undefined | Better HN

0 pointsNoPicklez3y ago0 comments

Using MFA is absolutely a must.

But not using hardware based 2FA doesn't make the IT department, completely negligent or incompetent.

Most companies I know if they are using MFA are using Microsoft Authenticator soft tokens through their enterprise 365 environments.

0 comments

4 comments · 2 top-level

sneak3y ago· 2 in thread

The Reddit hack in question phished the user-input MFA (presumably TOTP) string.

NoPicklezOP3y ago

My point being is that by not having hardware based MFA, but still have a form of soft token MFA doesn't make the IT personnel completely incompetent or negligent.

Not requiring MFA at all and having weak passwords would be an example of that.

sneak3y ago

Then why are they still getting owned via common/routine phishing attacks? Ones that are entirely, cheaply, and easily preventable?

1 more reply

remram3y ago

MFA is extremely vulnerable to fishing, ie. man-in-the-middle. It is pretty useless, hardware token or not. U2F/webauthn mostly fixes that.

j / k navigate · click thread line to collapse