MFA products are not all that they are cracked up to be; a lot are cracked.Android malware can steal Google Authenticator 2FA codes!
A new version of the “Cerberus” Android banking trojan will be able to steal one-time codes generated by the Google Authenticator app and bypass 2FA-protected accounts. In a report published this week, security researchers from Dutch mobile security firm ThreatFabric say that by abusing accessibility privileges, the Trojan can now also steal 2FA codes from Google Authenticator application. When the app is running, the Trojan can get the content of the interface and can send it to the C&C server.
A recent post described a Chinese hacker group caught bypassing RSA SecurID: SMS pass codes have long been deprecated:
If only there was a Multi-factor Authentication Technology that did not rely on having fixed secrets…
This document summaries the reasons for the competing positioning dispositions of various Authentication methods and their associated Identity Management capabilities.
Written with the admitted selected bias of the author but the arguments are sound and defensible – click to download.