
Is Facial Recognition Classified as a Passkey?

Explore if facial recognition meets the criteria to be classified as a passkey. Understand the security, usability, and standards implications for passwordless authentication.

The post Is Facial Recognition Classified as a Passkey? appeared first on Security Boulevard.

NHL warns top players will not show up for Winter Olympics if venue is unsafe

10 December 2025 at 14:15
  • Construction delays have beset ice hockey arena in Milan

  • ‘If the ice isn’t ready, we’re not going,’ NHL deputy warns

The NHL says it is “disappointing” that the main ice hockey venue for the Winter Olympics will not be ready until the new year – and warned that its top players will not show up unless the ice is shown to be safe.

The men’s and women’s tournaments are expected to be among the highlights of the 2026 Milan-Cortina Games with the NHL stars showing up for the first time since 2014.


© Photograph: Daniele Mascolo/Reuters


‘It’s a breach of trust’: fear and frustration over countries’ push to return Syrians home

10 December 2025 at 11:46

Syrians who have rebuilt their lives abroad face uncertainty over their futures amid hardening of attitudes

Tears of joy streamed down Abdulhkeem Alshater’s face as he joined thousands of other Syrian nationals in central Vienna last year. The moment they were marking felt like a miracle: after more than five decades of brutality and repression, the Assad regime had fallen.

A day later, however, the ripple effects of what had happened 2,000 miles away in Syria were laid bare. A dozen European states announced plans to suspend asylum applications from Syrians, in a show of how western states are increasingly treating refugees as transients. As the fall of Bashar al-Assad collided with politicians’ quest to be seen as taking a hard line on migration, the lives of Syrians around the globe were plunged into uncertainty.


© Photograph: Omer Messinger/Getty Images


All 187,460 Miles of Road That Led to Rome, Mapped

9 December 2025 at 03:00
A digital atlas of ancient Rome’s highways and byways reveals a road network that was more extensive than thought.

© Jonathan Corum/The New York Times


Attackers have a new way to slip past MFA in educational orgs

3 December 2025 at 10:44

Researchers are warning about a rise in cases of attackers using Evilginx against educational institutions to steal session cookies, which lets them bypass the need for a multi-factor authentication (MFA) token.

Evilginx is an attacker-in-the-middle phishing toolkit that sits between you and the real website, relaying the genuine sign-in flow so everything looks normal while it captures what it needs. Because it sends your input to the real service, it can collect your username and password, as well as the session cookie issued after you complete MFA.

Session cookies are temporary files websites use to remember what you’re doing during a single browsing session, like staying signed in or keeping items in a shopping cart. They are stored in the browser’s memory and are automatically deleted when the user closes their browser or logs out, making them less of a security risk than persistent cookies. But with a valid session cookie the attacker can keep the session alive and continue as if they were you, which on a web shop or banking site could turn out to be costly.

Attack flow

The attacker sends you a link to a fake page that looks exactly the same as, for example, a bank login page, web shop, or your email or company’s single sign-on (SSO) page. In reality, the page is a live proxy to the real site.

Unaware of the difference, you enter your username, password, and MFA code as usual. The proxy relays this to the real site which grants access and sets a session cookie that says “this user is authenticated.”

But Evilginx isn’t just stealing your login details, it also captures the session cookie. The attacker can reuse it to impersonate you, often without triggering another MFA prompt.

Once inside, attackers can browse your email, change security settings, move money, and steal data. And because the session cookie says you’re already verified, you may not see another MFA challenge. They stay in until the session expires or is revoked.
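Seen from the service's side, the reuse described above appears as one session ID that is suddenly presented by a different client than the one it was issued to. The following added example (not part of the original article) flags that pattern in constructed access-log lines; the pipe-separated log format, the IPv4-only /24 grouping and the rule "network and browser both changed" are assumptions chosen for illustration.

```python
# Constructed sample log: timestamp|session id|client IP|user agent|request.
# Format and all values are made up for this example (documentation IP ranges).
SAMPLE_LOG = """\
2025-12-03T09:00:01Z|sess-a1|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Firefox/145.0|POST /login/mfa
2025-12-03T09:00:05Z|sess-a1|198.51.100.7|Mozilla/5.0 (Windows NT 10.0) Firefox/145.0|GET /mail/inbox
2025-12-03T09:02:40Z|sess-b2|203.0.113.20|Mozilla/5.0 (Macintosh) Safari/605.1|POST /login/mfa
2025-12-03T09:03:10Z|sess-b2|203.0.113.21|Mozilla/5.0 (Macintosh) Safari/605.1|GET /mail/inbox
2025-12-03T09:07:12Z|sess-a1|192.0.2.44|Mozilla/5.0 (X11; Linux x86_64) Chrome/142.0|GET /account/security
"""

def network(ip):
    """Coarse IPv4 network key (/24) so ordinary address churn is tolerated."""
    return ".".join(ip.split(".")[:3])

def find_session_reuse(log_text):
    """Return one alert per session later used from a different network AND browser."""
    first_seen = {}   # session id -> (network, user agent) at first sighting
    flagged = set()
    alerts = []
    for line in log_text.strip().splitlines():
        ts, sid, ip, ua, request = line.split("|", 4)
        if sid not in first_seen:
            first_seen[sid] = (network(ip), ua)
            continue
        issued_net, issued_ua = first_seen[sid]
        # Requiring both to differ keeps roaming users and browser updates quiet.
        if network(ip) != issued_net and ua != issued_ua and sid not in flagged:
            flagged.add(sid)
            alerts.append({"session": sid, "time": ts, "ip": ip, "request": request})
    return alerts

def sessions_to_revoke(log_text):
    """Session IDs that should be invalidated server-side and re-challenged with MFA."""
    return sorted(a["session"] for a in find_session_reuse(log_text))

if __name__ == "__main__":
    for alert in find_session_reuse(SAMPLE_LOG):
        print("possible session replay:", alert)
```
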

Banks often add extra checks here. They may ask for another MFA code when you approve a payment, even if you’re already signed in. It’s called step-up authentication. It helps reduce fraud and meets Strong Customer Authentication rules by adding friction to high-risk actions like transferring money or changing payment details.

How to stay safe

Because Evilginx proxies the real site with valid TLS and live content, the page looks and behaves correctly, defeating simple “look for the padlock” advice and some automated checks.

Attackers often use links that live only for a very short time, so they disappear again before anyone can add them to a block list. Security tools then have to rely on how these links and sites behave in real time, but behavior‑based detection is never perfect and can still miss some attacks.

So, what you can and should do to stay safe is:

  • Be careful with links that arrive in an unusual way. Don’t click until you’ve checked the sender and hovered over the destination. When in doubt, feel free to use Malwarebytes Scam Guard on mobiles to find out whether it’s a scam or not. It will give you actionable advice on how to proceed.
  • Use up-to-date real-time anti-malware protection with a web component.
  • Use a password manager. It only auto-fills passwords on the exact domain they were saved for, so it usually refuses to do this on look‑alike phishing domains such as paypa1[.]com or micros0ft[.]com. But Evilginx is trickier because it sits in the middle while you talk to the real site, so this is not always enough.
  • Where possible, use phishing-resistant MFA. Passkeys or hardware security keys, which bind authentication to your device, are resistant to this type of replay.
  • Revoke sessions if you notice something suspicious. Sign out of all sessions and re-login with MFA. Then change your password and review account recovery settings.

Pro tip: Malwarebytes Browser Guard is a free browser extension that can detect malicious behavior on web sites.

