The Inmates Are Running the Asylum – Why Some Multi-Factor Authentication Technology is Irresponsible


Presented at AppSecUSA 2015 by

Outline:
- Define multi-factor authentication
- Describe the current state of the technology
- Describe key problems
  o 2D fingerprints, other already-hacked biometrics
  o QR codes
  o SMS OTP (subject to MITM)
  o JavaScript requirements
  o Weak account recovery methods
  o Lack of mobile device risk analysis, not using OWASP Mobile Top 10 Risks for mobile
  o Encryption with backdoors
- Recipe for what you can do

As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs. Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable? It is easy to reset a password. It is hard to reset fingerprints. Why are there over 200 multi-factor authentication vendors? Why is multi-factor authentication so expensive? Are there open source alternatives? What is the FIDO Alliance? Is it marketing hype or great standards? Unfortunately, the current multi-factor technology offerings reflect evolutionary slip-slide, not quantum leaps forward. However, one or two technologies show promise.