Hello and welcome to the Monday, September 18, 2020,

edition of the Sandstone Storm Center's Stormcast.

My name is Johannes Ulrich and the name is recording from New York City, New York.

Let's start today talking about a breach.

Now, I don't often talk about breaches in this podcast, but sometimes there are very

specific lessons that can be learned from these breaches. And of course, it's always helpful

if companies come forward with some of the details. The breach I'm talking about here was against

a retool, and it certainly was one of the more targeted and

specific breaches. One risk it highlights is that not all multifactor authentication is actually

fishing resistant. Now, I will link to the detailed description and retools blog in the show notes,

so you can read up on all the details.

I don't quite agree with the headline here that, well, when multifactor authentication

isn't actually multifactor authentication, Google Authenticator is by all means multifactor authentication, but it's not fishing

resistant, meaning that if a victim is entering their credentials, their username password,

and one of their one-time passwords from the Google Authenticator into the wrong website.

That website may be able to reuse these credentials, or in this case, the victim actually

gave a one-time password to the attacker over the phone.

This is difficult to sort of fix with training because users often don't quite

understand the implications of giving one of their one-time passwords over the phone versus

entering them into the legitimate website. But a distinction that has to be made. If you're really concerned, if these are

critical internal systems, then Google Authenticator may not be the right solution for you,

but something stronger and fishing resistant, like, for example, pass keys or Fido2,

...