February 2025
Better Business Growth through Security
27/02/25 13:24

It's great seeing our customers grow.
We can see that growth through metadata. What we can also see through that metadata is how many malicious messages (phishing, malware, etc.) we block from ever reaching their mailboxes, and how many impersonation attacks (fake invoices and the like) are attempted against their customers. This is how we help them to grow their business: by reducing their losses to fraud and extortion, which frees up money to hire additional staff.
If you want to grow your business too, contact us at cyberwarden.io/contact
Why SMS OTPs are terrible, and Passkeys are great
21/02/25 12:46
Multi-Factor Authentication (MFA) is an absolute necessity in the modern world. Passwords just aren't enough on their own, mainly because of credential breaches, infostealer malware, and easily guessed or reused passwords.
MFA is usually one of a few types:
- SMS OTP
- Email OTP
- Application based HOTP/TOTP codes that change automatically
- Push based via an app
- Passkeys
Each type has its own merits. For example, SMS and email are fairly ubiquitous and don't require any specific software. App based methods like HOTP and TOTP have the advantage that the phone hosting the app can be offline. Push based methods can be super convenient, with just a simple yes/no answer or a short numeric code to confirm. Passkeys are the modern public-key based method (FIDO2/WebAuthn). Passkeys aren't necessarily MFA (they can totally replace passwords), but they are functionally similar to MFA, and are often referred to as "phishing resistant" because the credential is bound to the genuine site's origin, so it cannot be used on a lookalike domain, and there is no code that someone can pass on over the phone or be tricked into typing into a fake page.
You can read more about Passkeys at https://blog.google/inside-google/googlers/ask-a-techspert/how-passkeys-work/
In terms of security, I'd rank the methods as below (1 = best, 6 = worst):
1. Passkeys
2. Push based with a simple code (number matching)
3. Application based HOTP/TOTP
4. Push based (Yes/No)
5. SMS OTP
6. Email OTP
While having some form of MFA is always better than no MFA, in reality SMS and Email OTPs should be considered insecure, in that they can be intercepted without huge effort or expense. Watch this video on how SMS and voice can be intercepted via SS7: https://www.youtube.com/watch?v=wVyu7NB7W6Y . SMS codes are also routinely stolen through SIM swap attacks, where the attacker convinces the carrier to move the victim's number to a SIM the attacker controls. Email OTPs are easier still: a compromised mailbox, or a malicious forwarding rule left in one, hands the attacker every code sent to it. Another disadvantage of Email and SMS OTPs is that they can be delayed or blocked in transit, making these methods frustrating to use.
Yes/No based push authentication can be subject to timed attacks, where the attacker attempts to log in to a service at roughly the same time as the real user (such as at the start of the work day, when the user is logging into their systems and isn't paying too much attention to which prompt they are approving). The same weakness lets an attacker simply keep sending prompts until the user taps "Yes" to make them stop. Hence the move to the code based (number matching) push method, where the user must type the number shown on the login screen into the app.
Some TOTP/HOTP systems don't have any limits on retries, so a brute-force approach can work on those (this has been demonstrated recently). A six-digit code has only a million possible values, and a verifier that accepts codes from adjacent time steps to allow for clock skew has several valid codes at any moment, so without rate limiting or lockout an attacker can simply enumerate the code space.
For the above reasons, we don't recommend the use of methods 3-6 unless there is no other option. If you're forced to use one of these, then app based HOTP/TOTP is the best choice.
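The retry-limit point above, as an added example that is not part of the original post: a minimal RFC 4226/6238 HOTP/TOTP implementation, a server-side verifier that optionally locks after a number of failures, and a brute-force loop that enumerates the six-digit code space against each. The shared secret is the one from the RFC test vectors and the timestamp is constructed for the demonstration; the `TotpVerifier` and `brute_force` names are this example's own, not any product's API.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed test secret: the shared key from the RFC 4226 / RFC 6238 test vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier. max_attempts=None reproduces the 'no retry limit' failure mode."""

    def __init__(self, secret: bytes, max_attempts: Optional[int] = None,
                 step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.max_attempts = max_attempts
        self.step = step
        self.window = window      # accept +/- this many time steps of clock skew
        self.digits = digits
        self.failures = 0
        self._codes = {}          # counter -> code cache so the simulation below runs quickly

    @property
    def locked(self) -> bool:
        """True once the failure budget is spent (never, when max_attempts is None)."""
        return self.max_attempts is not None and self.failures >= self.max_attempts

    def _code_for(self, counter: int) -> str:
        if counter not in self._codes:
            self._codes[counter] = hotp(self.secret, counter, self.digits)
        return self._codes[counter]

    def verify(self, code: str, unix_time: int) -> bool:
        if self.locked:
            return False
        counter = unix_time // self.step
        # Any code from the skew window is valid, which multiplies the attacker's odds.
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(self._code_for(c), code):
                self.failures = 0
                return True
        self.failures += 1
        return False


def brute_force(verifier: TotpVerifier, unix_time: int, digits: int = 6) -> Optional[int]:
    """Submit every possible code in order; return attempts used, or None if locked out first."""
    for guess in range(10 ** digits):
        if verifier.locked:
            return None
        if verifier.verify(f"{guess:0{digits}d}", unix_time):
            return guess + 1
    return None


if __name__ == "__main__":
    now = 59  # RFC 6238 test time: counter 1, six-digit code 287082
    print("legitimate code:", totp(SECRET, now))
    print("no retry limit: cracked after", brute_force(TotpVerifier(SECRET), now), "attempts")
    print("5-attempt lockout:", brute_force(TotpVerifier(SECRET, max_attempts=5), now))
```

With no retry limit the loop finds a valid code after 287,083 guesses (the window makes three codes valid at once, and 287082 is the lowest of them); with a five-attempt lockout the same loop never succeeds. A real deployment would also throttle per account and per source address, and would treat repeated lockouts as a signal for the SOC.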
So What Should I Use?
Our recommendation is to move to Passkeys wherever possible, and if these aren't possible, use the next best method.
U.K. orders Apple to let it spy on users’ encrypted accounts
09/02/25 02:56
Secret back-doors never remain secret, and they are often exploited by threat actors. Just look at the recent issues with Chinese state actors abusing the lawful-intercept back-doors built into the US telecoms networks.
https://archive.is/EzboV
If Apple is being asked to do this, then so will all other major cloud storage vendors.
Of major concern is that many authenticator apps back up their data to a user's OneDrive/Google Drive/iCloud account (as do many password managers), so a back-door into the cloud account is a back-door into the second factor and the password vault as well.
If these accounts are compromised by adversaries (including nation states, competitors, and general ne'er-do-wells) then the implications are significant.