Awareness - Passwords, Spell Checkers, and MFA

Introduction

We would like to make you aware of some current security vulnerabilities, what you can do, and what anDREa is doing to mitigate the risks.

Passwords & Spell Checkers

Spell checkers offered by browsers, as well as apps like Grammarly, pose a serious security risk: these applications have been found to capture everything you type, including passwords, and to send and receive it in plain text.


What you can do (highly recommended):
  1. Disable spell checkers that work on browser pages
    1. Chrome / Edge / Firefox
      1. Go to settings, type in search: Spelling
      2. Disable
  2. Do not use applications like Grammarly in your browser while typing passwords

What anDREa can do:
  1. At this moment, nothing

MFA

MFA (Multi-Factor Authentication) has seriously improved the security of your data. However, the 'community' is not sitting idle and is currently exploiting what is known as MFA prompt spamming / MFA fatigue.


What you can do (highly recommended):
  1. Only accept MFA requests when the application in front of you is requesting it

What anDREa can do:
  1. To be rolled out very soon:
    1. Adding the following extra context to the MFA request:
      1. Location, the name of the app
  2. In the 'back pocket'
    1. Require number matching (effective, but not a nice user experience)
  3. To be explored (not even known if it is feasible for myDRE)
    1. Passwordless
