All news with #passkeys tag

Sneaky 2FA Kit Adds BitB Pop-ups That Mimic Address Bar

🔒 Push Security says the Sneaky 2FA Phishing-as-a-Service kit now leverages Browser-in-the-Browser (BitB) pop-ups to impersonate Microsoft login pages and conceal malicious URLs. Victims first pass a Cloudflare Turnstile bot check before a fake "Sign in with Microsoft" flow is loaded in an embedded BitB window that exfiltrates credentials and session data. The campaign pairs conditional loading, developer‑tool blocking, obfuscation, and rapid domain rotation; organizations should tighten conditional access and users should avoid unknown links and browser extensions.

Tycoon 2FA Kit Exposes Global Collapse of Legacy MFA

🔐 The Tycoon 2FA phishing kit is a turnkey, scalable Phishing-as-a-Service that automates real-time credential and MFA relay attacks against Microsoft 365 and Gmail. It provisions fake login pages and reverse proxies, intercepts usernames, passwords and session cookies, then proxies the MFA flow so victims unknowingly authenticate attackers. The kit includes obfuscation, compression, bot-filtering, CAPTCHA and debugger checks to evade detection and only reveals full behavior to human targets. Organizations are urged to adopt FIDO2-based, hardware-backed biometric and domain-bound authentication to prevent such relay attacks.

Tycoon 2FA Phishing Kit Undermines Legacy MFA Protections

🔐 Tycoon 2FA is a turnkey phishing kit that automates real-time MFA relays, enabling attackers to capture credentials, session cookies, and live authentication flows for Microsoft 365 and Gmail. It requires no coding skill, includes layered evasion (obfuscation, compression, bot filtering and debugger checks), and proxies MFA prompts so victims unknowingly authenticate attackers. The result undermines SMS, TOTP and push methods and can enable full session takeover. The article urges migration to phishing-resistant FIDO2 hardware and domain-bound biometric authenticators.

Why a Fully Passwordless Enterprise May Remain Elusive

🔒 Enterprises have pursued a passwordless future for more than a decade, yet deployment is stalling as legacy systems, industrial and IoT devices, and custom apps often lack support. A recent RSA report found 90% of organizations face coverage gaps or poor user experience, leaving most firms able to cover only about 75–85% of use cases. Experts warn that enrollment, recovery, and fallback mechanisms frequently reintroduce passwords and expand attack surfaces unless those flows are made as phishing-resistant as logins.

X Tells Security Key Users to Re-enroll by Nov 10, 2025

🔐 X is asking users who registered passkeys or hardware security keys (for example, YubiKey) as their two-factor authentication method to re-enroll their key by November 10, 2025. The company says current key enrollments are tied to the twitter[.]com domain and must be associated with x[.]com before the legacy domain can be retired. Accounts not re-enrolled will be locked until users re-enroll, choose a different 2FA method, or opt out of 2FA.

Fake LastPass inheritance emails used to steal vaults

🔒 LastPass warns customers of a sophisticated phishing campaign that uses fake inheritance emails claiming a family member uploaded a death certificate to request emergency access to a user's vault. The messages include an agent ID and a link that redirects victims to a fraudulent page on lastpassrecovery[.]com where the victim is prompted to enter their master password. In some incidents attackers also called victims while posing as LastPass staff. The campaign, active since mid‑October and attributed to financially motivated group CryptoChameleon (UNC5356), has expanded to target passkeys as well.

Google introduces Recovery Contacts to aid account recovery

🔒 Google is introducing Recovery Contacts, a new account-recovery option that lets you designate trusted friends or family to help regain access if you lose a password or device. When you request help, you share a one-time verification code with your chosen contact; they receive an email or notification and confirm the code to verify it’s really you. Your recovery contact will not have access to your account or personal data. The feature complements passkeys and existing recovery tools and is rolling out now.

Synced Passkeys: Enterprise Risks and Mitigations Guide

🔒 The article warns that deploying synced passkeys introduces enterprise exposure because they inherit risks tied to cloud accounts and recovery processes. It highlights practical attack vectors — including AiTM-based authentication downgrades and malicious browser extensions — that can bypass or capture passkeys. The author recommends mandatory use of device-bound, hardware-backed authenticators and strict enrollment and recovery controls to preserve phishing-resistant access.

13 Cybersecurity Myths Organizations Must Stop Believing

🛡️ This article debunks 13 persistent cybersecurity myths that no longer hold up against rapidly evolving threats such as AI-generated deepfakes and accelerating digitalization. Experts contend that AI augments rather than replaces human analysts, because human context and judgment remain essential. They warn that identity verification, MFA, and buying more tools or people are insufficient without mature operations, automated certificate management, and a defense-in-depth posture tuned for modern attacker behaviors.

Amazon Cognito: Managed vs. Custom Login UI Options

🔒 This post contrasts Amazon Cognito's two primary UI approaches—managed login and a fully custom UI—and outlines feature, security, and operational trade-offs to guide architects and developers. Managed login (offered as a modern branding editor or the Hosted UI classic) offloads hosting, scaling, and maintenance while providing OAuth2 flows, federation with social and OIDC/SAML providers, passwordless options, and CloudTrail action logging. A custom UI gives full control over UX, session management, localization, and supports custom authentication flows via Lambda triggers, but requires development, hosting, and operational responsibility under the AWS Shared Responsibility Model.

Cybersecurity Awareness Month 2025: Move Beyond Passwords

🔐 October's Cybersecurity Awareness Month reminds users that passwords alone no longer provide reliable protection. Adopt MFA wherever possible—prefer authenticator apps or hardware security keys over SMS—and consider emerging passwordless options such as passkeys. Organizations should enforce strong authentication to protect systems, customers and reputation. Watch ESET's video with Tony Anscombe for practical guidance.

Assessing Passkey Security: Benefits and Limitations

🔐 Passkeys replace passwords with public-key cryptography, keeping the private key on the user’s device while services retain only a public key. They prevent phishing, credential stuffing, and brute-force attacks, and are unlocked by local authentication such as biometrics or a PIN. FIDO research and high-profile moves by Microsoft and Aflac highlight improved convenience and reduced support costs, but device dependency, legacy compatibility, and implementation costs remain significant challenges.

AI-powered phishing uses fake CAPTCHA pages to evade

🤖 AI-driven phishing campaigns are increasingly using convincing fake CAPTCHA pages to bypass security filters and trick users into revealing credentials. Trend Micro found these AI-generated pages hosted on developer platforms such as Lovable, Netlify, and Vercel, with activity observed since January and a renewed spike in August. Attackers exploit low-friction hosting, platform credibility, and AI coding assistants to rapidly clone brand-like pages that first present a CAPTCHA, then redirect victims to credential-harvesting forms. Organizations should combine behavioural detection, hosting-provider safeguards, and phishing-resistant authentication to reduce risk.

VoidProxy PhaaS Uses AitM to Steal Microsoft, Google Logins

🔐 Okta has uncovered VoidProxy, a phishing-as-a-service operation that uses Adversary-in-the-Middle techniques to harvest Microsoft and Google credentials, MFA codes, and session tokens. The platform leverages compromised ESP accounts, URL shorteners, multiple redirects, Cloudflare Captcha and Cloudflare Workers to evade detection and hide infrastructure. Victims who enter credentials are proxied through an AitM server that captures session cookies and MFA responses, enabling account takeover. Okta recommends passkeys, security keys, device management, and session binding to mitigate the threat.

Salty2FA Phishing Framework Evades MFA Using Turnstile

🔒 A newly identified phishing-as-a-service called Salty2FA is being used in campaigns that bypass multi-factor authentication by intercepting verification flows and abusing trusted services like Cloudflare Turnstile. Ontinue researchers report the kit uses subdomain rotation, domain-pairing, geo-blocking and dynamic corporate branding to make credential pages appear legitimate. The framework simulates SMS, authenticator apps, push approvals and even hardware-token prompts, routing victims through Turnstile gates to filter automated analysis before harvesting credentials.

Passwordless Authentication: 10 Enterprise Solutions

🔐 Passwordless authentication aims to replace fragile passwords with modern, standards-based alternatives to improve security and usability. The piece stresses the central role of the FIDO Alliance and the emergence of Passkeys as an industry evolution. It compares ten vendors — including Okta, Yubico, HYPR and CyberArk — describing device-based cryptographic keys, biometrics, TPM protection and enterprise integrations. Deployment options range from hardware tokens to managed passkey services and offline, air-gapped support to ease migration.

Google Refutes Claims of Mass Gmail Password Alert

🔔 Google has disputed reports that it issued a blanket warning asking 2.5 billion Gmail users to reset passwords following a recent breach that allegedly affected some Workspace accounts. In a Monday blog post the company called those headlines false and emphasized that Gmail's protections block over 99.9% of phishing and malware. Google advised users to enable two-step verification and adopt passkeys, and it criticized the spread of unverified claims by media and security vendors.

Microsoft launches Secure Future Initiative patterns

🔐 Microsoft announced the launch of the Secure Future Initiative (SFI) patterns and practices, a new library of actionable implementation guidance distilled from the company’s internal security improvements. The initial release includes eight patterns addressing urgent risks such as phishing-resistant MFA, preventing identity lateral movement, removing legacy systems, standardizing secure CI/CD, creating production inventories, rapid anomaly detection and response, log retention standards, and accelerating vulnerability mitigation. Each pattern follows a consistent taxonomy—problem, solution, practical steps, and operational trade-offs—so organizations can adopt modular controls aligned to secure by design, by default, and in operations principles.

Google survey: U.S. consumers report rising online scams

🔒 Google’s latest survey with Morning Consult shows U.S. consumers increasingly aware of online scams and taking new protective steps. Over 60% report an uptick in scams and one-third say they experienced a data breach, with texts and email the most common vectors. The report highlights generational differences in sign-in preferences — older adults rely on passwords while Gen Z favors passkeys and social sign-ins — and recommends Google Password Manager, 2‑Step Verification and modern authentication methods.