// #mfa
6 articles
DBIR 2026 Identity Chapter: Credential Theft Remains Dominant, MFA Bypass Techniques Accelerating
The identity and credential findings from Verizon's 2026 DBIR show that stolen credentials remain the most common enabler of breaches across all sectors, used in 44% of analysed incidents. More troubling: the DBIR documents a significant increase in MFA bypass techniques — adversary-in-the-middle phishing toolkits, SIM swapping, and push notification fatigue attacks that defeat MFA as commonly deployed.
Healthcare Ransomware and Identity: The IAM Controls That Limit Gentelman's Blast Radius
The Gentelman ransomware group gains initial access through RMM vulnerabilities, but its ability to encrypt an entire healthcare network depends on how identity and access management is configured. Strong IAM controls — privileged access segmentation, MFA enforcement on administrative accounts, and service account restrictions — significantly limit what a ransomware operator can encrypt once inside the perimeter.
Pwn2Own Week Exposes the Limits of Identity as a Security Control — What IAM Teams Should Review
The week of 12–18 May 2026 produced two distinct scenarios where identity controls — Conditional Access, MFA, and Zero Trust enforcement — provided no meaningful protection: Exchange Server-side RCE (operating below the authentication layer) and Exchange OWA session hijacking (stealing tokens after authentication). Both are active or imminent threats. Both require defences that go beyond the identity layer.
Why Exchange SYSTEM RCE Bypasses Conditional Access and MFA: The Authentication Architecture Problem
The Exchange SYSTEM RCE chain demonstrated by DEVCORE at Pwn2Own Berlin 2026 achieves code execution at the operating system level, bypassing all identity controls including Conditional Access policies, MFA requirements, and Azure AD authentication entirely. Understanding why server-side RCE renders identity controls irrelevant is essential for accurate risk assessment.
OpenAI Launches Advanced Account Security Programme with Mandatory Phishing-Resistant MFA
OpenAI has announced an opt-in Advanced Account Security programme for high-risk users — journalists, human rights advocates, executives, and researchers — offering phishing-resistant FIDO2 hardware key and passkey authentication, stricter account recovery controls, and session compromise mitigations. The programme, developed in partnership with Yubico, acknowledges that standard MFA is insufficient against sophisticated phishing and AiTM attacks targeting OpenAI accounts with access to sensitive workflows.
Microsoft Entra Passkeys Rolling Out to All Windows Devices — Phishing-Resistant MFA Now Generally Available
Microsoft has begun rolling out Entra passkey support to managed, unmanaged, and shared Windows devices, with general availability set for mid-June 2026. Passkeys close the credential-phishing gap that conventional passwords, SMS codes, and TOTP leave open, and enterprise deployment is now achievable at scale through existing Conditional Access policies.