[andrew_]

I'd like to know more about these tools. That there's at least one which can bypass a user's 2FA settings without notification suggests that there are additional tools in the same vein.

[ma2rten]

Google requires its employees to use a security key for access to all internal systems including admin tools, source code and email. Every since google started enforcing this policy the number of successful phishing attacks has gone down to basically zero.

[londons_explore]

I believe the Twitter attack involved tricking a user into installing proxy software on their machine (to be in twitter's internal network).

If that is the case, that same proxy software could proxy the security key requests too.

[tdhoot]

That can be prevented by restricting the software that can be installed on employee machines.

[c00ls0sa]

WFH has caused many companies to ease up on restrictions involving location, ip, and sometimes a broader need for software. Granted, nobody should be this easy to bamboozle, but I get why now more than ever this may have been an issue.

[Thorrez]

If there's malware involved I don't consider that phishing. Although some would debate that.

[Thorrez]

Did you reply to the right comment?

[spullara]

Every network has to have tools to do that. How else will they enforce the laws they are required to enforce?

[cmelbye]

Those legal requests aren’t serviced with a password reset in order to log into the account. It seems more likely that there’s an internal tool to help people who have lost their second factor, but that’s just a guess.

[Thorrez]

>without notification

Are you sure there wasn't a notification?