<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: yanix Yanix</title>
    <description>The latest articles on DEV Community by yanix Yanix (@yanix_yanix_d22423595186a).</description>
    <link>https://dev.to/yanix_yanix_d22423595186a</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3542105%2Fd4742395-ee3b-4176-89d9-004a5629d444.png</url>
      <title>DEV Community: yanix Yanix</title>
      <link>https://dev.to/yanix_yanix_d22423595186a</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/yanix_yanix_d22423595186a"/>
    <language>en</language>
    <item>
      <title>The Password is Dead. Long Live the Password? A Look at FIDO2, Passkeys, and the Post-SMS Future</title>
      <dc:creator>yanix Yanix</dc:creator>
      <pubDate>Sun, 05 Oct 2025 10:56:17 +0000</pubDate>
      <link>https://dev.to/yanix_yanix_d22423595186a/the-password-is-dead-long-live-the-password-a-look-at-fido2-passkeys-and-the-post-sms-future-5fnk</link>
      <guid>https://dev.to/yanix_yanix_d22423595186a/the-password-is-dead-long-live-the-password-a-look-at-fido2-passkeys-and-the-post-sms-future-5fnk</guid>
      <description>&lt;p&gt;If you've ever frantically reset a forgotten password or waited for an SMS code that never arrived, you've felt the cracks in the digital foundation of our modern identity. For decades, the combination of a username, password, and SMS-based two-factor authentication (2FA) has been the de facto standard for securing our online lives. But this trinity is crumbling under the weight of its own flaws.&lt;/p&gt;

&lt;p&gt;Passwords are a user-experience nightmare—hard to remember, easy to phish. SMS 2FA, while better than nothing, is vulnerable to SIM-swapping attacks and interception. It's clear: we need a better way. The good news? The future of authentication is already here. It’s more secure, and remarkably, it’s also simpler.&lt;/p&gt;

&lt;p&gt;Let's dive into the technologies poised to finally retire the password: FIDO2/WebAuthn and Passkeys.&lt;/p&gt;

&lt;p&gt;Why SMS Authentication is on its Way Out&lt;br&gt;
Before we look forward, it's crucial to understand why we're moving away from the familiar. SMS (Short Message Service) for 2FA has one major advantage: universality. Almost every phone can receive a text. However, its security drawbacks are fatal for high-value targets:&lt;/p&gt;

&lt;p&gt;SIM Swapping: A social engineering attack where a fraudster convinces your mobile carrier to port your number to a new SIM card they control, intercepting all your SMS codes.&lt;/p&gt;

&lt;p&gt;SS7 Network Vulnerabilities: The signaling system (SS7) that controls the global phone network has known exploits, allowing attackers to redirect SMS messages.&lt;/p&gt;

&lt;p&gt;Interception: Malware on your phone can simply read your incoming messages.&lt;/p&gt;

&lt;p&gt;Inconvenience: It requires cell service, which isn't always available, especially when traveling.&lt;/p&gt;

&lt;p&gt;SMS was designed for communication, not security. Relying on it as a security cornerstone is a fundamental mistake.&lt;/p&gt;

&lt;p&gt;FIDO2 &amp;amp; WebAuthn: The Foundation of a Passwordless Future&lt;br&gt;
The FIDO (Fast Identity Online) Alliance, a consortium of tech giants like Google, Microsoft, Apple, and others, has been working on the solution. Their answer is a set of open, standards-based protocols that make phishing-resistant authentication possible.&lt;/p&gt;

&lt;p&gt;Think of FIDO2 as the umbrella term. Under it, you have two main components:&lt;/p&gt;

&lt;p&gt;WebAuthn (Web Authentication): A W3C standard web API. This is what allows a website or application to integrate passwordless authentication directly into a browser or platform. It's the "how" for developers.&lt;/p&gt;

&lt;p&gt;CTAP (Client to Authenticator Protocol): The protocol that allows an external authenticator (like a security key or your phone) to communicate with your computer or browser.&lt;/p&gt;

&lt;p&gt;How it works (The Magic, Simplified):&lt;/p&gt;

&lt;p&gt;Instead of a shared secret (your password stored on a server), FIDO2 uses public-key cryptography.&lt;/p&gt;

&lt;p&gt;Registration: When you sign up for a service using FIDO2:&lt;/p&gt;

&lt;p&gt;Your device (e.g., a YubiKey or your phone) creates a new cryptographic key pair: one private key (stored securely on your device) and one public key.&lt;/p&gt;

&lt;p&gt;The public key is sent to the website's server. The private key never leaves your device.&lt;/p&gt;

&lt;p&gt;Authentication: When you next log in:&lt;/p&gt;

&lt;p&gt;The website sends a "challenge" (a random string) to your browser.&lt;/p&gt;

&lt;p&gt;You unlock your authenticator (with a biometric or PIN).&lt;/p&gt;

&lt;p&gt;Your device uses its private key to sign the challenge.&lt;/p&gt;

&lt;p&gt;The signed challenge is sent back to the server.&lt;/p&gt;

&lt;p&gt;The server verifies the signature using your stored public key.&lt;/p&gt;

&lt;p&gt;Why this is revolutionary:&lt;/p&gt;

&lt;p&gt;Phish-Proof: The signature is unique to the website's domain. If you're tricked into entering your credentials on evil-site.com, the signature won't work. The attack fails.&lt;/p&gt;

&lt;p&gt;No Shared Secrets: Servers only store public keys. A data breach at the website reveals no credentials that can be used to impersonate you elsewhere.&lt;/p&gt;

&lt;p&gt;User-Friendly: No more memorizing passwords. You authenticate with a touch or a glance.&lt;/p&gt;

&lt;p&gt;Passkeys: FIDO2 Goes Mainstream&lt;br&gt;
FIDO2 was powerful but had an adoption hurdle: you often needed a separate physical security key. Passkeys are the next evolution, designed for mass consumption.&lt;/p&gt;

&lt;p&gt;A passkey is essentially a FIDO2 credential that is synced across your devices using a cloud account (iCloud Keychain, Google Password Manager, Windows Hello) and is backed up securely.&lt;/p&gt;

&lt;pre&gt;&lt;code class="language-javascript"&gt;// Example WebAuthn registration call (conceptual)
// The challenge and user id must be supplied by the server; the empty
// Uint8Array literals below are placeholders for those server-provided bytes.
navigator.credentials.create({
  publicKey: {
    challenge: new Uint8Array([/* random data from server */]),
    rp: { name: "Example Website" },
    user: {
      id: new Uint8Array([/* user identifier */]),
      name: "user@example.com",
      displayName: "User"
    },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }] // ES256 algorithm
  }
}).then(function(newCredential) {
  // Send newCredential to the server for registration
}).catch(function(error) {
  console.error("Registration failed", error);
});
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Key Advantages of Passkeys:&lt;/p&gt;

&lt;p&gt;Seamless Syncing: Your keys are available on your laptop, phone, and tablet.&lt;/p&gt;

&lt;p&gt;Cross-Platform: Efforts are underway (led by Apple, Google, and Microsoft) to allow passkeys created on one ecosystem (e.g., Android) to be used on a competitor's platform (e.g., macOS).&lt;/p&gt;

&lt;p&gt;Easy Recovery: Since they are backed up, losing a device doesn't mean being locked out of your life.&lt;/p&gt;

&lt;p&gt;Built-in Two Factors: The possession of the private key (something you have) is unlocked by your biometric (something you are). It's multi-factor authentication in a single step.&lt;/p&gt;

&lt;p&gt;Using a passkey feels like magic: you just click "Sign in with a passkey," get a biometric prompt on your phone, and you're in—securely.&lt;/p&gt;

&lt;p&gt;What's Next? The Invisible Future of Authentication&lt;br&gt;
So, what comes after Passkeys? The trend is moving towards making authentication completely invisible and context-aware.&lt;/p&gt;

&lt;p&gt;Behavioral Biometrics &amp;amp; Continuous Authentication: Instead of a single login point, systems will continuously verify your identity based on how you interact with your device: your typing rhythm, mouse movements, walking gait (from phone sensors), and even app usage patterns. A significant deviation would trigger a step-up authentication.&lt;/p&gt;

&lt;p&gt;Device Mesh as Identity: Your personal cluster of trusted devices—your watch, phone, laptop, earbuds—will form a secure, implicit authentication network. Proximity to these devices could grant access to your computer or even physical spaces without any active input.&lt;/p&gt;

&lt;p&gt;Decentralized Identity (DID) &amp;amp; Self-Sovereign Identity: This is the paradigm shift. Instead of logging into a site with credentials they store, you would present a verifiable credential from a digital wallet you control. You own and manage your identity, choosing what information to share without relying on a central authority (like Google or Facebook) to vouch for you. The FIDO2 model of private keys staying on your device is a foundational step towards this future.&lt;/p&gt;

&lt;p&gt;Conclusion: A Phishing-Resistant Future is Inevitable&lt;br&gt;
The transition from passwords to a passwordless world is no longer a question of "if" but "when." The standards (FIDO2/WebAuthn) are mature, and the user-friendly implementation (Passkeys) is being rolled out by every major platform.&lt;/p&gt;

&lt;p&gt;What should you do today?&lt;/p&gt;

&lt;p&gt;As a User: Start using Passkeys where they are offered (e.g., Google, Apple, Microsoft accounts, GitHub, Cloudflare, etc.). Embrace the convenience and massive security upgrade.&lt;/p&gt;

&lt;p&gt;As a Developer: Integrate the WebAuthn API into your applications. It's the single biggest step you can take to protect your users from account takeover and reduce the support burden of password resets.&lt;/p&gt;

&lt;p&gt;SMS had a good run, but its time as a security tool is over. The future is cryptographic, phishing-resistant, and beautifully simple. The password is dead. Long live the passkey. More information at BFD.CARDS.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>programming</category>
      <category>ai</category>
      <category>productivity</category>
    </item>
    <item>
      <title>In the Crosshairs: A Deep Dive into the MGM Resorts Cyber Attack - A Masterclass in Social Engineering</title>
      <dc:creator>yanix Yanix</dc:creator>
      <pubDate>Sun, 05 Oct 2025 10:55:02 +0000</pubDate>
      <link>https://dev.to/yanix_yanix_d22423595186a/in-the-crosshairs-a-deep-dive-into-the-mgm-resorts-cyber-attack-a-masterclass-in-social-3kjn</link>
      <guid>https://dev.to/yanix_yanix_d22423595186a/in-the-crosshairs-a-deep-dive-into-the-mgm-resorts-cyber-attack-a-masterclass-in-social-3kjn</guid>
      <description>&lt;p&gt;We often imagine sophisticated cyber attacks as complex sequences of zero-day exploits and advanced malware. But sometimes, the most devastating breaches are executed not by exploiting code, but by exploiting human psychology. The September 2023 attack on MGM Resorts International is a stark, modern reminder of this fact. It wasn't a fancy new payload that brought the global hospitality giant to its knees; it was a 10-minute phone call.&lt;/p&gt;

&lt;p&gt;This article breaks down the attack chain, not to shame the victim, but to provide a crucial learning opportunity for IT security professionals, DevOps engineers, and company leadership. By understanding how it happened, we can all build better defenses.&lt;/p&gt;

&lt;p&gt;The Attack Chain: A Phased Breakdown&lt;br&gt;
The group behind the attack, Scattered Spider (also known as UNC3944), executed a near-flawless social engineering operation. Let's map it to a simplified Cyber Kill Chain.&lt;/p&gt;

&lt;p&gt;Phase 1: Reconnaissance &amp;amp; Weaponization&lt;br&gt;
The attackers didn't start blind. They likely spent weeks profiling their target on professional networks like LinkedIn.&lt;/p&gt;

&lt;p&gt;Goal: Identify key personnel in the IT Help Desk department.&lt;/p&gt;

&lt;p&gt;Method: They gathered names, positions, and likely even learned about internal procedures and lingo. This information was their weapon.&lt;/p&gt;

&lt;p&gt;Phase 2: Delivery &amp;amp; Exploitation (The "Vishing" Call)&lt;br&gt;
This was the critical pivot point. The attackers placed a call to the MGM Help Desk.&lt;/p&gt;

&lt;p&gt;The Lie: The attacker impersonated an employee who needed a password reset.&lt;/p&gt;

&lt;p&gt;The Bypass: When the help desk agent asked for multi-factor authentication (MFA) approval, the attacker claimed they couldn't access their authenticator app. They then convinced the agent to simply issue a new one.&lt;/p&gt;

&lt;p&gt;The Exploit: This simple request exploited a critical vulnerability: the lack of rigorous verification protocols at the help desk level. The human firewall was bypassed.&lt;/p&gt;

&lt;p&gt;Phase 3: Installation &amp;amp; Command &amp;amp; Control (C2)&lt;br&gt;
With access to a legitimate employee's credentials and MFA token, the attackers were inside.&lt;/p&gt;

&lt;p&gt;Lateral Movement: They didn't need to deploy malware immediately. They used valid credentials to navigate the network, seeking higher levels of access.&lt;/p&gt;

&lt;p&gt;Persistence: They eventually gained access to MGM's privileged access management (PAM) solution, like CyberArk or BeyondTrust, and/or their Azure AD environment. This gave them the keys to the kingdom.&lt;/p&gt;

&lt;p&gt;Phase 4: Actions on Objectives: The "Big Game Hunt"&lt;br&gt;
Their goal was financial gain through extortion, a classic ransomware playbook.&lt;/p&gt;

&lt;p&gt;Data Exfiltration: They located and began siphoning off sensitive customer data (SSNs, driver's licenses, etc.) to use as leverage.&lt;/p&gt;

&lt;p&gt;System Compromise: They deployed ransomware to encrypt systems, but the real damage was already done through the initial access and data theft.&lt;/p&gt;

&lt;p&gt;Operational Shutdown: The attack crippled MGM's operations. Slot machines, reservation systems, and hotel keycard systems failed. The estimated financial impact soared into the hundreds of millions.&lt;/p&gt;

&lt;p&gt;The Technical Heart of the Issue: It's Not About the Tech&lt;br&gt;
The most chilling aspect of this attack is that MGM likely had millions of dollars worth of security technology in place: firewalls, EDR, SIEM systems. Yet, all of it was rendered useless because the attack circumvented technology entirely.&lt;/p&gt;

&lt;p&gt;The flaw was in the process and the human element.&lt;/p&gt;

&lt;pre&gt;&lt;code class="language-bash"&gt;# This is what the attackers DIDN'T have to do.
# They didn't need to craft a complex exploit.
./metasploit_framework -x "exploit/windows/smb/ms17_010_eternalblue"

# Instead, their "exploit" was a social script:
# "Hi, this is John from Accounting. I'm locked out of my account and I can't get my MFA to work.
#  I have a deadline on this report for the CFO. Can you please just reset it for me?"
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;The Critical Failure Points:&lt;/p&gt;

&lt;p&gt;Inadequate Help Desk Verification: The procedure for verifying an employee's identity before performing a high-impact action like an MFA reset was insufficient. A callback to a manager's known number or verifying via a separate channel was missing.&lt;/p&gt;

&lt;p&gt;Over-Reliance on MFA as a Silver Bullet: MFA is fantastic, but it's not infallible. "MFA Fatigue" attacks are common, and this "MFA Reset" social engineering is another variant. Organizations must protect the enrollment and reset processes just as fiercely as the login process itself.&lt;/p&gt;

&lt;p&gt;Lack of Zero-Trust Principles: A core tenet of Zero Trust is "never trust, always verify." The network was seemingly designed with an implicit trust that anyone with valid credentials inside was legitimate. There was likely insufficient segmentation between a standard user's network and critical infrastructure like hotel operations.&lt;/p&gt;

&lt;p&gt;The Blueprint for Defense: Practical Lessons for Every Company&lt;br&gt;
This incident is a textbook case from which we can extract actionable defense strategies.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Harden Your Human Firewall (Help Desk Procedures)
Your help desk is a primary attack vector. Implement strict identity verification protocols:&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Pre-established Questions: Employees should set up personal verification questions (e.g., "What was the name of your first manager?") that are not easily found on social media.&lt;/p&gt;

&lt;p&gt;Out-of-Band Verification: The help desk must call the employee back on a pre-verified phone number from the HR file to confirm any credential or MFA reset request.&lt;/p&gt;

&lt;p&gt;Mandatory Training: Regular, simulated phishing and vishing tests for all employees, especially help desk staff, are non-negotiable.&lt;/p&gt;

&lt;ol start="2"&gt;
&lt;li&gt;Implement Modern MFA and Identity Protection&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Phishing-Resistant MFA: Move away from SMS and push notifications. Mandate the use of FIDO2 security keys or WebAuthn-based authenticators that require physical interaction and are immune to these social engineering and MFA-fatigue attacks.&lt;/p&gt;

&lt;p&gt;Conditional Access Policies (CAP): In cloud environments (Azure AD, Okta), enforce CAPs that restrict access based on device compliance, network location, and user risk level. A login from a new device in a foreign country right after a password reset should trigger a block and an alert.&lt;/p&gt;

&lt;ol start="3"&gt;
&lt;li&gt;Architect for Resilience (Assume Breach)&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Network Segmentation: Critical operational technology (OT) systems—like those controlling building access, slot machines, or industrial controls—must be on isolated networks with strictly controlled access gates. A breach in the corporate IT network should not be able to jump to the OT network.&lt;/p&gt;

&lt;p&gt;Privileged Access Management (PAM): Secure, monitor, and manage access to administrative accounts. Require additional approvals and justification for accessing the most critical systems.&lt;/p&gt;

&lt;p&gt;Robust Monitoring: Ensure your SIEM/SOC is tuned to detect anomalous activity following a help desk event, such as a user account accessing systems they never have before or accessing file shares at an unusual volume.&lt;/p&gt;

&lt;p&gt;Conclusion: The Threat is Human, So is the Solution&lt;br&gt;
The MGM breach wasn't a failure of technology; it was a failure of process. It highlights that our security strategies must evolve to defend against the manipulation of human nature, not just the exploitation of software bugs.&lt;/p&gt;

&lt;p&gt;The most effective security investment you can make today might not be a new firewall, but a comprehensive review of your help desk procedures and company-wide security awareness training. In the modern threat landscape, every employee is a security sensor, and every process is a potential defense layer. Let's learn from MGM's incident to ensure our organizations aren't the next ones in the crosshairs. More info at BFD.CARDS.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>ai</category>
      <category>javascript</category>
      <category>beginners</category>
    </item>
    <item>
      <title>Your Smart Home is Betraying You: How to Secure IoT Devices (Cameras, Speakers, Kettles)</title>
      <dc:creator>yanix Yanix</dc:creator>
      <pubDate>Sun, 05 Oct 2025 10:53:21 +0000</pubDate>
      <link>https://dev.to/yanix_yanix_d22423595186a/your-smart-home-is-betraying-you-how-to-secure-iot-devices-cameras-speakers-kettles-34hg</link>
      <guid>https://dev.to/yanix_yanix_d22423595186a/your-smart-home-is-betraying-you-how-to-secure-iot-devices-cameras-speakers-kettles-34hg</guid>
      <description>&lt;p&gt;You bought that smart plug for convenience, the camera for security, and the speaker for fun. But what if that very camera became a peephole for a stranger? What if that speaker was listening not just for "Hey Google," but for your credit card details? This isn't a plot for a dystopian movie; it's the daily reality of poorly secured Internet of Things (IoT) devices.&lt;/p&gt;

&lt;p&gt;The problem isn't that IoT is inherently bad. The problem is that these devices are designed for low cost and easy setup, not security. They are the weakest link in your home network, and once compromised, they can be used as a springboard to attack your laptop, your phone, and your data.&lt;/p&gt;

&lt;p&gt;This article is a practical guide. We won't just scare you; we'll give you a concrete, actionable blueprint to lock down your smart home and reclaim your privacy.&lt;/p&gt;

&lt;p&gt;Why Your Fridge is a Security Risk: The Anatomy of an IoT Threat&lt;br&gt;
Most IoT attacks are not personal; they're automated. Bots constantly scan the internet for vulnerable devices. Their goals are:&lt;/p&gt;

&lt;p&gt;Enlisting in a Botnet: Your smart TV could be used to launch a DDoS attack against a major website.&lt;/p&gt;

&lt;p&gt;Data Theft: Sensors can gather data on your habits, your voice, and your movements.&lt;/p&gt;

&lt;p&gt;Ransomware: Smart locks or thermostats could be held hostage.&lt;/p&gt;

&lt;p&gt;Network Pivoting: Once inside through a weak device, attackers can move laterally to your more valuable computers.&lt;/p&gt;

&lt;p&gt;The attack vectors are often laughably simple:&lt;/p&gt;

&lt;p&gt;Default Passwords: The most common sin. Thousands of devices are online with admin/admin credentials.&lt;/p&gt;

&lt;p&gt;Outdated Software: IoT devices rarely update automatically, and vendors quickly abandon support.&lt;/p&gt;

&lt;p&gt;Unencrypted Communication: Data sent from the device to the cloud can be spied on.&lt;/p&gt;

&lt;p&gt;Vulnerable Services: Open ports (like Telnet or SSH) with weak authentication are a welcome mat for hackers.&lt;/p&gt;

&lt;p&gt;Your IoT Security Action Plan: 7 Practical Steps&lt;br&gt;
You don't need to be a network engineer to implement these steps. Start with #1 and work your way down.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;1.&lt;/strong&gt; The Golden Rule: Change Default Passwords!&lt;br&gt;
Before you do anything else, give every device a unique, strong password. This single action blocks a huge percentage of automated attacks. Use a password manager to generate and store these complex passwords.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;2.&lt;/strong&gt; Isolate the Threat: Create a Guest Wi-Fi Network&lt;br&gt;
This is the most effective single step you can take. Your main Wi-Fi network should be for trusted devices: computers, phones, and tablets. All your IoT devices should live on a separate guest network.&lt;/p&gt;

&lt;p&gt;Why it works: Guest networks are designed to isolate devices from each other and from your main network. If your smart kettle gets hacked, the attacker cannot see or communicate with your laptop where you do your online banking.&lt;/p&gt;

&lt;p&gt;Most modern routers have this feature built-in. It's often under "Wireless Settings" or "Guest Zone." Ensure the "Allow guests to access my local network" option is UNCHECKED.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;3.&lt;/strong&gt; Digital Hygiene: Keep Firmware Updated&lt;br&gt;
Enable automatic updates if the option exists. Periodically check the manufacturer's app or website for firmware updates. If you buy a device from a company known for abandoning security support, think twice. This is a big issue with cheap, no-name brands.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;4.&lt;/strong&gt; Principle of Least Privilege: Disable Unnecessary Features&lt;br&gt;
Does your smart camera need remote access when you're at home? Does it need to have UPnP (Universal Plug and Play) enabled, which can automatically open ports on your router? Go through each device's settings and turn off every feature you don't explicitly need. Less functionality often means a smaller attack surface.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;5.&lt;/strong&gt; Audit and Inventory: Know What's on Your Network&lt;br&gt;
You can't secure what you don't know about. Use tools to see every device connected to your Wi-Fi. Your router's admin page often has a list. More advanced tools like Fing (a mobile app) or nmap (a command-line tool) can give you more details.&lt;/p&gt;

&lt;pre&gt;&lt;code class="language-bash"&gt;# A basic nmap scan to discover devices on your network
# Replace 192.168.1.0/24 with your network subnet (find it in your router settings)
nmap -sn 192.168.1.0/24

# This will list all active IP addresses. MAC addresses (and vendor names) are
# shown when the scan runs with root privileges on the local subnet, e.g. via sudo.
# You can then research any device you don't recognize.
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;&lt;strong&gt;6.&lt;/strong&gt; Secure the Gateway: Harden Your Router&lt;br&gt;
Your router is the gatekeeper of your entire home network.&lt;/p&gt;

&lt;p&gt;Change its default admin password.&lt;/p&gt;

&lt;p&gt;Disable remote administration (so you can only configure it from inside your network).&lt;/p&gt;

&lt;p&gt;Ensure its firmware is also up to date. This is critically important.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;7.&lt;/strong&gt; Think Before You Buy: Security as a Feature&lt;br&gt;
Next time you buy a smart device, research its security posture.&lt;/p&gt;

&lt;p&gt;Does the vendor have a good track record of updates?&lt;/p&gt;

&lt;p&gt;Does it support modern security standards?&lt;/p&gt;

&lt;p&gt;Does it require a cloud account for basic functionality, or can it run locally? Local-only devices (e.g., using Zigbee or Z-Wave with a local hub) are often more private.&lt;/p&gt;

&lt;p&gt;Beyond the Basics: For the Prosumer&lt;br&gt;
If you're comfortable with more advanced configurations, consider these steps:&lt;/p&gt;

&lt;p&gt;Set up a VLAN: For advanced users with prosumer/enterprise gear (e.g., Ubiquiti, MikroTik). A VLAN is a more robust way to segment your network than a simple guest Wi-Fi.&lt;/p&gt;

&lt;p&gt;Use a Pi-hole: This network-level ad blocker can also act as a DNS sinkhole, preventing your IoT devices from "phoning home" to malicious or tracking domains.&lt;/p&gt;

&lt;p&gt;Firewall Rules: Create explicit firewall rules on your router to block all inbound internet traffic to your IoT devices. They should only be allowed to initiate outbound connections.&lt;/p&gt;

&lt;p&gt;Conclusion: From Smart Home to Secure Home&lt;br&gt;
Securing your IoT ecosystem isn't a one-time task; it's an ongoing process. It's about shifting your mindset from simply adding convenience to managing risk.&lt;/p&gt;

&lt;p&gt;By following this blueprint—segmenting your network, changing defaults, and staying updated—you transform your smart home from a vulnerable liability into a truly secure and convenient sanctuary. Don't let your convenience come at the cost of your security. Take control today.&lt;/p&gt;

&lt;p&gt;Your turn: What's the most surprising thing you found on your network after doing an audit? Share your stories in the comments. More from BFD.CARDS.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>programming</category>
      <category>ai</category>
      <category>javascript</category>
    </item>
    <item>
      <title>How to Prepare and Run a Training Phishing Test for Employees Without Demotivating Them</title>
      <dc:creator>yanix Yanix</dc:creator>
      <pubDate>Wed, 01 Oct 2025 20:00:39 +0000</pubDate>
      <link>https://dev.to/yanix_yanix_d22423595186a/how-to-prepare-and-run-a-training-phishing-test-for-employees-without-demotivating-them-4eom</link>
      <guid>https://dev.to/yanix_yanix_d22423595186a/how-to-prepare-and-run-a-training-phishing-test-for-employees-without-demotivating-them-4eom</guid>
      <description>&lt;p&gt;The click-rate metric flashes on your screen: 35%. A wave of frustration washes over you. Despite all the policies and annual training, over a third of your employees just fell for your simulated phishing email. The classic response? A stern company-wide reminder, mandatory re-training for the "clickers," and perhaps even naming and shaming.&lt;/p&gt;

&lt;p&gt;This approach is not just ineffective; it's harmful. It breeds resentment, fear, and a culture where employees hide their mistakes. The goal of a phishing simulation isn't to catch people failing—it's to teach them how to succeed. This article outlines a strategy for building a phishing training program that empowers your employees instead of punishing them, turning your human layer from a liability into your strongest asset.&lt;/p&gt;

&lt;p&gt;The Philosophy: Shift from Compliance to Education&lt;br&gt;
Before you send a single test email, you must reframe the entire purpose of the exercise.&lt;/p&gt;

&lt;p&gt;The Wrong Mindset: "We need to find out who the weak links are and force them to comply."&lt;/p&gt;

&lt;p&gt;The Right Mindset: "We are creating a continuous learning environment where it's safe to practice and fail in a controlled setting. Every click is a learning opportunity."&lt;/p&gt;

&lt;p&gt;Your employees are not a security problem to be solved; they are your first line of defense. Treat them as such.&lt;/p&gt;

&lt;p&gt;Phase 1: Preparation and Strategy – Laying the Foundation&lt;br&gt;
A successful program is built long before the "Send" button is pressed.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Get Leadership Buy-In and Communicate Transparently&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Why: If the CEO and leadership team are onboard and participating openly, it signals that this is a priority for the entire company, not just a "gotcha" tactic from IT.&lt;/p&gt;

&lt;p&gt;How: Announce the program before it starts. Explain the why: "We are launching a continuous security awareness program to help all of us better protect our company and each other from real threats. This includes periodic simulated exercises."&lt;/p&gt;

&lt;ol start="2"&gt;
&lt;li&gt;Define Clear, Positive Goals
What does success look like? Avoid vanity metrics like "lower click-rate" as the primary goal.&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Primary Goal: Increase the number of employees who report suspicious emails (even if they are simulated).&lt;/p&gt;

&lt;p&gt;Secondary Goal: Create a culture of shared vigilance where employees discuss and question unusual emails.&lt;/p&gt;

&lt;ol start="3"&gt;
&lt;li&gt;Choose the Right Tool and Scenarios&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Start Easy: Your first campaign should not be an advanced, polymorphic masterpiece. Use a classic, well-known template (e.g., a fake DocuSign request, a fake password expiration notice). The goal of the first test is to introduce the concept and give people an early win.&lt;/p&gt;

&lt;p&gt;Gradually Increase Difficulty: As the program matures, introduce more sophisticated lures that mimic current real-world threats, like vendor impersonation or QR code phishing ("quishing").&lt;/p&gt;

&lt;p&gt;Ensure a Safe Landing Page: When someone clicks, they should never see a giant "YOU FAILED!" message. Instead, redirect them to a friendly, immediate teaching moment.&lt;/p&gt;

&lt;p&gt;Phase 2: Execution – The "Teaching Moment" in Action&lt;br&gt;
This is the most critical phase. The user's experience the moment they interact with the test defines the entire program's tone.&lt;/p&gt;

&lt;p&gt;The Ideal User Journey:&lt;/p&gt;

&lt;p&gt;Employee receives a realistic-looking phishing email.&lt;/p&gt;

&lt;p&gt;Employee is suspicious and reports it using your established reporting tool (e.g., the "Report Phish" button in Outlook). → This is a major win! They should receive immediate positive reinforcement.&lt;/p&gt;

&lt;p&gt;Employee clicks the link. They are redirected to a short, engaging landing page.&lt;/p&gt;

&lt;p&gt;The landing page does NOT say "You failed." It says: "This was a simulated phishing test. Good job being cautious! Here’s one tip on what to look for in a similar real email..." It then provides a 60-second micro-lesson with a screenshot of the email and a highlighted red flag (e.g., the sender's address, the urgent language).&lt;/p&gt;

&lt;p&gt;The lesson is skippable. Respect their time. The goal is awareness, not forced detention.&lt;/p&gt;

&lt;pre class="highlight html"&gt;&lt;code&gt;&amp;lt;!DOCTYPE html&amp;gt;
&amp;lt;html&amp;gt;
&amp;lt;head&amp;gt;
    &amp;lt;meta charset="UTF-8"&amp;gt;
    &amp;lt;title&amp;gt;Security Awareness Training&amp;lt;/title&amp;gt;
    &amp;lt;style&amp;gt;
        body { font-family: Arial, sans-serif; text-align: center; padding: 50px; }
    &amp;lt;/style&amp;gt;
&amp;lt;/head&amp;gt;
&amp;lt;body&amp;gt;
    &amp;lt;h2&amp;gt;🛡️ Phishing Simulation Exercise&amp;lt;/h2&amp;gt;
    &amp;lt;p&amp;gt;&amp;lt;strong&amp;gt;This was a test email from the [Your Company] Security Team.&amp;lt;/strong&amp;gt;&amp;lt;/p&amp;gt;
    &amp;lt;p&amp;gt;You've helped us practice our defenses. Thank you!&amp;lt;/p&amp;gt;

    &amp;lt;h3&amp;gt;🔍 What to look for:&amp;lt;/h3&amp;gt;
    &amp;lt;img src="highlighted_phishing_email.png" alt="Example email with suspicious sender address highlighted" width="800" height="400"&amp;gt;
    &amp;lt;p&amp;gt;&amp;lt;em&amp;gt;The sender's address was '&amp;lt;strong&amp;gt;support@security-department.com&amp;lt;/strong&amp;gt;' instead of our official '@yourcompany.com' domain.&amp;lt;/em&amp;gt;&amp;lt;/p&amp;gt;

    &amp;lt;!-- Link targets were not given in the original; point these at your own pages --&amp;gt;
    &amp;lt;p&amp;gt;&amp;lt;a href="#"&amp;gt;Dismiss&amp;lt;/a&amp;gt; | &amp;lt;a href="#"&amp;gt;Learn more about phishing&amp;lt;/a&amp;gt;&amp;lt;/p&amp;gt;
&amp;lt;/body&amp;gt;
&amp;lt;/html&amp;gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Phase 3: Post-Test Analysis and Follow-Up – Building a Culture&lt;br&gt;
The work doesn't stop after the simulation ends. This is where culture is built.&lt;/p&gt;

&lt;ol&gt;
&lt;li&gt;Analyze the Data, Not to Punish, but to Teach&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Look for departments with higher click rates. This indicates a need for targeted support, not reprimand.&lt;/p&gt;

&lt;p&gt;Identify trends: Are people falling for a specific type of lure? This data should inform your next company-wide security communication.&lt;/p&gt;
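&lt;p&gt;As an added example (not the article's code), here is the kind of per-department breakdown this step calls for: it takes result rows of the same shape the tracker later in the post records, plus a constructed user-to-department map, and returns report and click rates per department, the departments at or above a click threshold, and the company-wide reporting rate for the follow-up email.&lt;/p&gt;

```python
# Added example (not the article's code): per-department analysis of one
# simulation's results. The department map and result rows are constructed.
from collections import defaultdict

DEPARTMENTS = {  # constructed; in practice, pull this from your directory
    "anna@company.com": "Finance", "bob@company.com": "Finance",
    "carla@company.com": "Engineering", "dan@company.com": "Engineering",
    "eve@company.com": "Sales",
}

# Constructed rows in the shape a tracker records: one row per user action.
# A user who never interacted has no row; eve clicked and then reported.
RESULTS = [
    {"user": "anna@company.com", "action": "reported"},
    {"user": "bob@company.com", "action": "clicked"},
    {"user": "carla@company.com", "action": "reported"},
    {"user": "dan@company.com", "action": "reported"},
    {"user": "eve@company.com", "action": "clicked"},
    {"user": "eve@company.com", "action": "reported"},
]

def department_metrics(results, departments):
    """Per-department headcount, unique reporters/clickers and rates in %.
    A user counts once per action type, so clicking and then reporting raises
    both rates; users missing from the department map are skipped."""
    users = defaultdict(set)  # (dept, action) -> users who took that action
    for row in results:
        dept = departments.get(row["user"])
        if dept is not None:
            users[(dept, row["action"])].add(row["user"])
    headcount = defaultdict(int)
    for dept in departments.values():
        headcount[dept] += 1
    metrics = {}
    for dept, n in headcount.items():
        reported = len(users[(dept, "reported")])
        clicked = len(users[(dept, "clicked")])
        metrics[dept] = {"headcount": n, "reported": reported, "clicked": clicked,
                         "report_rate": round(100 * reported / n),
                         "click_rate": round(100 * clicked / n)}
    return metrics

def needs_support(metrics, click_threshold=50):
    """Departments at or above the click threshold: a cue for targeted help."""
    return sorted(d for d, m in metrics.items() if m["click_rate"] >= click_threshold)

def overall_report_rate(metrics):
    """Company-wide share of employees who reported, for the follow-up email."""
    total = sum(m["headcount"] for m in metrics.values())
    return round(100 * sum(m["reported"] for m in metrics.values()) / total)
```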

&lt;ol start="2"&gt;
&lt;li&gt;Provide Positive Reinforcement and Share Stories&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Company-Wide Email: "Last week, we ran a phishing simulation. We want to give a huge shout-out to the 65% of you who reported the email correctly! For those who interacted with it, you've already completed a short training. Let's aim for 70% next time!"&lt;/p&gt;

&lt;p&gt;Celebrate Reporters: Consider small rewards (e.g., public recognition, company swag) for employees who consistently report phishing attempts, both simulated and real.&lt;/p&gt;

&lt;ol start="3"&gt;
&lt;li&gt;Offer Optional, Engaging Training&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Mandatory, hour-long training modules are often seen as a punishment. Instead, offer short, voluntary "Lunch &amp;amp; Learn" sessions or provide a library of engaging, short video content.&lt;/p&gt;

&lt;p&gt;Focus on empowerment: Frame it as "Learn how to protect yourself and your family at home too."&lt;/p&gt;

&lt;ol start="4"&gt;
&lt;li&gt;Integrate Reporting into Daily Life&lt;/li&gt;
&lt;/ol&gt;

&lt;p&gt;Make reporting real phishing emails dead simple. The "Report Phish" button is essential.&lt;/p&gt;

&lt;p&gt;When someone reports a real phishing email, thank them publicly (anonymously if they prefer) and use it as a real-world example for the entire company.&lt;/p&gt;

&lt;p&gt;A Note on Tools and Automation (The "How")&lt;br&gt;
While the strategy is key, you need tools to execute it. Many Security Awareness and Phishing Simulation platforms exist (e.g., KnowBe4, Cofense, Proofpoint Security Awareness). When evaluating, ensure they support:&lt;/p&gt;

&lt;p&gt;Positive, immediate landing pages that you can customize.&lt;/p&gt;

&lt;p&gt;Easy reporting integration (e.g., an Outlook add-in).&lt;/p&gt;

&lt;p&gt;Detailed analytics that focus on reporting rates and trends, not just shaming clickers.&lt;/p&gt;

&lt;p&gt;A library of templates and micro-training videos.&lt;/p&gt;

&lt;p&gt;You can also build a simple simulator with internal tools.&lt;/p&gt;

&lt;pre class="highlight python"&gt;&lt;code&gt;# A highly simplified conceptual example of a phishing test tracker
# This is NOT a production-ready script.
from datetime import datetime


class PhishingCampaign:
    def __init__(self, campaign_name, target_group):
        self.campaign_name = campaign_name
        self.target_group = target_group
        self.sent_date = datetime.now()
        self.results = []  # List to store user, action (click/report), timestamp

    def record_action(self, user_email, action):
        """Record a user's action (click or report)"""
        result = {
            'user': user_email,
            'action': action,  # e.g., 'clicked', 'reported'
            'timestamp': datetime.now()
        }
        self.results.append(result)
        print(f"Recorded: {user_email} - {action}")


# Simulate
campaign = PhishingCampaign("Q1 Vendor Impersonation Test", "all_employees")
campaign.record_action("anna@company.com", "reported")  # This is a win!
campaign.record_action("john@company.com", "clicked")  # This is a training opportunity
&lt;/code&gt;&lt;/pre&gt;

&lt;p&gt;Conclusion: Your Employees Are Your Allies&lt;br&gt;
The difference between a demotivating phishing test and an empowering one boils down to respect and intent. Are you testing your employees to catch them, or are you training them to protect themselves and the company?&lt;/p&gt;

&lt;p&gt;By fostering a blame-free culture of continuous learning, you transform security from a top-down enforcement chore into a shared responsibility. You will not only see your metrics improve but also build a resilient human firewall that is engaged, vigilant, and proud to be your first line of defense. Remember, the goal isn't a perfect score; it's a more secure organization.&lt;/p&gt;

</description>
      <category>webdev</category>
      <category>programming</category>
      <category>ai</category>
      <category>javascript</category>
    </item>
  </channel>
</rss>
