Hello and welcome to the Wednesday, September 17, 2025 edition of the Sands and then at Storm Center's StormCast.

My name is Johannes Ulrich, recording today from Jacksonville, Florida.

And this episode is brought to you by the Sands.edu graduate certificate program in cyber security engineering.

Well, we have today a little bit of different diary, not so far our usual deep technical diary, but something a little bit lighter from a technical point of view, but still very, very important.

And that's the idea of fishing-resistant authentication. A lot of the fishing advice given

these days doesn't really sort of consider that really well. And authentication is very focused

on multi-factor authentication, which is a good thing, but it does often not protect against

fishing. So the idea of fishing-resistant authentication is that the user is no longer in charge

what credentials to provide to a particular website. Whenever you have any scheme where the user decides what credentials

to provide, the user could be fooled into providing those credentials to the wrong websites,

and then you have tools like Evil EngineX and such that allow these machine-the-middle attacks

that will take those credentials, retrieve a session ID from the application

the user is attempting to connect to, and with that the attacker is authenticated. So that has to be

avoided. You must remove the ability from the user to provide the credentials to the wrong website.

An initial start, and that's probably the simplest way to get started, but far from perfect,

is a password manager.

Password managers tend to be pretty good in setting up the right credentials for the right

websites.

They have been born abilities in the past and password managers,

but for the most part, they get that right.

They get it better, typically, than a user would.

The ultimate fix is really something like certificates,

...