820 matches found
Building a world without passwords
Nobody likes passwords. They are inconvenient, insecure, and expensive. In fact, we dislike them so much that we've been busy at work trying to create a world without them, a world without passwords. In this blog, we will provide a brief insight into how we at Microsoft think about solving this...
Use of Microsoft Authenticator App as 2-factor authentication for O365 access using XenMobile
Question - Can we use the Microsoft Authenticator app as a means of 2-factor authentication to secure access to XenMobile integrated O365 environment? Answer - Currently use of Microsoft Authenticator as a means to provide 2-factor authentication is only possible for O365 apps. The security featu...
Two-Factor Authentication: What is it and why do I need it to stay safe online?
Today, Americans are living more and more of their lives on the internet. We shop, bank, socialize, work and play online. But as our digital lives become increasingly important, they are also exposed to greater risks. Hackers are lurking around every corner ready to steal our identities, drain ou...
Ian Dunn: Timing Attack in Google Authenticator - Per User Prompt
Google Authenticator - Per User Prompt contains a timing attack vulnerability in how it validates the application password for a user account. if sha1 $attemptedpasswordplaintext === $validpasswordhash || wpcheckpassword $attemptedpasswordplaintext, $validpasswordhash...
The vulnerability of the gpkcsp.dll authenticator service on the Windows operating system allows a perpetrator to execute arbitrary code.
The vulnerability of the Windows operating system’s smart card authentication service gpkcsp.dll arises due to buffer overflow. Exploiting this vulnerability allows a malicious actor to execute arbitrary code by connecting to a remote desktop...
Microsoft Touts New Phone-Based Login Mechanism
It likely won’t mark the death knell of passwords but Microsoft announced this week it's giving users a new way to sign into their accounts without having to enter a lengthy combination of numbers, letters and characters. The feature, which relies on users having access to their mobile phones, is...
Microsoft Authenticator - Dangerous filesystem permissions, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that application Microsoft Authenticator published at the 'play' market has multiple vulnerabilities...
Ian Dunn: Google Authenticator 0.6 - PHP Version Disclosure
Hello Vulnerable File and Link : http://localhost/wordpress/wp-content/plugins/google-authenticator-per-user-prompt/views/requirements-error.php Vulnerable Link : 8 You're running version Vulnerable Code: Good Luck/...
Ian Dunn: Google Authenticator - Cross Site Scripting
Hello Vulnerable File: : /views/token-prompt.php Vulnerable Link : 15 " / Vulnerable Code: Good Luck/...
Google Authenticator - Exported components, External URLs, Suspicious files vulnerabilities
HackApp vulnerability scanner discovered that application Google Authenticator published at the 'play' market has multiple vulnerabilities...
NIST Recommends SMS Two-Factor Authentication Deprecation
A U.S. government agency said the end is nigh for SMS-based two-factor authentication, citing a lack of security around the feature. The latest draft version of the Digital Authentication Guideline issued this week by the U.S. National Institute for Standards and Technology (NIST) said the practice...
WordPress Google Authenticator Plugin <= 0.47 - Authentication Bypass
This plugin is prone to a two-factor authentication bypass vulnerability. Attackers with a valid password can bypass the two-factor OTP by using an email address. Solution: Upgrade this plugin...
Google Authenticator <= 0.47 - Two Factor Authentication Bypass
WordPress 4.5 introduced the ability to log in with an email address instead of a username. Google Authenticator v0.47 wasn't aware of the new feature, and didn't properly handle the case where an email address was used instead of a username. Using an email address would allow an attacker with a...
Falcon System Consulting WisePoint and WisePoint Authenticator Clickjacking Attack Vulnerability
Falcon System Consulting WisePoint and WisePoint Authenticator are products of Falcon System Consulting, Japan. The former is an authentication system, and the latter is a product for enhancing the authentication mechanism of RADIUS protocol-enabled devices, such as SSL-VPN devices. A security...
Code injection
The management screen in Falcon WisePoint 4.3.1 and earlier and WisePoint Authenticator 4.1.19.22 and earlier allows remote attackers to conduct clickjacking attacks via unspecified vectors...
CVE-2016-1177
The management screen in Falcon WisePoint 4.3.1 and earlier and WisePoint Authenticator 4.1.19.22 and earlier allows remote attackers to conduct clickjacking attacks via unspecified vectors...
JVN#28480773: WisePoint contains issue in preventing clickjacking attacks
WisePoint contains an issue in the protection against clickjacking attacks on the management screen. Impact: If a user views a malicious page while logged in, unintended operations may be conducted. Solution: Update the Software. Update to the latest version according to the information provided by...
Battle.net Authenticator - Customized SSL, Redefined SSL Common Names verifier, WebView code execution vulnerabilities
HackApp vulnerability scanner discovered that application Battle.net Authenticator published at the 'play' market has multiple vulnerabilities...