AppSecUSA 2015

Outline:
- Define multi-factor authentication
- Describe the current state of the technology
- Describe key problems
o 2D fingerprints, other already-hacked biometrics
o QR codes
o SMS OTP (subject to MITM)
o JavaScript requirements
o Weak account recovery methods
o Lack of mobile device risk analysis, not using OWASP Mobile Top 10 Risks for mobile
o Encryption with backdoors
- Recipe for what you can do

As German defense minister, Ursula von der Leyen can attest, fingerprints can be hacked, even from photographs. Facial and other biometrics can also be hacked. Why, then, is biometric-based authentication so fashionable?

It is easy to reset a password. It is hard to reset fingerprints.

Why are there over 200 multi-factor authentication vendors? Why is multi-factor authentication so expensive? Are there open source alternatives? What is the FIDO Alliance? Is it marketing hype or great standards?

Unfortunately, the current multi-factor technology offerings reflect evolutionary slip-slide, not quantum leaps forward. However, one or two technologies show promise.