identity-security

MFA Isn't the Final Barrier Anymore. It Hasn't Been for a While.

John Z Black Apr 10, 2026

Security Operations & Resilience #mfa #phishing #aitm #fido2 #chrome-dbsc #venom-phaas #unc6783 #infostealers #identity-security

Three research teams this week documented MFA failures at login, at the helpdesk layer, and post-session. The answer isn't more MFA. It's hardware-bound authentication.

Your MFA Isn't Enough. (And Most Places Don't Even Have That.)

John Z Black Mar 29, 2026

Incidents & Breaches #mfa #phishing #oauth #device-code-phishing #microsoft365 #passwordless #azure #authentication #identity-security

A phishing campaign bypassed MFA at 340+ organizations using legitimate OAuth flows, while 76% of companies are still relying on passwords in the first place.