home.social

#mfa — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #mfa, aggregated by home.social.

  1. Salesforce is putting out several important security updates over the next few months.

    One of these relates to multi-factor authentication. Here is a video explaining this more and what it could mean for you.

    #Salesforce #mfa #security

    youtu.be/cgGTTm0d9xs?si=TrIPqV

    @b0rk
    @hak5
    @JohnHammond
    @patrickcmiller
    @lovelacecoding

  2. not all heroes wear capes. some of them put timely suggestions on their tags when they go to the dmv.

    `USE MFA`

    #mfa #infosec #cybersecurity

  3. Reliable face control: how to bolt MFA onto a web service via Nginx and OAuth2 Proxy

    Adding MFA to a modern web application is usually straightforward: enable SAML or OIDC on the application side and turn on the second factor at the Identity Provider. The problems begin where the service speaks neither SAML nor OIDC, and rewriting it is risky, expensive, or simply nobody's job. Many corporate networks still host monolithic legacy systems that are better left untouched, and custom services that have long been without active development. The concept of pre-authentication was devised for exactly this case. It lets you move all the complex logic of permission checks, token handling and cryptography out to an external layer. In essence, a barrier is placed in front of the application that cuts off illegitimate requests before they ever reach the backend. In this article, systems engineer Artur Gazeev and I, Askar Dobryakov, lead expert in data and application protection at

    habr.com/ru/companies/k2tech/a

    #nginx #oauth2proxy #mfa #sso #предаутентификация #auth_request #legacy #информационная_безопасность

  4. FLINTA*s strong instead of Men's Day 14.05.26

    Under the motto 💜FLINTA* strong instead of Men's Day💜 the feminist, anti-fascist group Mixed Feminist Action (MFA) invites you to a special day of action. 📅 14.05.2026 ⏰ FROM 13:00 📍Niklotstraße 💘FLINTA* & friends A varied programme with space for exchange, creativity and empowerment awaits you. The programme is spread across the Median and the Kiezladen opposite, and offers a broad mix from "brain on" to "brain […]

    awiro.org/flintas-stark-statt-

  5. Are you on the safe side yet? 🛡️

    In an era of sophisticated phishing and data breaches, relying on passwords or SMS codes is like locking your front door but leaving the key under the mat. For a robust level of private security, I’ve integrated Yubico Yubikey into my daily routine as the ultimate hardware root of trust.

    The true value of "Cold" Security

    Hardware authenticators offer unparalleled security. Their physical nature means cryptographic keys are embedded directly, making them impossible to copy, extract, or steal remotely. No physical device, no access. Period.

    My "Strict Security" Setup

    I’ve minimized my attack surface by removing the weakest links:

    1. Phone-Free: I have disabled phone number linkage and SMS authentication wherever possible to eliminate SIM-swapping risks.

    2. Passwordless: Where supported, I use FIDO2/WebAuthn. No password means no password can be phished.

    3. The Backup Rule: I use a minimum of two keys. My primary key is always with me, and a backup key is hidden in a secure, off-site location.

    Hardware-Signed Workflow

    I leverage the full multi-protocol potential of the key:

    - GPG & Git: I use GPG primarily for signing git commits. When I push code, I am physically "touching" the hardware to sign that digital information.

    - PIV/SSH: Secure access to servers without resident private keys on the machine.

    - OTP & Static Passwords: Bridges for legacy services.

    The Vault Strategy

    For passwords and sensitive metadata, I rely on Bitwarden. Access to my vault is strictly locked behind my hardware keys.

    > No, I'm not "that paranoid" ... yet. But I do keep an eye on the compromise of central servers. That’s why I’m planning to implement a fully self-hosted, self-controlled vault solution soon.

    I’d love to hear your thoughts – what are your favorite self-hosted security stacks?

    #CyberSecurity #YubiKey #Bitwarden #Infosec #Privacy #MFA #PGP #SSH #SecurityEngineering #SelfHosted

  7. Inside a phishing panel

    Security researchers gained direct access to Doko's Panel, a real-time phishing platform used in criminal campaigns by ShinyHunters and BlackFile groups. The investigation revealed four distinct infrastructure clusters operating independently customized variants of the tooling. Attacks combine voice phishing with adversary-in-the-middle techniques targeting enterprise identity providers like Okta, Microsoft, and Google, as well as cryptocurrency exchanges. Operators call victims impersonating IT helpdesk staff, directing them to combosquatted domains where credentials and MFA tokens are manually relayed in real-time. Confirmed breaches include SoundCloud (30M records), Match Group (10M records), Betterment (20M records), and Crunchbase. Over 400 domains have been identified linked to these operations. Evidence shows extensive use of AI language models in developing phishing infrastructure, with operators leveraging legitimate services to rapidly deploy and rotate attack infrastructure.

    Pulse ID: 6a019872d2134a70b4d8a5bf
    Pulse Link: otx.alienvault.com/pulse/6a019
    Pulse Author: AlienVault
    Created: 2026-05-11 08:50:58

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #AdversaryInTheMiddle #Cloud #CyberSecurity #Google #InfoSec #MFA #MFATokens #Microsoft #OTX #OpenThreatExchange #Phishing #RAT #bot #cryptocurrency #AlienVault

  8. In the ongoing discussion about "secure" mobile operating systems, I wonder why my new banking app, which only runs on such a "secure" OS, is supposed to be more secure than good old SMS, which even works with dumbphones. In the new app, logging in requires nothing more than the device PIN...
    #2fa #mfa #passkey #ebanking

  12. #BostonWeekend Thru 5/29 JAPAN Boston's MFA hosts a bunch of films at the museum. This weekend includes the recent hit Kokuho on Saturday 5/9 (3 hour live action historical drama about #kabuki, highest grossing live action film in Japan ever). youtube.com/watch?v=Y0KfXj3Skao #Kokuho mfa.org/series/uniqlo-festival #BostonFilm #BostonAsia #Boston #MFA #MuseumOfFineArts #Japan

  13. The plain password '123456' is still the most popular! The NordPass report sheds light on this. Add MFA and get canonical protection against password leaks. Strong password, secure password, MFA! #PasswordSecurity #MFA #CyberSecurity

    🚩 #PasswordSecurity #MFA #CyberSecurity

  15. Cisco Talos report: hackers look for vulnerabilities less often, and for us more often. AI is driving a new wave of phishing

    Cybercriminals are taking the easy route, and worse, it works.

    Instead of struggling with complicated technical vulnerabilities, they increasingly use artificial intelligence to build, in a few minutes, a trap that a living person will fall into. The latest Cisco Talos report for the first quarter of 2026 shows that a hacker today less often needs to know how to program and more often simply needs to be able to write a good prompt.

    AI as an "intern" in the service of cybercrime

    The biggest change the experts noted is the radical lowering of the entry barrier into the world of cybercrime. Thanks to AI tools and "no-code" platforms, even amateurs can generate credible phishing pages in a matter of minutes. The whole process, from creating a fake Outlook login panel to automatically forwarding stolen passwords to Google Sheets, happens without writing a single line of code. This makes attacks mass-scale and more professional-looking than ever before.

    Return of the king: phishing back on top

    The effect is visible in the numbers. After a year's break, phishing has returned to first place as the main way of breaking into companies, accounting for more than a third of all incidents. This is a major changing of the guard; just a year ago hackers focused mainly on hunting for software vulnerabilities (like the notorious ToolShell). Today that figure has dropped drastically, because it is simpler and cheaper to deceive an employee than to break a server's defences. Marcin Klimowski of Cisco Poland says it plainly: attackers are moving away from complex technology towards scalable attacks aimed at human error.

    MFA stops being an indestructible shield

    The report also delivers a cold shower to those who believed that two-factor authentication (MFA) solves all problems. In as many as 35% of the cases studied, hackers managed to bypass this safeguard. They did so, among other ways, by registering their own devices right after taking over a password, or by configuring email to connect directly to the server, completely bypassing the verification layer. It is a clear signal that merely having MFA is not enough; you also have to watch who and what gets attached to that system.

    Public administration and hospitals in the crosshairs

    Who should be most afraid? The data does not lie: public administration and healthcare are the sectors hackers hit most readily (24% of all attacks each). Government offices have been the number one target for the third quarter in a row, mainly due to older infrastructure and the fact that they cannot afford downtime. Interestingly, despite this pressure, a drop in ransomware effectiveness was recorded. The share of data-encrypting attacks fell to 18%, which is credited to increasingly efficient Incident Response teams, which more and more often catch the intruder before they manage to "lock" the system.

    The conclusions for us are clear: in the AI era, language errors or suspicious graphics in emails are a thing of the past. Today the greatest threat is not a hole in the system, but our own self-confidence and faith in the infallibility of safeguards that hackers have already learned to get around.

    The end of blind faith in the cloud. Cisco is building digital fortresses in Europe

    #administracjaPubliczna #bezpieczeństwoIT #CiscoTalos #cyberbezpieczeństwo #MFA #ochronaZdrowia #phishing #ransomware #sztucznaInteligencja

  16. 🔐 Because "sicher123" still isn't secure: remember, today is #WeltPasswortTag!

    #Passkeys, multi-factor authentication #MFA and #Passwortmanager are increasingly becoming the standard for protecting accounts better against #Phishing and theft. Weak or reused passwords are among the most common security risks!

    So use:
    ✅ strong passwords: a separate password for each service
    ✅ a password manager
    ✅ MFA
    ✅ switch to passkeys where possible

    @dfncert

  17. How Salesforce Will Secure Your Org Against Hackers

    Security and convenience are almost always inversely correlated. Making something more secure inherently makes it harder to access, which creates real friction for everyday users. This tension is nothing new. Hackers have always sought unauthorized access to systems, but historically, the barriers were high: computers were expensive and internet access was scarce. This is no longer true.

    This battle front has always favored attackers. Security teams must successfully defend against every single intrusion attempt, while hackers only need to succeed once. A single breach can cause significant damage.

    What’s changed is the scale and speed of attacks. AI has dramatically lowered the barrier to entry, enabling hackers to probe far more systems, far more frequently than ever before.

    Recently, several Salesforce customers experienced significant system breaches involving their Salesforce instances, most notably those tied to the ShinyHunters cybercriminal group. What made these incidents particularly damaging was that the compromised accounts belonged to users with elevated access, including admins and developers. Salesforce denied responsibility and took limited action, largely confining its response to informing and educating the ecosystem about the risks of phishing and vishing attacks.

    It seems like that is about to change. Big time.

    Salesforce decided to enforce multiple security controls starting June-August 2026 to prevent credential theft, data exfiltration, and account takeovers. IP range restrictions originally planned are no longer being mandated, but MFA for all employee users, phishing-resistant MFA for admins, auto-containment for high-risk connections, and step-up authentication for reports will be enforced.

    This means your life is about to get more difficult, especially if you have elevated access typically used by admins, developers and architects.

    The New Security Direction by Salesforce

    • MFA exemption permission restricted: The “Waive Multifactor Authentication for Exempt Users” permission will be removed except for justified cases (automation/testing users) requiring support approval. 
    • New permission set required: “Modify Transaction Security Policy” permission set introduced. Users need both the new “Modify Transaction Security Policy” permission AND the existing “Customize Application” permission to manage TSPs. Users with only the Customize Application permission will be downgraded to read-only access for TSPs.
    • IP range restriction enforcement removed: The requirement to use IP ranges on profiles and the “enforce login ranges on every request” setting will not be mandated, though strongly recommended for customers who can implement them.
    • Staggered rollout approach: Enforcement timelines extended and staggered by instance to minimize customer disruption.

    Security Controls Being Enforced

    Auto-Containment Measures

    High-risk IP blocking was expanded April 24th to include all connected app and API traffic from anonymizing VPNs, proxies, and high-risk IP addresses; users are contained automatically with admin notifications. Extended login anomaly containment applies to all internal user login behavior (excluding external/community users) and focuses on detecting suspicious login patterns. There is no allow-list override, meaning even allow-listed IP addresses will be contained if classified as high-risk at connection time. There are also AWS integration issues under active investigation, with some AWS IP addresses being incorrectly flagged and the issue currently being resolved.

    MFA Requirements

    All Employee Users

    MFA is required for all employee license users, excluding Experience Cloud and external users. Enforcement is handled via locked settings, so admins cannot disable it. API-only logins are exempt, as the requirement applies exclusively to UI logins. For SSO, providers must pass AMR/ACR signals indicating strong or phishing-resistant MFA.

    Timeline: Sandboxes June 22-29; Production July 20-August 17 

    Admins and Privileged Users

    Phishing-resistant MFA is required for users with elevated privileges, specifically those on the default Sys Admin profile or holding Modify All Data, View All Data, Customize Application, or Author Apex permissions. This standard is stricter than standard MFA, and mobile authenticator apps do not meet the threshold. Only security keys and built-in authenticators or passkeys qualify.

    Timeline: Sandboxes June 22-29; Production July 1-27 

    Email Domain Verification

    DKIM or authorized email domain verification is required for all email sending domains (this was previously announced). Enforcement is being rolled out on a staggered timeline; check the timeline knowledge article for the latest dates. A tool is also available to verify compliance status.

    Step-Up Authentication for Reports

    Time-Based Session Policy:

    • Additional authentication required when users spend considerable time on reports.
    • Admins can configure the “Require step-up authentication within cool-down period” session-level policy to an exact cadence between 2 and 120 minutes (with 120 minutes being the default); logging in with MFA does not reset the timer.
    • Verification methods: Users can use any supported MFA method, including Passkeys, Security Keys, Salesforce Authenticator, and third-party TOTP apps. The email and SMS One-Time Password (OTP) options are specifically fallback challenges for Single Sign-On (SSO) users who do not have a Salesforce MFA method registered.
    • Report access blocked if authentication fails (UI only, not API).
    • Timeline: Available May 27 (sandbox/production); Enforced June 3 (sandbox), June 10-July 4 (production). 

    Anomalous Behavior Detection

    • ML-based detection triggers authentication when unusual report viewing/downloading behavior detected.
    • Users must configure at least one verification method (authenticator app, phone, email) or report access blocked. 
    • Timeline: Enforced June 22 (sandbox), July 13 (production). 

    Transaction Security Policy Enhancements (Shield/Event Monitoring customers only): 

    • Step-up authentication required when downloading >10,000 records from reports.
    • Required for any create/update/delete/enable/disable operations on transaction security policies.
    • Timeline: Available June 1 (sandbox), June 15 (production); Enforced June 22 (sandbox), July 13 (production). 

    Additional Considerations

    Mobile SDK Lockout Risk for Admins: Warning for admins using the Salesforce Mobile App or custom Mobile SDK apps. Mobile SDK version 13.2.0 and earlier does not support phishing-resistant MFA. Admins using these older versions will be blocked from logging in unless their org pre-configures advanced authentication in My Domain, or until they utilize the new “Login for Admins” browser-based flow arriving in Mobile SDK 13.2.1.

    Impact on “Waive MFA” Permission: Please note the exact behavior of the “Waive Multi-Factor Authentication for Exempt Users” permission. After enforcement, this permission will no longer automatically waive the MFA requirement; users with this permission will actually be prompted to enroll in MFA in the UI. To restore this exemption for valid testing/automation tools, admins must proactively contact Salesforce Support for approval.

    Passwordless Login Recommendation: Please note the best-practice recommendation of enabling “Allow passwordless login with passkeys”. This allows users (especially privileged admins) to meet the strict phishing-resistant MFA requirement by simply logging in with their username and a biometric passkey or security key, bypassing the need for a password and streamlining their experience.

    Trial Org Grace Period: Note that Trial Orgs converted to a paid subscription will no longer receive a 30-day grace period to comply with the MFA requirement.

    MFA Edge Cases and Exceptions

    Experience Cloud and Community users are completely exempt from this specific MFA login mandate. API-only users with the API-only permission assigned are exempt from MFA, as the requirement applies exclusively to UI logins. For Windows SSO, check the AMR field in login history for OIDC, or use the SAML Validator tool for SAML; ignore the strong/weak classification and only verify that the signal is present. Free scratch orgs are not in scope, as MFA enforcement applies only to paid sandbox orgs. When it comes to device activation, MFA takes precedence, and completing MFA exempts users from device activation prompts. Finally, custom IDPs must follow SAML/OIDC industry standards for passing AMR/ACR signals; contact your account team or support for provider-specific nuances.

    Customer Communication Plan

    Knowledge articles were published, you will find the links in this post. System administrators and security contacts received email notifications on the 6th of May, 2026. Product managers will be hosting webinars on Wednesday, May 13th, with both early and late US time slots available. For the early webinar time, click here. For the later time, click here.

    Action Items

    • Partners: Review client orgs for current VPN usage and MFA exemption permission assignments; prepare clients for June-August enforcement timelines. 
    • Admins: Test MFA configurations in sandboxes starting June 22; ensure users have at least one verification method configured (email/SMS/authenticator). 
    • SSO administrators: Verify AMR/ACR signals are being passed correctly using login history (OIDC) or SAML Validator tool (SAML). 
    • Shield customers: Review transaction security policies and prepare for step-up authentication on report downloads >10,000 records and policy modifications. 
    • All customers: Set up DKIM keys or authorized email domains; use in-app verification tool to check compliance. 

    Don’t Wait for Enforcement to Find Your Gaps

    Salesforce’s upcoming security enforcement represents a meaningful shift in how the platform approaches user protection. For years, the responsibility fell almost entirely on customers to configure and maintain their own security posture. That’s changing. Whether you’re an admin, developer, architect, or partner, the June through August enforcement windows are closer than they appear. Audit your orgs, test your configurations in sandbox, and make sure your users are set up with the right verification methods before enforcement kicks in. The friction is real, but so is the risk it’s designed to address. See the official Salesforce documentation here.

    Explore related content:

    Setup with Agentforce: What Salesforce Admins Need to Know

    The Salesforce DKIM Sandbox Problem, and How to Fix It

    Clean Data, Smart Flows: Automating Data Cleanup in Salesforce Nonprofit Cloud

    #DomainVerification #MFA #Salesforce #SalesforceTutorial #Secutiry #Tutorial
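
The post's action item for SSO administrators is to confirm that the AMR/ACR signal is present at all. The following is an added example, not Salesforce's or the post author's code: it reads the `amr` claim (RFC 8176) out of an OIDC ID token payload and the `AuthnContextClassRef` values out of a SAML 2.0 response, using constructed sample inputs; `make_unsigned_id_token` is a demo-only helper for building those samples.

```python
"""Check whether an SSO response carries an MFA signal: the OIDC `amr` claim (RFC 8176)
or a SAML 2.0 AuthnContextClassRef. Constructed samples only; no real IdP output is used."""
import base64
import json
import xml.etree.ElementTree as ET  # prefer defusedxml in production (XXE, entity expansion)

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
AUTHN_CTX_PATH = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_unsigned_id_token(claims: dict) -> str:
    """Constructed helper for this demo only: an 'alg: none' JWT with an empty signature.
    Real ID tokens are signed by the IdP; a service provider must never accept alg=none."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}."


def oidc_amr_values(id_token: str) -> list:
    """Return the `amr` values (e.g. ["pwd", "mfa"]) from an ID token payload, [] if absent.
    This only reads the payload; signature, issuer, audience and expiry must still be
    verified by the service provider before any claim is trusted."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    amr = claims.get("amr", [])
    return list(amr) if isinstance(amr, list) else [str(amr)]


def saml_authn_context_refs(assertion_xml: str) -> list:
    """Return every AuthnContextClassRef URI found in a SAML 2.0 Response or Assertion."""
    root = ET.fromstring(assertion_xml)
    return [el.text.strip() for el in root.iterfind(AUTHN_CTX_PATH, SAML_NS) if el.text]


def mfa_signal_present(kind: str, data: str) -> bool:
    """True when the response carries *some* authentication-method signal.
    Whether a given value counts as strong or phishing-resistant is policy at the IdP/SP;
    the post says to verify presence only, and that is all this function decides."""
    if kind == "oidc":
        return len(oidc_amr_values(data)) > 0
    if kind == "saml":
        return len(saml_authn_context_refs(data)) > 0
    raise ValueError("kind must be 'oidc' or 'saml'")


# Constructed sample inputs (not captured from any real identity provider).
SAMPLE_SAML_WITH_CONTEXT = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Assertion>
    <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
    <saml:AuthnStatement AuthnInstant="2026-06-22T10:00:00Z">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:X509</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""

SAMPLE_SAML_NO_CONTEXT = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.com</saml:NameID></saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    tok = make_unsigned_id_token({"sub": "alice", "amr": ["pwd", "mfa"]})
    print("oidc amr:", oidc_amr_values(tok), "->", mfa_signal_present("oidc", tok))
    print("saml ctx:", saml_authn_context_refs(SAMPLE_SAML_WITH_CONTEXT))
    print("saml without AuthnStatement ->", mfa_signal_present("saml", SAMPLE_SAML_NO_CONTEXT))
```
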

  18. Microsoft Edge keeps all saved passwords in cleartext in RAM for the entire session, making memory scraping easier for attackers 🖥️
    The behavior is “by design,” unlike Chrome, and highlights the risks of storing credentials in browsers instead of using password managers 🔑

    🔗 cybernews.com/security/microso

    #TechNews #Microsoft #MicrosoftEdge #Edge #Google #Chrome #Browser #Password #CyberSecurity #FOSS #Privacy #Encryption #DigitalSafety #MFA #PasswordManager #Passkeys #Software #InfoSec #Security #RAM

  19. Just had to "hack" two (2) #MS365 tenants, due to #Authenticator being completely goosed on my mobile phone; it had never worked 100% after MS forced its use last year (my other colleague with admin access was on holiday and away from the UK). Luckily the way #Microsoft had it previously running was half-arsed enough that I was able to still access the user admin page (but not Entra, and security info), which allowed me to escalate an existing user to Global Admin and then use that to reset my own account's #MFA and then add those back to Authenticator...

  20. 📢⚠️ #Bluekit, a new AI-powered phishing-as-a-service kit, lets attackers bypass MFA using #AiTM attacks and stolen session cookies. With 40+ fake templates and AI tools.

    Read: hackread.com/bluekit-phishing-

    #Cybersecurity #Phishing #MFA #AI #Hacking #PhaaS

  21. What is a trustworthy way to extract the secret key from a QRCode for #MFA that only displays the image and offers no way to access the secret as text? I want to avoid shady browser plugins or commands to extract the secret. I need to extract the secret text since I don't see a way to scan the QRCode directly in my #keypassxc

    #security

  22. 🔑 TYPO3 MFA Extensions – options for two-factor authentication

    Multi-factor authentication (MFA) is a security procedure that verifies a user's identity by combining at least two different authentication factors.

    by @ayacoo

    ➡️ ayacoo.de/typo3-mfa-extensions

    #TYPO3 #mfa

  23. Two-Factor #Authentication (2FA) typically combines a password with a code, whereas Multi-Factor Authentication (MFA) adds more layers, such as biometrics (fingerprint/face) or hardware tokens. Read MFA vs 2FA: What's the difference windowspost.com/2fa-vs-mfa/

    Key Differences Between 2FA and MFA

    Number of Factors: 2FA limits authentication to two layers (e.g., password + OTP), while MFA can incorporate three or more (e.g., password + OTP + fingerprint).

    Security Level: MFA generally provides superior security against sophisticated attacks because it relies on multiple independent factors.

    Complexity & UX: 2FA offers a more streamlined user experience with fewer steps. MFA may cause more user friction due to additional login steps, but it enhances security.

    Flexibility: MFA offers greater flexibility, allowing organizations to adopt adaptive, risk-based authentication, while 2FA is a fixed two-step process.

    2FA Example: Entering a password (knowledge) and a code texted to your phone (possession).

    MFA Example: Entering a password, a code from an app, and using a biometric scan (fingerprint or face).

    #2FA #MFA #security #password #otp #Fingerprint #twostepverification #MFAverification #photochallange #technology #tech #TechGuide #techterms #techarticle

  24. Interesting discovery. I activated MFA on my Nextcloud instance.
    10 seconds later Webdav and Caldav stopped working in Betterbird.

    #Nextcloud #MFA

  25. 2 Factor authenticator app question

    I guess I have to look into using a 2FA app at last so...

    I am probably late to the party on this, having resisted both Microsoft and Google's offerings up to now. I guess I'm just suspicious of these companies we used to love in the early days.

    I've looked at the PCMag review and it seems that their top choice - 2FAS - might fit my requirements. I use both Android (mobile) and Microsoft (laptop, desktop) OS.

    pcmag.com/picks/the-best-authe

    Has anyone any experience with this app? Any thoughts on it that might be helpful? Use on Windows and/or Android?

    Or are there any better ideas?

    Cheers!

    #EllieKPosts #2FA #authenticatorApp #fediHelp #MFA #encryption #2FAS

  26. 🧑‍💻 Built your own MFA system yet?

    We just dropped a full walkthrough on how to integrate Google Authenticator into RELIANOID’s MFA portal — with secrets stored in AD or LDAP.

    🔐 Based on TOTP
    🛡️ Validates tokens post-login
    📱 Generates QR codes for new users

    It’s secure, scalable, and open-source-friendly.

    📖 Dive in:

    relianoid.com/resources/knowle
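
Post 21 asks what is actually inside an MFA enrolment QR code, and post 26 describes a TOTP portal that validates codes and issues QR codes. The following is an added example, not RELIANOID's or either poster's code: an RFC 6238 TOTP implementation with the otpauth:// URI that such QR codes encode, plus a server-side verifier with drift window and replay rejection. `DEMO_SECRET_B32` is the RFC 4226/6238 test key and the issuer/account names are made up.

```python
"""TOTP (RFC 6238) as used by Google Authenticator, plus otpauth:// URI handling.
Constructed example; DEMO_SECRET_B32 is the RFC 4226/6238 test key, base32-encoded."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, quote, unquote, urlparse

DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"  # "12345678901234567890" in base32


def _decode_secret(secret_b32: str) -> bytes:
    """Base32-decode an authenticator secret, tolerating lowercase, spaces and missing '='."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(_decode_secret(secret_b32), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret_b32, for_time // step, digits)


def verify_totp(secret_b32, code, now, used_counters, window=1, step=30, digits=6):
    """Server-side check for a submitted code.
    Accepts the current interval and +/- `window` neighbours (clock drift), compares in
    constant time, and rejects an interval whose code was already accepted, so a code
    captured once cannot be replayed within its validity window."""
    counter = now // step
    for offset in range(-window, window + 1):
        candidate = counter + offset
        if hmac.compare_digest(hotp(secret_b32, candidate, digits), str(code)):
            if candidate in used_counters:
                return False
            used_counters.add(candidate)
            return True
    return False


def otpauth_uri(issuer, account, secret_b32, digits=6, period=30):
    """Build the otpauth:// URI that enrolment QR codes encode."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={digits}&period={period}")


def parse_otpauth(uri):
    """Recover the secret and parameters from an otpauth:// URI (the text behind the QR image)."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {"label": unquote(u.path.lstrip("/")), "secret": q["secret"],
            "issuer": q.get("issuer"), "algorithm": q.get("algorithm", "SHA1"),
            "digits": int(q.get("digits", 6)), "period": int(q.get("period", 30))}


if __name__ == "__main__":
    enrol = otpauth_uri("ExampleCorp", "alice@example.com", DEMO_SECRET_B32)
    p = parse_otpauth(enrol)
    print(enrol)
    print("code now:", totp(p["secret"], int(time.time()), p["period"], p["digits"]))
```

Decoding the QR image itself still needs a QR reader; once you have the otpauth:// text, `parse_otpauth` gives you the secret to paste into a password manager's TOTP field.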

  27. > There is sunshine and rainbows in our future Hank because strong security is simple security. #Passwords stink. Multifactor authentication (#MFA) where you type in a code stinks. So really, for us to be secure, we have to take the human out of the equation, and that means it'll be easier for us.

    youtu.be/V6pgZKVcKpw?si=NilUbn

    #Yep #Security #WellPut

  28. Phishing 2025–2026: from social engineering to industrial PhaaS pipelines

    The modern cyberthreat landscape demonstrates the final transformation of phishing from a set of scattered fraudulent emails into a mature service industry operating by the rules of a legitimate IT business. For many years phishing has remained one of the most sought-after ways of gaining initial access to corporate infrastructure, retaining its effectiveness despite the mass adoption of multi-factor authentication (MFA) and investment in anti-spam filtering.

    habr.com/ru/companies/pt/artic

    #фишинг #mfa #phaas #парсинг #aitm #dkim #dmark #seg #ocr #вредоносное_по

  29. Should something be considered Open Source if cybersecurity features, such as SSO or MFA, are locked behind a paid tier? To me, insecurity by design seems to run counter to the idea of working together for a better world.

  30. 🚨 Entra ID External MFA (old name was External Authentication Methods) is now Generally Available.

    Custom Controls is being deprecated on 30 Sept 2026.

    Here's how to check your usage.

    thedxt.ca/2026/03/microsoft-en

    #Entra #MFA #M365 #Microsoft #Microsoft365 #ConditionalAccess

  31. @Cloudsincoffee

    do they work on Linux for LUKS etc. - can you use the same package yubikey-luks? I'm currently using Yubikey, but always open for change, if it is not too difficult.

    #Yubikey #Token2 #LUKS #Linux #FIDO2 #MFA

  32. Security hygiene for mid-sized business: why one fired employee costs more than a year's security budget

    I work as a director of digital transformation. And every time I put together a budget, I see the same picture: there is little money for IT, and even less for security. Meanwhile requirements grow, threats multiply, and the business's wording is: "make it work conveniently, from anywhere, preferably without a password, and don't let it break." Like many, I am looking for the ideal formula: minimum investment → maximum protection. Not "buy everything at once", not "deploy a SOC for 10 million a year", but precisely the basic baseline of IT and security that covers 80% of the risks and does not require an army of staff to maintain. This article is about how to build protection for reasonable money, based on my own mistakes and experience. With numbers, with tools, with a calculator. Security hygiene is not a SOC, not a "cyber shield" and not a magic box. It is a few down-to-earth things: MFA, antivirus, backups, a role model and training people. All of this costs far less than one serious incident.

    habr.com/ru/articles/1016598/

    #soc #infosec #information_security #vm #vulnerability #vulnerability_management #mfa #iam #rbac #idm

  33. How does one #unittest a #webapp that has its functionality secured using #oath and #mfa? I'm writing a #selenium -based test suite in the #rust programming language for a web app that one of my clients has me developing.

  34. ❤️🖤

    👩‍⚕️❤️‍🩹
    A medical assistant (MFA) was unexpectedly dismissed without notice after a serious illness, and most of her last month's wages were not paid out. The employer also failed to inform her of her duty to register with the employment agency. Because she did not know about her entitlement to unemployment benefit, she got into financial difficulties. After advice and the corresponding assertion of her claims, an out-of-court settlement satisfactory to the person concerned was reached. A fundraiser within our grassroots union was also able to avert the immediate hardship.

    More:
    ▶️ freiburg.fau.org/2026/03/06/fr

    💪Solidarity is our strength and class!

    💯
    #freiburg #Arbeitskampf #Solidarität #fau #arbeiter #freiearbeiterinnenunion #mfa #arbeiterInnen #antikapitalismus #Arbeitslosigkeit #Aufenthaltsstatus #Entgeldfortzahlung #fristloseKündigung #gegenseitigeHilfe #Gehalt #Krankheit #lohn #Kündigung #krankschreibung #attest #Gesundheit #arbeitsgericht #lohnfortzahlung #beratung #fundraising #gewerkschaft #arzt #gesundheitswesen #asylbewerberleistungsgesetz #arztpraxis
