Tell me how this is secure. I log into my computer and a window says “enter your password.” There is no indication of what it’s for (but likely for MS Teams).
I know what it is; I’ve seen it many times. But I really hate blindly entering a password.
Like, how hard would it be to counterfeit this?
Not hard at all. I actually fell for it recently because one of my coworkers got hacked and I was too nosy to just ignore the email they sent out.
Like John said, not difficult at all. The latest nasty adversary-in-the-middle attack is available on GitHub for any noob to use: "Standalone man-in-the-middle attack framework used for phishing login credentials along with session cookies, allowing for the bypass of 2-factor authentication." There’s a nice write-up of it.
Of the security factors, “something that you know” is the easiest to defeat, especially when used alone. Using a hardware token, while being the least convenient and most expensive, is the strongest factor right now. But nothing is bullet-proof. The game will move from stealing credentials to stealing tokens, and the whack-a-mole will continue for a while.
I would recommend branding your login screen(s).
We get these from Microsoft Teams all the time; it’s obnoxious. Usually if you go to Task Manager you can see the app that initiated the request, but yeah, it’s complete garbage, that interface.
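The Task Manager check above, done from a prompt instead, as an added example that is not part of the thread: it lists every process that currently owns a visible top-level window whose title matches a pattern, and reports the executable path and its Authenticode signature status so an unexpected "enter your password" window can be matched to whatever drew it. The function name and the title pattern are assumptions; the cmdlets are standard Windows PowerShell.

```powershell
# Added example (not from the thread). Match a password/sign-in window to the
# process that owns it, and show whether that executable carries a valid signature.
function Get-WindowOwner {
    param(
        # Assumption: caller passes a regex matching the prompt's title bar text
        [string]$TitlePattern = 'password|sign in'
    )

    Get-Process -ErrorAction SilentlyContinue |
        Where-Object { $_.MainWindowTitle -and $_.MainWindowTitle -match $TitlePattern } |
        ForEach-Object {
            $path = $_.Path   # may be $null for protected or inaccessible processes
            $sig  = if ($path) {
                (Get-AuthenticodeSignature -FilePath $path -ErrorAction SilentlyContinue).Status
            } else { 'Unknown' }

            [pscustomobject]@{
                Id          = $_.Id
                Name        = $_.ProcessName
                Path        = $path
                Title       = $_.MainWindowTitle
                Signature   = $sig
                # Anything without a valid signature deserves a closer look before typing a password
                NeedsReview = ($sig -ne 'Valid')
            }
        }
}

# Usage: run while the prompt is on screen
Get-WindowOwner -TitlePattern 'password|sign in' | Format-Table -AutoSize
```

A valid signature only tells you the binary is what its publisher shipped; a legitimately signed app can still be displaying a prompt you did not ask for, so the path and process name are the part worth reading.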
Frankly I think apps whose authorization expires should not be allowed to ask you until you try interacting with them … at worst it should give you a notification in the system and then take you to that app and physically make you click a “Re Auth” button, so that the request is intentional and interactive, not passive in the background.
Branding doesn’t help; the bad guys do branding too. We should really go to an active / interactive request model only, where no app can passively re-authenticate without you physically clicking a button. Is it obnoxious? Yes… but it would help.
Yeah, the smart ones. There’s always a way.
Layered approach and best practices.