MFA?
Recent incidents exploiting gaps in MFA implementations have highlighted that traditional multi-factor authentication is susceptible to phishing and social engineering attacks. For instance, the 2024 Data Threat Report found that 93% of IT professionals believe security threats are increasing in volume or severity, a significant rise from 47% last year. Moreover, the number of enterprises experiencing ransomware attacks surged by over 27% in the past year. The report also revealed that malware, ransomware, and phishing are consistently the largest growth categories for attacks.
For multi-factor authentication to be truly effective, it must implement secure methods such as cryptographic keys, biometrics, and device-level security checks that phishing attempts cannot compromise. Moreover, passwordless authentication and a zero-trust approach to authentication and security are crucial.
Phishing-resistant MFA depends on public key cryptography, removing the need for shared codes and dramatically lowering the possibility of threat actors intercepting and replaying access codes. Phishing-resistant technologies can also verify the authenticity of the source and destination, ensuring that the authentication process can only happen between the intended site and the user's device.
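The origin binding and replay resistance described above, as an added example written for this page rather than code from the original post or from LevelBlue: a toy Go model of a FIDO2/WebAuthn-style assertion in which the authenticator signs a browser-built client-data blob containing the site's challenge and the origin the browser is actually showing. The hostnames (login.example.com, login-example.test), the user name alice and all type and function names are constructed for the example; real WebAuthn additionally signs authenticator data carrying a hash of the relying-party ID, which this simplification omits.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// ClientData is built by the browser, not the page: the challenge plus the origin really shown.
type ClientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator models a FIDO2-style key: one key pair per relying-party ID (rpID).
type Authenticator struct {
	creds map[string]ed25519.PrivateKey
}

// Assert signs sha256(clientDataJSON) with the key bound to rpID; the browser derives rpID and
// origin from the site it is on. Real WebAuthn also signs authenticator data; this toy omits it.
func (a *Authenticator) Assert(rpID, origin, challenge string) (cdJSON, sig []byte, err error) {
	priv, ok := a.creds[rpID]
	if !ok {
		return nil, nil, errors.New("authenticator: no credential scoped to " + rpID)
	}
	cdJSON, _ = json.Marshal(ClientData{Challenge: challenge, Origin: origin})
	h := sha256.Sum256(cdJSON)
	return cdJSON, ed25519.Sign(priv, h[:]), nil
}

// RelyingParty is the genuine site; Origin is the only origin it accepts logins from.
type RelyingParty struct {
	Origin string
	pubs   map[string]ed25519.PublicKey // username -> registered public key
}

// Verify accepts an assertion only if challenge, origin and signature all check out.
func (rp *RelyingParty) Verify(user, challenge string, cdJSON, sig []byte) error {
	var cd ClientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	if cd.Challenge != challenge {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if cd.Origin != rp.Origin {
		return errors.New("origin mismatch: assertion was produced for " + cd.Origin)
	}
	pub, ok := rp.pubs[user]
	h := sha256.Sum256(cdJSON)
	if !ok || !ed25519.Verify(pub, h[:], sig) {
		return errors.New("no registered key, or signature does not verify")
	}
	return nil
}

func newChallenge() string {
	b := make([]byte, 16)
	_, _ = rand.Read(b)
	return fmt.Sprintf("%x", b)
}

// RunScenario returns the outcome of (1) a genuine login, (2) the same flow relayed through a
// look-alike site, and (3) a captured assertion replayed later. Hostnames are constructed placeholders.
func RunScenario() (genuineErr, relayErr, replayErr error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // enrolment: one key pair bound to the genuine rpID
	auth := &Authenticator{creds: map[string]ed25519.PrivateKey{"login.example.com": priv}}
	rp := &RelyingParty{Origin: "https://login.example.com", pubs: map[string]ed25519.PublicKey{"alice": pub}}

	// (1) The browser really is on login.example.com.
	ch1 := newChallenge()
	cd1, sig1, err := auth.Assert("login.example.com", rp.Origin, ch1)
	if err != nil {
		return err, err, err
	}
	genuineErr = rp.Verify("alice", ch1, cd1, sig1)

	// (2) A look-alike site forwards a fresh genuine challenge, but the browser reports the
	// look-alike's rpID/origin: no credential matches, and any signature would carry the wrong origin.
	ch2 := newChallenge()
	if cd2, sig2, err := auth.Assert("login-example.test", "https://login-example.test", ch2); err != nil {
		relayErr = err
	} else {
		relayErr = rp.Verify("alice", ch2, cd2, sig2)
	}

	// (3) The genuine assertion from step 1 is submitted again against a new challenge.
	replayErr = rp.Verify("alice", newChallenge(), cd1, sig1)
	return genuineErr, relayErr, replayErr
}

func main() { fmt.Println(RunScenario()) }
```

Two properties defeat the relay in this model: the authenticator only releases the key scoped to the rpID the browser itself reports, and the site rejects any assertion whose signed origin is not its own. The challenge check is what stops a captured assertion from being replayed, which is the weakness the post contrasts with shared one-time codes that verify correctly no matter which site forwarded them.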
An Increasingly Stringent Regulatory Landscape
In response to escalating cyber threats and failing cybersecurity measures, government cybersecurity agencies worldwide have increased their requirements, advocating for adopting phishing-resistant authentication methods to safeguard sensitive data. For instance, in the US, Presidential Executive Order 14028 and an Office of Management and Budget (OMB) memo mandate using enterprise-managed identities for accessing work applications, explicitly focusing on phishing-resistant MFA to shield employees from sophisticated online attacks. Similarly, in the European Union, ENISA guidelines discourage the use of SMS and voice calls for authentication, urging entities to opt for more secure options such as smart cards and FIDO2 security keys.
PSD2, the EU directive for payment services, prioritizes online transaction security through strong customer authentication (SCA), requiring at least two authentication elements among knowledge, possession, and inherence. To combat phishing, PSD2 mandates dynamic authentication methods, like one-time codes, to deter replay attacks. I |
Rating |
★★★
|
Sent |
Yes |
Tags |
Ransomware
Malware
Tool
Threat
Mobile
|
Stories |
|