Should we be moving toward a hardware token for 2FA?

562 Views | 6 Replies | Last: 5 yr ago by KidDoc
saw em off
Reading this article makes me wonder if authenticator apps and SMS are going to be a thing of the past. I knew SMS was the least secure 2FA. Anyone had experiences with YubiKeys and the like?
kb2001
We have a YubiKey for our AWS root accounts; it just sits in a safe onsite though, not really used. We're generally still using software for this. Not looking forward to having to get physical keyfobs again.
TravelAg2004
If you read the article, it's really just a sophisticated man-in-the-middle attack.

https://blog.duszynski.eu/phishing-ng-bypassing-2fa-with-modlishka/

He's just setting up a proxy and passing all information back and forth, but capturing data. So it's not really bypassing 2FA in the way the article is implying.

And based on my very limited understanding of hardware 2FA such as YubiKeys, not sure they would be safe from this unless they communicate on a completely different channel and not via the website.
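An added illustration, not part of the thread or the linked article: a server-side view of why a one-time code passed through a relaying proxy still verifies, while a WebAuthn/FIDO2 assertion (the protocol hardware keys such as YubiKeys speak) carries the origin the browser actually saw. The origins, secret and challenge are constructed sample values, and verification of the authenticator's signature over the client data is assumed to happen separately.

```python
import base64, hashlib, hmac, json, struct

EXPECTED_ORIGIN = "https://login.example.com"  # assumed relying-party origin

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), the scheme authenticator apps use."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret: bytes, submitted: str, t: int) -> bool:
    # Nothing in the code records which site the user typed it into, so a
    # code relayed by a proxy verifies exactly like one typed on the real site.
    return hmac.compare_digest(totp(secret, t).encode(), submitted.encode())

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_client_data(client_data_json: bytes, challenge: bytes) -> bool:
    """Relying-party checks on WebAuthn clientDataJSON: type, challenge, origin.
    Assumes the authenticator's signature, which covers a hash of this JSON,
    is verified separately; that signature is what stops a relay rewriting it."""
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    return (isinstance(data, dict)
            and data.get("type") == "webauthn.get"
            and data.get("challenge") == b64url(challenge)
            and data.get("origin") == EXPECTED_ORIGIN)

def browser_client_data(origin: str, challenge: bytes) -> bytes:
    # Constructed stand-in for what the browser builds: it fills in the origin
    # of the page the user is actually on, not whatever the page claims.
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin}).encode()

if __name__ == "__main__":
    secret, now = b"12345678901234567890", 59       # constructed sample values
    challenge = b"constructed-challenge-0001"
    print("relayed TOTP accepted:", verify_totp(secret, totp(secret, now), now))
    for origin in (EXPECTED_ORIGIN, "https://login.example.com.lookalike.test"):
        ok = verify_client_data(browser_client_data(origin, challenge), challenge)
        print(f"assertion made on {origin}: accepted={ok}")
```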
mhayden
I know very little on the topic but anything SMS based just seems ridiculously insecure.
Prince_Ahmed
saw em off said:

Reading this article makes me wonder if authenticator apps and SMS are going to be a thing of the past. I knew SMS was the least secure 2FA. Anyone had experiences with YubiKeys and the like?
Wow, and I thought hardware tokens were a thing of the past - are we going back to 2004?

My last vendor that required a hardware is phasing them out this year.
CapCity12thMan
We use Google Authenticator and/or LastPass Authenticator for our MFA.
UmustBKidding
Obviously haven't been bitten by SIM swap. You are basically backwards; SMS is now likely one of the least secure.
KidDoc
We (docs) have to use a hardware authenticator as well as retyping our password to send controlled substances electronically. DEA requirement.

Mine is a little blue plastic thing called "exostar".