
Food for thought if you use passwords + 2FA/MFA (and who doesn't :-)

TMSG
TMSG Posts: 228 Forumite
Fourth Anniversary 100 Posts Name Dropper
The MFA You Trust Is Lying to You – and Here's How Attackers Exploit It

A bit OTT but an interesting read. I fully agree that SMS/text is (or should be) dead -- I avoid organisations which still use that. But I am not convinced that 2FA/MFA is yet on its last legs, although it's clearly not a solution for the future. Alas, as long as the passkeys crowd doesn't get the interoperability solved in an easy and reliable manner, I don't really see much choice.

Comments

  • Vitor
    Vitor Posts: 616 Forumite
    500 Posts First Anniversary Photogenic Name Dropper
    The article is sponsored by Token, a vendor selling biometric FIDO2 devices. It exaggerates legacy MFA’s weaknesses to promote Token’s products, ignoring that MFA effectiveness depends on implementation, user training, and layered security, not just hardware
  • RumRat
    RumRat Posts: 5,001 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Photogenic
    Vitor said:
    The article is sponsored by Token, a vendor selling biometric FIDO2 devices. It exaggerates legacy MFA’s weaknesses to promote Token’s products, ignoring that MFA effectiveness depends on implementation, user training, and layered security, not just hardware
    With a good dose of common sense..... ;)
    Drinking Rum before 10am makes you
    A PIRATE
    Not an Alcoholic...!
  • TMSG
    TMSG Posts: 228 Forumite
    Fourth Anniversary 100 Posts Name Dropper
    Oh sure, the proposed two Token methods are not why I posted this (I didn't even mention them in my OP).
    The point is more that I've been (and still am) trying hard to get people onto non-SMS 2FA/MFA where possible and also looking for cases where an account was "hacked" despite a strong password and 2FA/MFA. So far, at least in my relatively small circle of people there's been no such case but apparently this happens more often than I (probably naively?) assumed.
    2FA/MFA clearly can't be the final word, not least because it offers no protection at all against perfectly replicated phishing sites. This automatic protection is one of the passkeys features I really like. Unfortunately, passkeys have other problems though I readily accept that most will, in due course, be rectified.
  • Vitor
    Vitor Posts: 616 Forumite
    500 Posts First Anniversary Photogenic Name Dropper
    edited 10 July at 6:07PM
    I'm experiencing more banks' websites showing a QR code after inputting the username. You open the mobile banking app using a biometric, which then uses the phone's camera to scan the QR code. The app communicates back to the bank, which logs you in on the desktop automatically.

    It's a clever system based on the same principles as passkeys but more comprehensible to Joe User, while being resistant to phishing.

    I tried the full-fat solution of FIDO2 keys (the one Google sells) but the annoyance factor was off the scale!
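    The QR-code login Vitor describes above has three legs: the website requests a challenge, the phone app approves it after a biometric check, and the website collects the result. The sketch below is an added example written for this thread, not code from any bank or from the linked article; the class and method names are made up, and the server-side checks it enforces (random single-use nonce, short expiry, and binding the approval to the browser session that asked for the QR code) are the usual ones for this kind of flow rather than any specific bank's implementation.

    ```python
    import secrets
    import time
    from dataclasses import dataclass
    from typing import Callable, Dict, Optional

    # How long a displayed QR code stays valid (assumed value for the example).
    CHALLENGE_TTL_SECONDS = 60


    @dataclass
    class Challenge:
        challenge_id: str          # public handle encoded in the QR code
        nonce: str                 # unguessable secret, also encoded in the QR code
        desktop_session: str       # browser session that requested the login
        created_at: float
        approved_by: Optional[str] = None
        consumed: bool = False


    class QrLoginServer:
        """Hypothetical bank back end for the QR cross-device login flow."""

        def __init__(self, clock: Callable[[], float] = time.time) -> None:
            self._clock = clock
            self._challenges: Dict[str, Challenge] = {}
            self.logged_in: Dict[str, str] = {}   # desktop session -> user

        def start_login(self, desktop_session: str) -> Dict[str, str]:
            # Leg 1: the website asks for a QR code. The challenge is bound to
            # the requesting browser session so only that session can redeem it.
            ch = Challenge(
                challenge_id=secrets.token_urlsafe(16),
                nonce=secrets.token_urlsafe(32),
                desktop_session=desktop_session,
                created_at=self._clock(),
            )
            self._challenges[ch.challenge_id] = ch
            return {"challenge_id": ch.challenge_id, "nonce": ch.nonce}

        def approve_from_app(self, challenge_id: str, nonce: str,
                             user: str, biometric_ok: bool) -> bool:
            # Leg 2: the phone app, after the local biometric unlock, sends what it
            # scanned straight to the bank. Reject anything stale, replayed or forged.
            if not biometric_ok:
                return False
            ch = self._challenges.get(challenge_id)
            if ch is None:
                return False
            if self._clock() - ch.created_at > CHALLENGE_TTL_SECONDS:
                del self._challenges[challenge_id]      # expired: throw it away
                return False
            if ch.consumed:
                return False                            # one approval per QR code
            if not secrets.compare_digest(ch.nonce, nonce):
                return False                            # constant-time nonce check
            ch.approved_by = user
            ch.consumed = True
            return True

        def poll_desktop(self, desktop_session: str, challenge_id: str) -> Optional[str]:
            # Leg 3: the website polls. Only the session that requested this
            # challenge may collect the login; the challenge is then retired.
            ch = self._challenges.get(challenge_id)
            if ch is None or ch.desktop_session != desktop_session or ch.approved_by is None:
                return None
            self.logged_in[desktop_session] = ch.approved_by
            del self._challenges[challenge_id]
            return ch.approved_by


    def demo() -> Dict[str, object]:
        """Run the flow once on a fake clock so expiry can be exercised offline."""
        now = [1_000.0]
        srv = QrLoginServer(clock=lambda: now[0])

        qr = srv.start_login("desk-A")
        approved = srv.approve_from_app(qr["challenge_id"], qr["nonce"], "alice", True)
        replay = srv.approve_from_app(qr["challenge_id"], qr["nonce"], "alice", True)
        wrong_desktop = srv.poll_desktop("desk-B", qr["challenge_id"])
        user = srv.poll_desktop("desk-A", qr["challenge_id"])

        qr2 = srv.start_login("desk-C")
        now[0] += 2 * CHALLENGE_TTL_SECONDS                  # QR code left on screen too long
        expired = srv.approve_from_app(qr2["challenge_id"], qr2["nonce"], "alice", True)

        return {"approved": approved, "replay": replay, "wrong_desktop": wrong_desktop,
                "user": user, "expired": expired}


    if __name__ == "__main__":
        print(demo())
    ```

    The point of the three checks is that the phone never types anything into the website: the approval travels from the app to the bank directly, and the bank only releases a session to the browser that originally requested that exact challenge.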
  • jshm2
    jshm2 Posts: 475 Forumite
    Ninth Anniversary 100 Posts Name Dropper Combo Breaker
    Basically another Yubico clone.

    There is no such thing as absolute security. MFA and 2FA can be compromised by many methods. You can even buy the devices on Amazon.

    Hence it's always good cybersecurity practice to not rely on any one solution for everything.
  • TMSG
    TMSG Posts: 228 Forumite
    Fourth Anniversary 100 Posts Name Dropper
    jshm2 said:
    There is no such thing as absolute security. MFA and 2FA can be compromised by many methods. You can even buy the devices on Amazon.
    Of course and I didn't imply there is.
    Also, I do not understand what you mean with "buy the devices on Amazon".
  • forgotmyname
    forgotmyname Posts: 32,915 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Does not matter what 2FA you use whether it's a text or an app, the problem is the user.

    Scammers will say there is a problem and not to use the fingerprint option or whatever, and that they need to request a code instead, where they then share the code with the scammers.

    Censorship Reigns Supreme in Troll City...

  • TMSG
    TMSG Posts: 228 Forumite
    Fourth Anniversary 100 Posts Name Dropper
    Does not matter what 2FA you use whether it's a text or an app, the problem is the user.
    Agreed. The two main entry routes (short of zero-day exploits which are rare) are social engineering and lazy system admins/users who can't be bothered to fix known vulns (and web masters who lazily load required JS libraries or similar from third-party sites not under their control... the source of many web hacks).
    And social engineering is probably a bigger problem for end users than fixing known vulns as this is normally taken care of by the OS provider.