Tag: Fido2

All articles tagged with #fido2

ISO 27001 in a Passwordless World: The Passkey Migration Playbook
technology · 11 days ago

The article argues that enterprises should migrate from password-based authentication to passkeys (FIDO2/WebAuthn) to strengthen security and stay compliant with ISO/IEC 27001. It details how passkeys work, which controls they map to, practical migration steps, risk considerations (device loss, downgrade attacks), and best practices for phased rollout and documentation, with Passwork offering migration support.

PoisonSeed Attack Downgrades FIDO2 MFA Using Novel Phishing Tactics
security · 7 months ago

PoisonSeed threat actors are bypassing FIDO2 security keys by exploiting the cross-device sign-in feature in WebAuthn, tricking users into approving login requests from fake portals. This attack does not exploit a flaw in FIDO2 but abuses a legitimate feature, prompting organizations to implement additional security measures such as geographic restrictions and Bluetooth authentication. The attack highlights evolving methods to circumvent phishing-resistant authentication systems.

Google's Titan Security Keys: Revolutionizing Password-Free Authentication
technology · 2 years ago

Google has released two new versions of its Titan Security Key, featuring USB-C and USB-A connections, as well as NFC support. These keys are compatible with FIDO2 and can serve as two-factor authentication security for various online accounts. With the ability to hold over 250 unique passkeys, they offer a passwordless solution that goes beyond traditional two-factor technologies by using cryptography to verify the legitimacy of the key and protect against phishing attacks. Users can authenticate by connecting the key and verifying with a PIN, eliminating the need for passwords.

September Android Updates: Enhanced Security and Connectivity, Fixes Zero-Day Exploits
technology · 2 years ago

Google's September system updates include improvements to Android's support for the FIDO2 security standard, with the addition of PIN Protocol for added security. Google Wallet will also receive minor enhancements, such as new email preference settings and improved card management in Japan. The Play Store will introduce a new settings page to simplify survey choices.

Google's Quantum-Resistant FIDO Encryption Algorithm Unveiled
technology · 2 years ago

Google has announced the release of the first implementation of quantum-resistant encryption for FIDO2 security keys, which provide secure logins to websites without passwords. The implementation combines the elliptic curve digital signature algorithm (ECDSA) with a post-quantum algorithm called Dilithium. This hybrid approach aims to protect against future quantum attacks while also relying on the battle-tested ECDSA algorithm. The implementation is small enough to run on security keys' constrained hardware and offers improved signature speed. Google hopes to see this implementation standardized and supported by major web browsers to protect users' credentials against quantum attacks.

Google's Quantum-Resilient FIDO2 Key Implementation Ensures Data Security
technology · 2 years ago

Google has released the first open-source quantum-resilient FIDO2 security key implementation, using a unique ECC/Dilithium hybrid signature scheme. As quantum computing advances, traditional public key cryptography becomes vulnerable to quantum attacks. To address this, Google combined the ECDSA algorithm with the Dilithium algorithm to create a hybrid signature approach. The implementation, developed by Google engineers, is compact and high-performing, making it suitable for security keys. Google hopes that this proposal will become a new standard supported by major web browsers, emphasizing the need for next-gen cryptography at internet scale.

Beware of Latest Phishing Threats: Authenticators and Open Source Kits Vulnerable
cybersecurity · 3 years ago

Criminals are using software that sells for as little as $300 to deploy phishing campaigns that can bypass some forms of multi-factor authentication (MFA), including those that use time-based one-time passwords (TOTPs). The software, which is responsible for more than 1 million malicious emails each day, uses a technique known as adversary in the middle (AitM) to place a phishing site between the targeted user and the site they are trying to log in to. The most effective barrier to account takeovers is MFA based on the industry standard known as FIDO2.