multi factor – MFA authentication to O365 – remote workers users without mobile phone. Which secure solution?

we are deploying O365 in my company (teams, sharepoint, exchange online, office suite). In order to connect outside our network (remote workers especially during this pandemic), we ve implemented MFA with MS authenticator and OTP with SMS. Some users use their professional phones, others their personal one to make this second factor authentication…but some do not have professional phones AND don’t want to use their personal ones for privacy. Giving them hard token is an issue for us as it s difficult to manage for logistics and support. We are thinking about soft tokens in the PC itself. Do you think it is secure enough? What are the solutions for soft token in a PC? What is the risk ? If there is a keylogger in the PC, even if the attacker is getting the password and the PIN for the soft token, how he can use it in another PC as the soft token was enrolled only in the first machine ?

More globally, if you have some documentation or hints to understand what are the attack vectors with several authentication methods to SAAS applications (personal device, professional device managed by the company & antivirus/EDR, laptop, PC, MFA w/ mobile SMS/authenticator OTP/Authenticator push), enrolled PC/mobile w/ intune,MFA w/ soft token in the laptop and additional certificate in the PC…), I am more than interested 🙂

Thanks to all, and it is my first post 🙂

Big Sur Add trusted certificate via command line (Safari Can’t establish a secure connection)

I am trying to have safari stop preventing me from visiting one of my dev machines with an invalid cert.

I am trying to use the solution in This Thread but install it using the CLI:

   security add-trusted-cert  -r trustRoot  -k ~/Library/Keychains/login.keychain-db /tmp/test.cert

I am still receiving the “Safari Can’t Open the Page because Safari can’t establish a secure connection to the server” error.

I want it to be applied to the user so I don’t want to do the -d flag. And I know I am correctly downloading the cert because if I add the certificate and trust it through the OSX GUI, it works fine.

Another interesting note is that this solution works for my brave and firefox browsers, so it’s just safari that is giving me grief, but even safari works when I add the downloaded cert via the GUI.

iphone – What i need to do to backup and secure my mobile data before sending it to repair

I have iPhone 11 and its screen was broken, so I will send it to an authorized reseller for Apple. but before doing so I will remove all the data I have these data include; photos, videos, apps (mail app, WhatsApp, and other apps).

so I have these 2 questions:-

  1. Is there a way to backup all my data and apps and to be able to restore them after getting my mobile fixed?

  2. How I can securely remove the data inside my phone, so it can not be recovered when I send it to the technician?

Thanks

authentication – Are security keys with touch requirements more secure than those without?

My friends and I have worked at various tech companies which required us to use a security key in order to login to our computers. Some of us had to physically “touch” the device to login, while some of us at other companies did not need to touch our key.

Does the addition of having to touch the security key add any additional security? If so, how? If not, what is the purpose of it?

chrome – Are saved passwords in browsers secure, when stored online?

As with pretty much everything that is managed by cloud providers, secrets management as a service is susceptible to hacking attacks, HOWEVER, I would trust Mozilla’s and Google’s secure secrets management capability and infrastructure security in general much more than keeping those secrets on tools running on my machine.

To your last question, all major cloud providers offer you the capability of complete deletion of sensitive information they store, and are legally bound to fulfil that obligation when you are using their products.

desktop – Are Linux distributions that use musl as the standard C library more secure?

It seems that musl based Distros are more minimal and lightweight. Examples are Void Linux and Alpine Linux. Lots of packages only available for glibc based systems.

But, are Linux distributions (for Desktop usage) that use musl as the standard C library more secure?

Thread model is a command line prefered Desktop user which owns some crypto (in a software wallet).

passwords – Does offline OTP system really secure?

I know that OTP(One time password) system is most secure method for now if online.

Online OTP system like sending code message to phone is secure because attacker cannot know the code if he don’t still phone or intercept content of message.

However, offline OTP looks not secure so much. Because it doesn’t need network connection so server and client should share a same algorithm to make some code. Maybe they use some public key that shared between server and client and timestamp.

it’s not so different with using just password. If attacker know the public key, he can use the key with algorithm and make same OTP code with his local system.

I’m not sure the offline OTP system is secured. How do you think about it?

disk encryption – Is it secure to automatically unlock encrypted system drive using the TPM PCR values?

A simple way of automatically decrypting system drive at boot time:

clevis luks bind -d /dev/yourdrive tpm2 '{"pcr_ids":"4,5"}'

systemctl enable clevis-luks-askpass.path

When I booted another OS on the same machine, tpm2_pcrread listed mostly identical PCR values, except for 4 and 5. I understand that PCR 4 is a hash of the MBR and partitioning data, and PCR 5 is generated by the code in MBR. Besides, it’s an EFI system.
If an attacker makes a copy of the entire disk, can he generate the PCR 4 value by hashing the stolen MBR and partitioning data?

security – How to compare passwords which is stored in DB in encrypted form in secure way?

Recently In an interview I was asked this question –
Question- If are storing passwords in encrypted format in DB and in future when user login into our website how will we perform authentication?

Me:-we will first first encrypt the password using same hash function then compare it with already stored password.

Interviewer:- But if someone breaks into our system and find out our hash function which is same for all then he can easily access customer’s password.

Me-: We can create a hash function based on User-id. So everytime we are not using same hash function.

Interviewer- But this means app knows the user original password which is against User Privacy , even the app should not be know user’s password.

Me- I don’t know 🙁

Interviewer- Rejected!!!

Anyone here knows the solution of this question?