InvestorsHub Logo
Boards
News
Market Data
Markets
Discover
Discover
Subscribe Login/Register
S&P 500
5,468.76
(
0.38%
)
US TECH 100
19,169.20
(
1.11%
)
Dow Jones
39,119.44
(
-0.74%
)
Brent Oil
84.19
(
-1.27%
)
Bitcoin
61,903.96
(
2.72%
)
Post# of 249148
Next 10
Reply Private New
Public Reply Private Reply New Post
Keep Last Read
Keep Next 10 Report Keyboard Shortcuts
Next 10 Prev Next

Genz2

Send PM Follow Ignore
Followers 5
Posts 2784
Boards Moderated 0
Alias Born 09/06/2006

Genz2

Re: None

Monday, 06/08/2020 6:29:36 PM

Monday, June 08, 2020 6:29:36 PM

Post# of 249148
OAuth Attacks Bypass MFA Protection

https://www.infosecurity-magazine.com/infosec/oauth-attacks-bypass-mfa/

Whenever a phishing attack hits the headlines, the advice is always the same: train your employees to be suspicious, and use multi-factor authentication (MFA), followed by a mandatory discussion of how passwords aren’t enough to guarantee security anymore. This is generally good advice, but don’t be lulled into a false sense of security: MFA isn’t watertight, and two stories surfaced in May to prove it.

Many online services today have turned their back on repeated password entry, instead u’ing OAuth. This is an authorization mechanism that lets one site interact with another on your behalf, and it’s commonly used to sign into third party websites.

For example, a site supporting Google-based logins offers a ‘sign in with Google’ option that redirects you to Google’s sign-in screen if you’re not already signed into your Google account. It’s a way of enabling you to sign up for a service without filling out a new username and password form.

After you’ve signed into your Google account, the search giant returns you to the third party site with a request token. The third party site then shows that token to Google, which grants it an access token that lets it access the information you’ve authorized it to see in your account (in this case, your email address, to confirm that you’re signing in with your Google account). This token gives the site access to that information for a limited time, at which point you’ll have to repeat the process.

Google allows people to protect their accounts with MFA using its authenticator app, which protects this third party relationship too. Someone trying to sign into the third party site using your Google account would need your phone to complete the sign-in.

Please see the rest of the article at the above link.
==================================================================
Use a better MFA solution in Wave VSC 2.0!! Wave VSC 2.0 wouldn't have the problems outlined in this article!!!
==================================================================
https://www.wavesys.com/

https://www.wavesys.com/contact-information

https://www.wavesys.com/products/wave-virtual-smart-card

https://www.wavesys.com/products/embassy%C2%AE-remote-administration-server-tpm-management










Public Reply Private Reply New Post
Keep Last Read
Keep Last Read Next 10 Report Keyboard Shortcuts
Next 10 Prev Next

Join the InvestorsHub Community

Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.

Sign Up