Hypothetical case:
An org doesn't have MFA. For reasons only valid in this scenario, they can only do mobile push notifications or security questions*. Which would you choose?

My answer: Given how easy it is to grief people into approving push notifications, I think that they are weaker authenticators than security questions, which require actual per-person research. If well designed, they may not be easy to find through OSINT.

Obviously, FIDO2/WebAuthN is going to be the best answer, but I think that advances in phishing capabilities have reached a point where some forms of "strong" MFA are anything but.

*Yes, I know security questions aren't technically MFA.

@chrismerkel I dunno. If someone was forced to respond to a push notification, it would be just as easy to force them to say what high school they attended. Hackers in Russia have nothing but time to figure out the answers to all of those questions; none of them are hard.
I was configuring security questions for a site yesterday; the only one that couldn't be answered by a genealogist was "what is your favorite food". I think they could come up with sushi within 5 guesses.

@Raddikulus Well, in my example, I'm assuming that the questions aren't typical. Perhaps even incredibly private 😃

I'm not sure I agree with the notion that attackers have "nothing but time" - these are well organized businesses and efficiency is just as critical there as it is here. Plus, it's a question of scale - in the time it takes to do the OSINT on one person, you can have a script griefing people with push notifications day and night across hundreds of thousands of accounts.
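The scaled push griefing described in this thread leaves a footprint in authentication logs that a defender can alert on. The following is an added example, not code from anyone in the thread: it parses a few constructed log lines in an assumed format (timestamp, user, source IP, event) and flags two patterns, a single account receiving a burst of push prompts (worst case: an approval arriving after earlier denials or timeouts, the "fatigue approval"), and a single source address prompting many distinct accounts inside one window, which per-user thresholds alone would miss. The log format, event names, thresholds and all user names and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push events (not from any real system).
# Assumed format: ISO timestamp, user, source IP, event name.
SAMPLE_LOG = """\
2024-05-01T02:00:01Z alice 203.0.113.7 push_sent
2024-05-01T02:00:31Z alice 203.0.113.7 push_denied
2024-05-01T02:01:02Z alice 203.0.113.7 push_sent
2024-05-01T02:01:40Z alice 203.0.113.7 push_timeout
2024-05-01T02:02:10Z alice 203.0.113.7 push_sent
2024-05-01T02:02:45Z alice 203.0.113.7 push_approved
2024-05-01T02:00:05Z bob 203.0.113.7 push_sent
2024-05-01T02:00:50Z bob 203.0.113.7 push_denied
2024-05-01T03:00:00Z dave 192.0.2.9 push_sent
2024-05-01T03:00:30Z dave 192.0.2.9 push_timeout
2024-05-01T03:00:40Z dave 192.0.2.9 push_sent
2024-05-01T03:01:10Z dave 192.0.2.9 push_timeout
2024-05-01T03:01:20Z dave 192.0.2.9 push_sent
2024-05-01T03:01:50Z dave 192.0.2.9 push_timeout
2024-05-01T08:15:00Z carol 198.51.100.4 push_sent
2024-05-01T08:15:20Z carol 198.51.100.4 push_approved
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse(log_text):
    """Parse log lines into sorted (timestamp, user, ip, event) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts, user, ip, event = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, event))
    events.sort()
    return events


def detect_push_fatigue(events, window=timedelta(minutes=10), max_prompts=3):
    """Return {user: verdict} for accounts that received >= max_prompts push
    prompts inside `window`. 'fatigue_approval' means the burst contained a
    denial/timeout and then an approval; otherwise 'push_bombing'."""
    by_user = defaultdict(list)
    for ts, user, _ip, ev in events:
        by_user[user].append((ts, ev))
    findings = {}
    for user, evs in by_user.items():
        sends = [ts for ts, ev in evs if ev == "push_sent"]
        for start in sends:
            burst = [t for t in sends if start <= t <= start + window]
            if len(burst) < max_prompts:
                continue
            outcomes = [ev for ts, ev in evs
                        if start <= ts <= start + window and ev != "push_sent"]
            rejected = any(o in ("push_denied", "push_timeout") for o in outcomes)
            if rejected and "push_approved" in outcomes:
                findings[user] = "fatigue_approval"
            else:
                findings[user] = "push_bombing"
            break  # one verdict per user is enough for an alert
    return findings


def detect_spray(events, window=timedelta(minutes=10), min_users=2):
    """Return {ip: [users]} for source addresses that prompted >= min_users
    distinct accounts inside `window`. min_users is set low for this tiny
    sample; a real deployment would tune it to its own baseline."""
    by_ip = defaultdict(list)
    for ts, user, ip, ev in events:
        if ev == "push_sent":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, sends in by_ip.items():
        sends.sort()
        for ts, _ in sends:
            users = {u for t, u in sends if ts <= t <= ts + window}
            if len(users) >= min_users:
                flagged[ip] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print("per-user:", detect_push_fatigue(evs))
    print("per-source:", detect_spray(evs))
```

In the sample, alice is flagged as a fatigue approval (three prompts, a denial and a timeout, then an approval), dave as push bombing (three prompts, all timed out), and 203.0.113.7 as a source prompting multiple accounts in one window. The approval after repeated rejections is the case worth paging on, since it is the one where the factor has already been defeated; number matching or a hard cap on prompts per window removes the condition that makes it possible.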