AppSecUSA 2015
Thursday, September 24 • 11:30am - 12:25pm
The Inmates Are Running the Asylum – Why Some Multi-Factor Authentication Technology is Irresponsible


- Define multi-factor authentication
- Describe the current state of the technology
- Describe key problems
  - 2D fingerprints and other already-hacked biometrics
  - QR codes
  - SMS OTP (subject to MITM)
  - JavaScript requirements
  - Weak account recovery methods
  - Lack of mobile device risk analysis (not using the OWASP Mobile Top 10 Risks for mobile)
  - Encryption with backdoors
- Recipe for what you can do

As German defense minister Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs. Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable?

It is easy to reset a password. It is hard to reset fingerprints.

Why are there over 200 multi-factor authentication vendors? Why is multi-factor authentication so expensive? Are there open source alternatives? What is the FIDO Alliance? Is it marketing hype or great standards?

Unfortunately, the current multi-factor technology offerings reflect evolutionary slip-slide, not quantum leaps forward. However, one or two technologies show promise.

Clare Nelson

CEO, ClearMark Consulting
Clare lives at the nexus of security, privacy, and identity. Her middle name is MFA, and she loves all things identity. She forges identity solution roadmaps and tracks emerging technologies, especially in light of GDPR and PSD2. She recently evaluated 200+ MFA vendors, resulting...

Thursday September 24, 2015 11:30am - 12:25pm PDT
Room A