Two Factor Failure

Presented at Black Hat Europe 2014, Oct. 17, 2014, 9 a.m. (30 minutes)

Two Factor Authentication (2FA) systems are required by security standards, help to solve the many weaknesses of password authentication, and are increasingly found both in enterprise systems and in general web applications.

Unfortunately, many 2FA systems have vulnerabilities - some glaring, some more subtle - and 2FA systems have frequently sacrificed security to be more usable.

We will demonstrate the vulnerabilities of various 2FA systems, including a new form of attack against mobile phone based TOTP (RFC 6238) systems, and describe best practices for deploying 2FA of various types.


Presenters:

  • Ryan Lackey - CloudFlare, Inc.
    Ryan Lackey is Principal in the Security Practice at CloudFlare, the edge network security and performance company, based in San Francisco, CA. Previously, he co-founded HavenCo, the world's first offshore datahaven, located in the North Sea, and then moved to Iraq and Afghanistan, where he ran a satellite networking company and worked with the US military, other governments, and commercial businesses. He then founded CryptoSeal, a Y Combinator-funded trusted computing and infrastructure security company, which was purchased by CloudFlare in June, 2014.
