[ad_1]
Passkeys are currently the authentication tool of choice for security pros, but any type of account protection is better than nothing, says Trend Micro VP of Strategy Eric Skinner. Yes, even SMS-based multi-factor authentication (MFA).”Text-based SMS MFA is relatively straightforward, and almost everybody has a phone,” Skinner told me at the RSA Conference in San Francisco. And while it’s “technically hackable” thanks to SIM-swapping schemes, “security folks may overreact.”He pointed out that SIM-swapping requires a focus on a specific victim and a social engineering attack on the carrier. “It takes some effort.””Luckily, a new technology is gaining ground,” said Skinner. “My message is, use passkeys wherever they’re available. Enterprise hasn’t adopted them, but consumers have the chance.” Passkeys are FIDO2-compatible, meaning they can use common devices to authenticate and are more convenient than hardware security keys.Attacker-in-the-MiddleAs for what passkeys and MFA guard against, Skinner pointed to a rise in what’s known as “attacker-in-the-middle” attacks. “It does not require skill. The code is published, downloadable from GitHub,” he said. “You can get kits.”In 2018, we covered an early version of the attack, which starts with a phishing email. Now, with the help of generative AI, “attackers are able to write much better emails” that convince people to click and log in, said Skinner. “They can be perfect.”
Recommended by Our Editors
When the fake website receives the user’s credentials, it passes them along to the real site. This generates the text-based MFA message, as usual. But when the victim types in the code, the attacker captures it and uses it to log in. Skinner confirmed this would also work with an authenticator app or even with a physical token that displays a changing code.I asked how the fake website could escape the notice of Trend Micro’s antivirus or a similar product, and Skinner said the fake version runs on a server somewhere, with no presence on your local machine. “We’re tired of seeing people get his with these attacks,” said Skinner. To avoid getting caught up in this yourself, we have explainers on how to set up passkeys on your Amazon, Apple, and Google accounts.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
[ad_2]