Yesterday I discovered how incredibly easy it is to steal session cookies and take over an account, even if it is protected by 2FA such as TOTP, OTP or even push-based authentication. Yes, the initial vector is phishing, but those attacks are getting increasingly sophisticated and hard to detect. If you have high-value accounts, and the option is available, use phishing-resistant second factors; the easiest being a passkey. This capability is built into most modern smartphones and is dead easy to set up (though obviously if it is bound to the device it's hard to use it on a different one, especially if you don't have access to the device) or, ideally, a FIDO2 hardware key.
This has been your public service infosec announcement for the day.
#infosec #phishing #passkeys
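Why a passkey or FIDO2 key survives the relay-style phishing described above, shown as an added example that is not part of the original post: in WebAuthn the browser, not the page, writes the origin it is actually on into clientDataJSON, and the authenticator signs over a hash of the relying party ID (rpIdHash). A TOTP or push approval carries no such binding, so a proxy can relay it unchanged. The code below models the browser/authenticator and the relying party's verification steps from the WebAuthn spec (type, challenge, origin, rpIdHash, user-presence flag); the signature check is left out and the names `example.com` and `login-examp1e.com` are made-up placeholders.

```python
import base64
import hashlib
import json
import os
import struct

# Assumed relying party (placeholder values, not from the original post).
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for the challenge in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_challenge() -> bytes:
    """RP-side: a fresh random challenge for each login attempt."""
    return os.urandom(32)


def browser_get_assertion(page_origin: str, challenge: bytes, requested_rp_id: str):
    """Model of the browser + authenticator for navigator.credentials.get().

    The page supplies only the challenge and rpId. The browser fills in the
    origin it is really on, and refuses an rpId that is not the page's
    effective domain or a registrable suffix of it. The authenticator then
    commits to sha256(rpId) in authenticatorData. (Signature omitted.)
    """
    host = page_origin.split("://", 1)[1].split("/")[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError("SecurityError: rpId not valid for origin " + page_origin)
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": page_origin,          # written by the browser, not the page
    }).encode()
    rp_id_hash = hashlib.sha256(requested_rp_id.encode()).digest()
    flags = b"\x01"                     # UP: user-presence bit set
    counter = struct.pack(">I", 7)      # constructed signature counter
    auth_data = rp_id_hash + flags + counter
    return client_data, auth_data


def rp_verify(client_data: bytes, auth_data: bytes, expected_challenge: bytes):
    """RP-side checks in spec order (signature verification not modelled)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "bad type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != RP_ORIGIN:
        return False, "origin mismatch: " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    return True, "ok"


def legit_login():
    """User on the real site: everything lines up."""
    challenge = make_challenge()
    cd, ad = browser_get_assertion(RP_ORIGIN, challenge, RP_ID)
    return rp_verify(cd, ad, challenge)


def phished_login(attacker_origin: str = "https://login-examp1e.com"):
    """Reverse-proxy phish: the proxy relays the real challenge and the real
    rpId to the victim, whose browser is on the attacker's origin."""
    challenge = make_challenge()        # relayed unchanged from the real RP
    try:
        cd, ad = browser_get_assertion(attacker_origin, challenge, RP_ID)
    except ValueError as err:           # browser refuses the foreign rpId
        return False, str(err)
    return rp_verify(cd, ad, challenge)


def phished_login_own_rpid(attacker_origin: str = "https://login-examp1e.com"):
    """Same proxy, but the attacker asks for an rpId matching its own domain
    so the browser cooperates; the RP still rejects the relayed assertion."""
    challenge = make_challenge()
    cd, ad = browser_get_assertion(attacker_origin, challenge, "login-examp1e.com")
    return rp_verify(cd, ad, challenge)


if __name__ == "__main__":
    print("legit:", legit_login())
    print("phished (real rpId):", phished_login())
    print("phished (attacker rpId):", phished_login_own_rpid())
```

The two phishing variants fail for different reasons: with the genuine rpId the browser itself refuses to produce an assertion on the attacker's origin, and with the attacker's own rpId the relying party rejects the origin (and would reject rpIdHash next). Neither check exists for a relayed TOTP code or a push approval, which is what makes those factors relayable.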