MFA involves more than one of these "factors". Your physical debit card (yes banks have been doing MFA for decades) This is very common and in use everywhere from your debit card pin to your computer. There are three ways to prove you are the owner of a digital asset. That's why many companies are moving to things like Yubikeys. So, although there is risk in having the key always in your laptop, for most people, the risk is much higher if you use an active MFA method. So they don't know they should press the nano key, and the bad guy can't get in because the MFA requirement goes unanswered.
No annoying phone ringing, no prompt flashing. There is no indication that they should click or press anything. But now, instead of an active indicator, like a phone call or prompt on the victim's phone, nothing actually happens for the end user. When the bad guy goes to log in with stolen credentials, Microsoft requires MFA. And if they don't on the first try, they will by the third try, just to make the phone stop ringing or prompting. People press OK or press 1 on the phone because they're used to it. But in real life, it doesn't work out that way. Now, you'd think that most people would ignore it, or even report it, since they didn't do anything to cause that to happen. When the bad guy logs into your account, you get a call or a prompt. So for MFA, many companies use either call to home (where Microsoft calls a number you set up) or push to authenticate (where a prompt comes up on your phone to say it's OK to log on).īoth of these are flawed. So, having MFA means that they now need not only your password, but they need you to enter your MFA as well. So when Linkedin got hacked and the passwords released, a lot of people's Azure accounts were compromised too.
People use their work email address and password all over the place. But that's a low risk scenario in most cases.Ī far more likely scenario (in general) is that someone elsewhere in the world learns someone's username and password through a related hack. And if that person knows your password (and code for the Yubikey), then they're in. Yes, it is possible that your laptop may be stolen and then the key would go with.
0 kommentar(er)
