Whether you're logging into your bank, health insurance, or even your email, most services today do not live by passwords alone. Now commonplace, multifactor authentication (MFA) requires users to enter a second or third proof of identity. However, not all forms of MFA are created equal, and the one-time passwords orgs send to your phone have holes so big you could drive a truck through them.

For example, email security shop Abornormal AI documented a recent series of incidents at academic institutions where attackers were able to phish victims into not only entering their usernames and passwords but also the one-time password (OTP) they received from the schools' servers.

Using someone's legitimate account credentials is a much more effective avenue for crims than finding a security hol

See Full Page