
// #fido2

2 articles

🔑 IAM

OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA

OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.

#openai +7
🔑 IAM

AI-Powered Device Code Phishing Bypasses MFA at Hundreds of Organisations

A phishing campaign is abusing the OAuth 2.0 device authorisation grant to obtain Microsoft 365 access tokens while victims complete entirely genuine MFA challenges: the attacker starts the flow, lures the victim into entering the short user code at the real Microsoft sign-in page, and the token is then issued to the client that initiated the flow, which is the attacker's. Hundreds of organisations have been compromised. FIDO2 passkeys stop proxy-based AiTM phishing, but in this flow the sign-in happens at the genuine origin, so push notifications, TOTP and SMS codes are all satisfied and no MFA method on its own prevents the token being issued. Organisations should block the device code grant in Conditional Access immediately.
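The flow described above, as an added illustration that is not code from the article or from Microsoft: an in-memory stand-in for an identity provider implementing the three legs of RFC 8628 (device authorization, user sign-in at the genuine verification URI, token polling). Endpoint names, the `DeviceCodeIdP` class and the `allow_device_code_grant` switch are assumptions made for the example; the switch models a tenant policy that refuses the grant, which is where Conditional Access intervenes.

```python
"""Mock of the OAuth 2.0 device authorization grant (RFC 8628), showing why
phishing through it survives MFA of any kind: tokens go to whichever client
started the flow, not to whoever completed the sign-in. All names here are
illustrative; this is not Microsoft Entra's real implementation."""
import secrets
import string
import time


class DeviceCodeIdP:
    def __init__(self, allow_device_code_grant=True):
        self.allow_device_code_grant = allow_device_code_grant
        self.pending = {}       # device_code -> flow state
        self.by_user_code = {}  # user_code -> device_code

    def device_authorization(self, client_id):
        """Leg 1: the client (here, the attacker's machine) asks for codes.
        A policy that blocks the grant refuses at this point (simplified:
        real Conditional Access evaluates during the user's sign-in)."""
        if not self.allow_device_code_grant:
            return {"error": "unauthorized_client"}
        device_code = secrets.token_urlsafe(32)
        user_code = "-".join(
            "".join(secrets.choice(string.ascii_uppercase) for _ in range(4))
            for _ in range(2))
        self.pending[device_code] = {"client_id": client_id,
                                     "user_code": user_code,
                                     "approved_by": None,
                                     "expires": time.time() + 900}
        self.by_user_code[user_code] = device_code
        return {"device_code": device_code, "user_code": user_code,
                "verification_uri": "https://idp.example/devicelogin",
                "interval": 5}

    def user_completes_sign_in(self, user_code, username, authenticated_with):
        """Leg 2: a human types the user code at the *genuine* IdP and signs in.
        Every MFA method passes here because the IdP is real: no origin check
        fails for a passkey and no OTP is being relayed through a proxy."""
        device_code = self.by_user_code.get(user_code)
        if device_code is None:
            return "invalid_user_code"
        if authenticated_with not in {"password+totp", "password+push", "fido2"}:
            return "mfa_required"
        self.pending[device_code]["approved_by"] = username
        return "approved"

    def token(self, device_code):
        """Leg 3: the initiating client polls and, once approved, receives a
        token for whichever user signed in."""
        entry = self.pending.get(device_code)
        if entry is None or entry["expires"] < time.time():
            return {"error": "expired_token"}
        if entry["approved_by"] is None:
            return {"error": "authorization_pending"}
        return {"access_token": f"tok-for-{entry['approved_by']}",
                "issued_to_client": entry["client_id"],
                "grant": "urn:ietf:params:oauth:grant-type:device_code"}


def run_phish(allow_grant=True, victim_mfa="fido2"):
    """Replays the campaign end to end; victim_mfa is the method the lured
    user completes at the genuine sign-in page."""
    idp = DeviceCodeIdP(allow_device_code_grant=allow_grant)
    resp = idp.device_authorization(client_id="attacker-laptop")
    if "error" in resp:
        return resp["error"]
    # Lure (constructed): "Join the meeting: open <verification_uri> and enter <user_code>"
    idp.user_completes_sign_in(resp["user_code"], "alice@victim.example", victim_mfa)
    return idp.token(resp["device_code"])


if __name__ == "__main__":
    print(run_phish(victim_mfa="fido2"))      # token for alice, issued to attacker-laptop
    print(run_phish(allow_grant=False))       # unauthorized_client
```

Run it with `victim_mfa` set to any of the three methods and the attacker's client still receives `tok-for-alice@victim.example`; only the policy that refuses the grant changes the outcome, which is the point of the Conditional Access recommendation.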

#phishing +9

Commentary tagged #fido2

Opinion

TOTP MFA Is Security Theatre and We Need to Admit It

Adversary-in-the-Middle toolkits that defeat time-based one-time passwords are commercially available for under £400. The security industry's continued recommendation of TOTP as meaningful phishing protection is not a minor technical nuance — it is a significant misrepresentation of what MFA actually protects against in 2026.
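What the editorial describes, as an added simulation (not code from CipherWatch or any named toolkit): an AiTM proxy sits between victim and site, forwards the TOTP code the victim types within its validity window, and the real site accepts it; the same proxy cannot obtain a passkey assertion for the real site, because the browser refuses to use a credential whose rpId does not match the phish page's domain and the relying party checks the origin inside clientDataJSON. The TOTP routine follows RFC 6238; the WebAuthn half models the browser and RP checks, with an HMAC standing in for the authenticator's private-key signature. `RP_ID`, the phishing origin, the seed and key bytes are constructed for the example.

```python
"""AiTM relay against TOTP versus an origin-bound WebAuthn assertion.
TOTP is real (RFC 6238, HMAC-SHA1). The WebAuthn side models the checks that
matter for phishing resistance; HMAC stands in for the ECDSA signature."""
import hashlib
import hmac
import json
import struct

SHARED_SECRET = b"12345678901234567890"   # constructed demo seed (RFC 6238 test key)
RP_ID = "login.example"                   # the genuine site, constructed
CRED_KEY = b"authenticator-private-key-stand-in"


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 code for Unix time t."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def rp_verify_totp(code: str, t: int) -> bool:
    """Typical server tolerance: current step plus one either side."""
    return any(hmac.compare_digest(code, totp(SHARED_SECRET, t + d)) for d in (-30, 0, 30))


def aitm_relay_totp(code_typed_on_phish_page: str, t: int) -> bool:
    """The proxy just forwards what the victim typed; nothing binds the code
    to the page it was typed into, so the real site accepts it."""
    return rp_verify_totp(code_typed_on_phish_page, t)


def browser_get_assertion(page_origin: str, requested_rp_id: str, challenge: str):
    """Browser half of navigator.credentials.get(): rpId must equal the page's
    effective domain or be a registrable suffix of it, and the true origin is
    written into clientDataJSON regardless of what the page claims."""
    host = page_origin.split("://", 1)[1]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise PermissionError("SecurityError: rpId is not valid for this origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, sort_keys=True).encode()
    # authenticatorData: rpIdHash (32) | flags UP (1) | signCount (4)
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CRED_KEY, signed, hashlib.sha256).digest()   # stand-in for ECDSA
    return client_data, auth_data, sig


def rp_verify_assertion(client_data: bytes, auth_data: bytes, sig: bytes,
                        expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn verification procedure that
    defeat relay: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != "https://" + RP_ID:
        return False
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    expected = hmac.new(CRED_KEY, auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    return hmac.compare_digest(sig, expected)


def aitm_relay_passkey(phish_origin: str = "https://login-example.evil") -> str:
    """The proxy obtains a real challenge and tries to get a usable assertion
    from the victim's browser while the victim is on the phish page."""
    challenge = "c-" + hashlib.sha256(b"server-nonce").hexdigest()[:16]   # constructed
    try:   # ask for the genuine rpId from the phish origin: browser refuses
        browser_get_assertion(phish_origin, RP_ID, challenge)
        return "browser_allowed"
    except PermissionError:
        pass
    # fall back to an assertion minted for the phish page's own domain:
    # the RP rejects it on origin and rpIdHash before looking at the signature
    phish_host = phish_origin.split("://", 1)[1]
    cd, ad, sig = browser_get_assertion(phish_origin, phish_host, challenge)
    return "rp_rejected" if not rp_verify_assertion(cd, ad, sig, challenge) else "rp_accepted"


def legitimate_passkey_login(challenge: str = "c-legit") -> bool:
    cd, ad, sig = browser_get_assertion("https://" + RP_ID, RP_ID, challenge)
    return rp_verify_assertion(cd, ad, sig, challenge)
```

The first half is the toolkit's whole trick: a six-digit code is just a string, so relaying it inside its thirty-second window is enough. The second half is why the same proxy gets nothing from a passkey: it never sees a signature it can replay, and a signature it could mint carries the wrong origin.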

CipherWatch Editorial

Security Intelligence Platform