
The Trust Briefing May 2026

Issue 2 | May 2026

This month: Our EVP of Technology gives us a deep dive into C2PA, including what it is, how it works, and why it’s needed for businesses today among trust-scarce consumers.

Plus: NIST revs up PQC protection, potential vulnerabilities in Windows Phone Link, and what our team learned at NAB 2026.

From the Desk of Dustin Ward, SSL EVP of Technology:

The SSL team recently attended the NAB Show 2026 in Las Vegas. Based on conversations I had there, I noticed a clear gap in how people currently think about Content Credentials, content authenticity, and provenance.

I realized how important it is to help people understand exactly what C2PA is, how it can benefit the digital trust ecosystem, and how it protects an organization’s branded media in general. 

I decided to put pen to paper and am sharing this first installment of a series that will dive into everything surrounding C2PA and hopefully bring some clarity by explaining what it is, why it matters, and how it works, so there will be a complete understanding across the board, from the most strategic to the most technical stakeholders.  

If you’re interested in learning more about what C2PA is, take a look at my latest blog post.

Recent News: The Latest from the Digital Trust Landscape

NIST advances nine post-quantum signature algorithms to secure data from quantum attacks – NIST has moved nine post-quantum digital signature algorithms into the third and final round of its standardization process, continuing a years-long effort to replace today’s encryption standards before quantum computers become powerful enough to break them. Full story

College student hacks Taiwan high-speed rail line with software-defined radios – A 23-year-old college student in Taiwan halted four high-speed rail trains for 48 minutes by broadcasting a false General Alarm signal, exploiting a radio communications system that had gone 19 years without rotating its cryptographic key. Full story

Claude Code execution risk exposed – Researchers at Adversa AI disclosed a vulnerability called “TrustFall,” in which opening a malicious repository in AI coding tools, such as Claude Code, can silently execute attacker-supplied code on a developer’s machine with little to no user interaction. Full story.

Implementation Spotlight: Practical Solutions for Real-World Challenges

When 2FA Becomes a Liability: The CloudZ Attack on Windows Phone Link

Most organizations that deploy SMS-based two-factor authentication believe they have added a meaningful layer of security. A campaign uncovered by Cisco Talos in early 2026 demonstrates how quickly that assumption can be turned against them.

At the heart of the operation are a remote access tool called CloudZ and a previously undocumented plugin named Pheno, which work together to harvest credentials and intercept authentication codes synced from a paired smartphone. The attack does not exploit a flaw in Windows so much as a feature. By abusing Windows Phone Link, a legitimate cross-device syncing functionality built into Windows 10 and 11, attackers can bypass 2FA entirely, eliminating an identity authentication step many users believe keeps their accounts secure, and doing so without ever touching the mobile device itself.

The business impact: Once inside, the attacker gains browser credentials, file access, screen recording capability, and the ability to intercept OTP codes in real time, all while the targeted organization believes its MFA is functioning as intended. However, the deeper problem is structural: SMS-based 2FA distributes authentication across channels, devices, and local files, none of which any single team fully controls. In enterprise environments, that fragmentation multiplies the attack surface with every user who has Phone Link active on their workstation. 

What would have prevented it: The remedy is not better SMS monitoring. Rather, certificate authentication is an alternative to SMS authentication. This may be a better fit for some customers as there is no OTP message to intercept, no database file to raid, and no Phone Link bridge to exploit. If authentication occurs at the certificate level, a compromised Windows endpoint yields an attacker nothing useful. For organizations that need to deploy certificates at scale, SSL’s Private Enterprise PKI provides the infrastructure to issue, manage, and revoke certificates centrally, without relying on shared public infrastructure or the fragile SMS delivery chain that this attack exploited. 

The broader lesson: MFA bypass is becoming a larger part of the compromise chain as more organizations deploy it across a wider range of accounts. Attackers are not breaking MFA. They are routing around it by targeting the delivery mechanism. SMS OTPs travel through channels, sync to devices, and get written to local files, each of which is a potential interception point. Certificate-based authentication eliminates the channel entirely. 

Source: https://www.darkreading.com/cyberattacks-data-breaches/attacks-abuse-windows-phone-link-texts-bypass-2fa 

Past and Upcoming Events: Conferences, Standards Meetings, and more

The SSL Team’s Daily Journal from The CSC Trust Without Borders Summit 2026

Our team’s updates and insights are straight from the summit’s venues, focusing on digital trust across borders, jurisdictions, and regulatory frameworks. Discover what they had to say and how these vital findings may impact the future of global interoperability. Read here

Highlights from the 2026 NAB Show

SSL attended the annual NAB Show in Las Vegas from April 18-22, 2026, to advance our messaging about media authenticity through C2PA. The conference welcomed more than 58,000 registered attendees who had access to more than 530 conference sessions featuring over 600 speakers from across the global media and entertainment ecosystem.

Read the full article about what our team learned and why content provenance should now become a broadcast industry priority.

Upcoming:

June 16-18, 2026 – Unify 2026. Held in Austin, Texas. SSL is a proud sponsor of the event hosted by the Connectivity Standards Alliance, designed to showcase the latest in IoT innovation. Follow us on LinkedIn to see our updates, booth location, how to connect with our team, and more.  

June 2026 – Upcoming webinar, “Beyond the Spec: Building Real Trust Into C2PA,” hosted by Dominique Guinard, SSL Director of Product – Content Authenticity and IoT. This webinar is for C2PA adopters who’ve already connected the standard to their work and want to go deeper on what production-grade trust requires. We’ll focus on how to make Content Credentials more trustworthy, durable, and interoperable in practice, drawing on SSL.com’s trust-anchor work (certificate roots, trusted timestamps, durable provenance chains) and the practitioner perspectives of teams shipping on C2PA today.

Quick Links: Guides, Articles, and Industry Resources

Have questions about any of these topics or want to discuss your digital trust solutions with our experts? Reach out to us below:

 
