top of page
  • OCM Engineers

Hackers Can Bypass MFA! Protect Your Cloud with Passkeys

Most businesses rely on cloud-based productivity suites like Microsoft 365 or Google Workspace. These services store a treasure trove of critical business data, making them prime targets for cybercriminals.

The Scale of the Cloud Security Challenge

Unauthourised access to a cloud account

Traditional Protection Measures – Essential, But Not Enough

1. Strong, Unique Password

  • Avoid Common Words or Patterns: Dictionary words and simple patterns are easily cracked.

  • Length Matters: Aim for at least 12 characters.

  • Unique for Each Account: Never reuse passwords across different services.

  • Consider a Password Manager: Helps generate and store complex passwords.

2. Enable Multi-Factor Authentication (MFA)

  • Adds an Extra Layer: Requires an additional verification method beyond your password (e.g., code sent to your phone, authenticator app, or a fingerprint).

  • Makes Account Takeovers Harder: Significantly reduces the risk of unauthorised access even if your password is compromised.

3. Conditional Access Policies

  • Enforce Additional Conditions: Go beyond simple password + MFA. Restrict logins based on:

  • Location (block logins from unexpected countries)

  • Device health (block risky or unmanaged devices)

  • User risk level (elevate authentication if suspicious behavior is detected)

If you require assistance on hardening your Microsoft 365 or Google Workspace deployments, we are here to help.

4. Security Awareness Training

Image of phishing web addresses v legit addresses

5. Regular Security Updates

  • Patches: Install updates for applications and all operating systems promptly. These often address known vulnerabilities.

Additional Recommended Measures

  • Least Privilege Access: Grant users only the minimum permissions they need for their roles.

  • Enforce Security Policies across all your user accounts for mandatory enforcement.

  • Managed Endpoint Protection and Cloud Account Protection : OCM's Security Operations Centre offers 24/7 monitoring of your endpoint and access to you cloud accounts, taking immediate remedial actions if a breach is detected.

  • Data Backup: Implement robust backup plans to protect your data in case of a security incident. We offer backup solutions and disaster recovery options.

  • Use Chrome Browser with the new safe search real time protection enabled .

The Threat That Bypasses Your MFA : Cookie Hijacking

What is Cookie Hijacking?

Imagine a cookie as a little crumb of data left behind by a website you visit. These cookies hold information about your login session, making it easier to stay logged in when you revisit the site. However, malicious actors can steal these cookies and use them to impersonate you on the website, accessing sensitive data or performing unauthorised actions.

Here's a breakdown of cookie hijacking:

1. Logging In:  You visit a legitimate website (like your bank) and enter your login credentials. The website verifies your identity and creates a cookie containing a session ID or other information that confirms you're logged in.

2. Cookie Theft: Hackers can steal these cookies in a few ways. Sometimes, malicious software (malware) you unknowingly download can snatch them. In other cases, they might trick you into visiting a fake website that looks real but steals your cookie instead. These fake websites can be delivered through phishing emails or even hidden within seemingly legitimate ads. Once they have your cookie, It's like giving someone your house key without realising it!

3. Impersonation:  With the stolen cookie, attackers can access the website posing as you. The website recognizes the valid cookie and grants them access to your account!

4. MFA is not going to protect you! Two-factor authentication (2FA) or multi-factor authentication (MFA) is a great first line of defence, requiring a second verification step after your password, like a code sent to your phone. But here's the catch, Cookie hijacking steals the "already logged in" information. With the stolen cookie, attackers bypass the login screen altogether, rendering the additional verification step useless.

Here's a great 6 minute video showing you how cookie stealing works with Microsoft 365 accounts , using free downloadable tools that the attacker can use without needing any technical skills Credit Elliot Munro :-

How To Stop Cookie Theft and Phishing with Passkeys

Passkeys should now be your default security. , endorsed by Google , Microsoft , Apple , Amazon , Paypal , Ebay and many other providers.

Always start with basics :-

  • Scrutinise Emails: Phishing emails often try to trick you into clicking malicious links or visiting fake websites designed to steal cookies. Check sender addresses, be wary of urgent requests, and look for grammar errors.

  • Verify Website URLs: Before logging in, double-check that you're on the legitimate website. Look for misspellings in the address or anything suspicious.

  • Updates Matter: Keep your web browsers and operating systems updated - patches often fix security vulnerabilities.

  • Trusted WiFi: Avoid logging into sensitive accounts (like banking) on public Wi-Fi networks without a VPN.

  • Clear Your Cookies Periodically

Next start Using PASSKEYS with your cloud accounts.

  • Concept: A passkey is a new type of digital credential designed to replace traditional passwords.

  • Storage: Passkeys are typically stored securely on your device (computer, smartphone, or tablet).

  • Authentication: Uses cryptography (e.g., fingerprint or facial recognition) and communication with the website to confirm your identity.

  • Benefits:

  • Highly resistant to phishing attacks

  • No need to remember complicated passwords

  • Reduces the risk of data breaches since passkeys aren't stored on web servers.

Why Passkeys are more secure :-

  • Traditional 2FA/MFA Apps: These apps generate time-based codes (like Google or Microsoft Authenticator) that you enter alongside your password. While they add a layer of security, they don't inherently know if the website you're logging into is the real deal or a fake phishing site.

  • Biometric Security (Fingerprint, Face ID): Biometrics are convenient, but they mainly confirm your identity on your device. If a phishing site tricks you, you might still happily authorise the login with your fingerprint.

How Passkeys are Fundamentally Different:-

Passkeys leverage the FIDO2 protocol, which goes beyond simple authentication codes or confirming your identity alone. Here's the key difference:

  • Cryptographic Website Verification: During the setup process, a unique cryptographic key pair is generated between your device (or security key, see below) and the legitimate website. When you log in, the passkey won't transmit your login information unless the website can cryptographically prove its authenticity. A detailed explaination with video is here.

  • Fake Sites Can't Fool Your Passkey: A phishing site, no matter how convincing it looks, cannot fake the cryptographic verification. Your device or security key won't release the passkey to an illegitimate site, effectively stopping the login in its tracks.

Here's a breakdown of devices that can store and manage passkeys:

  • Computers (Windows & Mac):

  • Windows 10/11: Passkeys can be stored securely within the operating system and used with compatible hardware (fingerprint readers, facial recognition cameras).

  • macOS: Passkeys can be managed through the built-in iCloud Keychain, accessible across Apple devices.

  • Smartphones (Android & iOS):

  • Android: Passkeys are integrated into Google Password Manager or supported third-party password managers.

  • iOS: Passkeys are stored securely in the iCloud Keychain, syncing across iPhones, iPads, and Macs.

The Ultimate Defence: Physical Security Keys

Now, let's introduce the hero of this story: Passkeys stored on a Physical Security Device

Image of Physical Security Keys From PCMag

These small, USB-like devices offer a powerful defense against cookie hijacking and phishing attacks. Here's how they work with the FIDO2 protocol to keep your business secure:

  • Unique Keys, Secure Hardware: Unlike passwords, physical security keys store cryptographic keys within their secure hardware. It's nearly impossible for attackers to steal these keys remotely.

  • FIDO2 Verification:  FIDO2 is a communication standard used by security keys. During login, the key doesn't just verify your identity; it also verifies the website itself.

Once again, here's the magic:

  • A fake phishing website cannot impersonate the legitimate website to the security key. This is because the key cryptographically checks the website's authenticity before transmitting any login information.

Physical keys essentially eliminate the risk of blindly logging into a fake site, even if a cookie is stolen.

While many devices can store passkeys, physical security keys offer several unique advantages, especially in terms of security:

Superior Phishing Resistance:

  • Isolation from Malware: Physical keys are separate hardware devices not connected to your main operating system. Malware or viruses on your computer cannot access or steal passkeys stored within the secure chip of the security key.

Enhanced Physical Security:

  • Reduced Risk of Accidental Leaks: Passkeys stored on personal devices like phones or computers are vulnerable to data breaches or accidental leaks if the device itself is compromised. Physical keys are separate and require physical possession for use, adding another layer of protection.

  • Tamper-Resistant Hardware: Security keys are built with secure hardware elements that resist tampering or attempts to extract the stored passkey information.

Additional Benefits:

  • Universal Compatibility: Security keys with FIDO2 standard are designed to work with any website or service that supports FIDO2 authentication, offering broader compatibility.

  • Multi-Account Management: Most security keys can store passkeys for multiple accounts, eliminating the need for separate login information on each device

Benefits of Security Keys for SMEs:

  • Stronger Phishing Defense: Physical keys offer far superior protection against phishing attacks compared to passwords or MFA alone.

  • Reduced Reliance on Passwords: Eliminates the need for complex, memorable passwords, boosting security and user experience.

  • Easy Deployment: Security keys are relatively simple to set up and use, making them suitable for businesses of all sizes.

Conclusion and Takeaway.

invest in physical security keys for your SME to add a powerful layer of protection in today's ever-evolving cyber threat landscape.

As always OCM have walked the walk first. All our staff have Yubico Security keys protecting our accounts. We can help your business do the same. Please contact us for a free, no obligation, discussion.


Commenting has been turned off.
bottom of page