< ciso brief />

All news with #fido2 tag

23 articles

Stopping AiTM Phishing: Defenses After Authentication

🛡️ AiTM (adversary-in-the-middle) phishing goes beyond credential theft: the attacker relays a legitimate login and intercepts the resulting session token, so stronger passwords and many MFA methods are insufficient on their own. FIDO2 and passkeys reduce exposure at the authentication step, but session cookies remain bearer tokens that can be replayed. The article recommends three practical controls: bind sessions to managed devices, monitor for post-authentication anomalies, and shorten the lifetime of high-value sessions. Combined with targeted user guidance, these controls stop attackers from exploiting captured sessions.

UK NCSC Urges Businesses to Offer Passkeys by Default

🔐 The UK National Cyber Security Centre now recommends offering passkeys as the default authentication option for consumer accounts, saying passwords are "no longer resilient enough" for modern threats. The agency highlights that FIDO2-based passkeys rely on device-bound cryptographic keys and local verification (biometrics or PINs), making them resistant to phishing and credential reuse. Where passkeys are not yet supported, it advises using password managers and strong multi-factor verification, and warns organisations to secure account recovery and fallback processes.

Fixing Authentication: Resilient Interoperable Systems

🔐 Authentication is breaking at critical front lines because a fragmented mix of cards, readers, middleware and identity platforms rarely interoperate under real-world pressure. This brittle stack allows downgrades, fallback paths and patch regressions to undermine even passwordless and FIDO2 deployments, producing outages and safety risks in healthcare, government and aerospace. The article outlines three architectural shifts — modular secure elements, reader‑agnostic middleware and a unified credential ecosystem — and a five-point CISO action plan to remove weak fallbacks, require downgrade transparency, harden patching, embed interoperability in contracts and run constrained high‑value pilots.

6 Key Trends Reshaping the Identity and Access Market

🔐 The IAM market is shifting from traditional login and MFA toward treating identity as a security control plane, driven by demand for phishing-resistant authentication and stronger governance for non-human accounts. Buyers are prioritizing FIDO2/passkeys, biometrics, and controls for service accounts, API keys, and AI agents. Regulatory change, managed services, and vendor consolidation are reshaping architectures and procurement decisions.

Microsoft Entra Adds Phishing-Resistant Passkeys on Windows

🔐 Microsoft is introducing passkey support in Microsoft Entra for Windows, enabling phishing-resistant, passwordless sign-ins via Windows Hello. The opt-in feature enters public preview worldwide from mid‑March through late April 2026, with government clouds (GCC, GCC High, DoD) following mid‑April through mid‑May. Passkeys are device-bound, stored in the Windows Hello container, and never transmitted over the network, preventing credential theft and MFA bypass. IT administrators must enable the Passkeys (FIDO2) authentication method, create a passkey profile including the required Windows Hello AAGUIDs, and assign the profile to appropriate groups to enroll devices.

Bitwarden Enables Passkey Sign-in for Windows 11 Devices

🔐 Bitwarden now supports logging into Windows 11 using passkeys stored in the Bitwarden vault, enabling phishing‑resistant, passwordless sign-in across devices. The capability is available on all plans, including the free tier, and uses a QR scan and mobile confirmation to release a vault‑stored Entra ID passkey. Required: Entra ID–joined devices, FIDO2 sign‑in enabled, and a registered Entra ID passkey in the vault. Microsoft will roll out the Windows support this month, subject to Entra configuration.

CrowdStrike FalconID Adds Phishing-Resistant MFA Support

🔐 FalconID is now generally available, delivering phishing‑resistant, FIDO2-based authentication built into the Falcon sensor and delivered via the Falcon for Mobile app. It replaces passwords, push notifications and one‑time codes with biometric, device‑bound verification and cryptographic domain binding. Authentication decisions are driven by real‑time identity, endpoint and SaaS telemetry to minimize friction while blocking credential abuse. For legacy apps, FalconID offers secure indirect authentication, and when paired with SGNL it enables continuous, risk‑based authorization across environments.

Passwords to Passkeys: ISO 27001 Compliance Practical Guide

🔐 Password-based authentication is increasingly replaced by passkeys—FIDO2/WebAuthn-backed credentials that store private keys on devices and typically meet AAL2/AAL3 assurance per NIST SP 800-63B. This article explains how organizations can adopt passkeys while remaining compliant with ISO/IEC 27001, mapping changes to Annex A controls (Access Control, Authentication Information, Secure Authentication) and documenting risk treatment. It highlights benefits, common risks such as device loss and downgrade attacks, and practical migration steps for enterprise deployment.

Defending Against ShinyHunters Branded SaaS Extortion

🔐 Mandiant is tracking a notable expansion of ShinyHunters-branded extortion campaigns that use evolved vishing and victim-branded credential harvesting to compromise SSO credentials and enroll unauthorized devices into corporate MFA. These intrusions exploit social engineering — not product vulnerabilities — to pivot into cloud SaaS environments and perform bulk exports and administrative abuse. The post provides prioritized containment, hardening, logging, and detection guidance, and urges adoption of phishing-resistant MFA such as FIDO2 security keys and passkeys.

ShinyHunters Expansion Targets SaaS Identity and Data

🔎 Mandiant and Google GTIG observed an expansion of ShinyHunters-style campaigns using sophisticated vishing and victim-branded credential harvesting sites to steal SSO credentials and MFA codes. Compromised accounts were used to access a broadening set of cloud SaaS applications to locate confidential documents and PII for extortion. Activity attributed to clusters UNC6661, UNC6671, and UNC6240 includes harassment, DDoS, and Limewire-hosted proof samples. Organizations should adopt phishing-resistant MFA such as FIDO2 or passkeys and follow published hardening and detection guidance.

Microsoft: FIDO2 Security Keys May Require PIN on Windows

🔒 Microsoft warned that FIDO2 security keys may prompt users to create or enter a PIN after Windows updates beginning with the September 29, 2025 KB5065789 preview. This behavior affects devices running Windows 11 24H2 or 25H2 when a Relying Party or identity provider requests User Verification set to preferred. Microsoft says the change is intentional to align with the WebAuthn specification, which requires PIN setup when authenticators support user verification. Organizations that want to avoid PIN prompts can set user verification to discouraged in their WebAuthn settings.

Tycoon 2FA Kit Exposes Global Collapse of Legacy MFA

🔐 The Tycoon 2FA phishing kit is a turnkey, scalable Phishing-as-a-Service that automates real-time credential and MFA relay attacks against Microsoft 365 and Gmail. It provisions fake login pages and reverse proxies, intercepts usernames, passwords and session cookies, then proxies the MFA flow so victims unknowingly authenticate attackers. The kit includes obfuscation, compression, bot-filtering, CAPTCHA and debugger checks to evade detection and only reveals full behavior to human targets. Organizations are urged to adopt FIDO2-based, hardware-backed biometric and domain-bound authentication to prevent such relay attacks.

Tycoon 2FA Phishing Kit Undermines Legacy MFA Protections

🔐 Tycoon 2FA is a turnkey phishing kit that automates real-time MFA relays, enabling attackers to capture credentials, session cookies, and live authentication flows for Microsoft 365 and Gmail. It requires no coding skill, includes layered evasion (obfuscation, compression, bot filtering and debugger checks), and proxies MFA prompts so victims unknowingly authenticate attackers. The result undermines SMS, TOTP and push methods and can enable full session takeover. The article urges migration to phishing-resistant FIDO2 hardware and domain-bound biometric authenticators.

Windows 11 Adds Native Support for Third-Party Passkeys

🔐 Microsoft has added native Windows 11 support for third-party passkey managers, beginning with 1Password and Bitwarden. Introduced in the November 2025 security update, the platform-level passkey API lets Windows generate a cryptographic key pair while storing the private key in the chosen manager, and uses Windows Hello (PIN or biometric) to verify logins. Microsoft also integrated its Microsoft Password Manager from Edge into Windows so users can pick their preferred manager. The change aims to improve portability, phishing resistance, and ease of passwordless authentication across devices.

Defending Digital Identity from Computer-Using Agents (CUAs)

🔐 Computer-using agents (CUAs) — AI systems that perceive screens and act like humans — are poised to scale phishing and credential-stuffing attacks by automating UI interactions, adapting to layout changes, and bypassing anti-bot defenses. Organizations should move beyond passwords and shared-secret MFA to device-bound, cryptographic authentication such as FIDO2 passkeys and PKI-based certificates to reduce large-scale compromise. SaaS vendors must integrate with identity platforms that support phishing-resistant credentials to strengthen overall security.

WhatsApp Adds Passwordless Passkey Chat Backups

🔒 WhatsApp is rolling out passkey-encrypted chat backups on iOS and Android, allowing users to secure backups with biometrics or a device screen lock instead of a password. Passkeys rely on a device-generated private/public key pair so the private key never leaves the device, reducing exposure to credential theft. Users can enable the feature under Settings > Chats > Chat backup > End-to-end encrypted backup. Meta has begun a global rollout that will reach users over the coming weeks and months.

Identity Crisis at the Perimeter: AI-Driven Impersonation

🛡️ Organizations face an identity crisis as generative AI and vast troves of breached personal data enable realistic digital doppelgangers. Attackers now automate hyper-personalized phishing, smishing and vishing, clone voices, and run coordinated multi-channel campaigns that reference real colleagues and recent projects. The article urges a shift to “never trust, always verify,” with radical visibility, rapid detection and phishing-resistant authentication such as FIDO2. It also warns of emerging agentic AI and recommends strict least-privilege controls plus continuous red-teaming.

X requires re-enrollment of 2FA security keys by Nov 10

🔐 X is asking users who rely on passkeys or hardware security keys (for example, YubiKeys) to re-enroll their devices for two-factor authentication by November 10 or face account lockout. The requirement stems from X’s migration from the twitter.com domain to x.com, as existing keys are tied to the old domain. Users should visit x.com/settings/account/login_verification/security_keys to disable and then re-add keys; a password confirmation is required. Re-enrolled keys will be associated with the x.com domain and will continue to work after the migration.

X Tells Security Key Users to Re-enroll by Nov 10, 2025

🔐 X is asking users who registered passkeys or hardware security keys (for example, YubiKey) as their two-factor authentication method to re-enroll their key by November 10, 2025. The company says current key enrollments are tied to the twitter[.]com domain and must be associated with x[.]com before the legacy domain can be retired. Accounts not re-enrolled will be locked until users re-enroll, choose a different 2FA method, or opt out of 2FA.

Assessing Passkey Security: Benefits and Limitations

🔐 Passkeys replace passwords with public-key cryptography, keeping the private key on the user’s device while services retain only a public key. They prevent phishing, credential stuffing, and brute-force attacks, and are unlocked by local authentication such as biometrics or a PIN. FIDO research and high-profile moves by Microsoft and Aflac highlight improved convenience and reduced support costs, but device dependency, legacy compatibility, and implementation costs remain significant challenges.