Event JSON
{
"id": "60732baf93a8382f19872ab9d527c890814279c5e53317d7d838dbc2d5aaa659",
"pubkey": "20930bb37c402b36d6577333ebddc01318bf20a854617e8c544d1cd623541954",
"created_at": 1730239829,
"kind": 1,
"tags": [
[
"p",
"7e315cd3df7f098b8e52756bc78c4eeb5e928a792b57072bd2ec4dc28ce6c91d",
"wss://nostr.sprovoost.nl"
],
[
"p",
"8d60a280ed19deb0aa60e2e07d352ebd415c2ca062bc6fd23a03db9e15cf89d8",
"wss://nostr.sprovoost.nl"
],
[
"e",
"a54a185c228c13b20d2b1c8ad0db29e630bf07e59952069bacc87fcac9b37019",
"wss://nostr.sprovoost.nl",
"reply"
],
[
"t",
"totp"
],
[
"t",
"numbermatching"
],
[
"t",
"mfa"
],
[
"t",
"2fa"
],
[
"t",
"weak2fa"
],
[
"t",
"weakmfa"
],
[
"t",
"otp"
],
[
"t",
"MicrosoftAuthenticator"
],
[
"proxy",
"https://infosec.exchange/users/ErikvanStraten/statuses/113392997447416480",
"activitypub"
]
],
"content": "From https://redmondmag.com/Articles/2024/10/22/Microsoft-Tweaks-Authenticator.aspx:\n❞\nCompliance with the FIPS 140 means organizations that use Authenticator meet the requirements of the Biden administration's Executive Order 14028, which requires government agencies to use phishing-resistant authentications.\n❝\n\nThat is total nonsense. FIPS 140 is about cryptography, which -definitely in this case- has nothing to do with phishing resistance.\n\nIn fact, the original article (https://techcommunity.microsoft.com/t5/microsoft-entra-blog/the-latest-enhancements-in-microsoft-authenticator/ba-p/4078807) does not make that mix-up.\n\nUnless software checks whether https is used and the domain name shown in the browser's address bar is correct, MFA is *not* phishing resistant.\n\nnostr:npub10cc4e57l0uychrjjw44u0rzwad0f9zne9dtsw27ja3xu9r8xeywszpvsm5 \n\n#TOTP #NumberMatching #MFA #2FA #Weak2FA #WeakMFA #OTP #MicrosoftAuthenticator",
"sig": "b83b11a2b39fa7c086c0022f11f9f7512a93ad1d223c301dd44788c3ec944a032ef042d3d0e538f9d1b2f23522003b995d309acd3a83ac92332d0f5149b6ea55"
}