WTF, 2FA!? - Y U No Protect Me?, by Christine Seeman

Abstract: An exploration of two-factor authentication from a developer's perspective. It is difficult to find two-factor implementation best practices, so attendees will come out of this talk having learned the trials and tribulations of a real-life implementation of two-factor authentication, why SMS-based authentication is by far the least secure option, and why two-factor is not the security bandage it is billed to be.

Detailed Description: I just got through implementing two-factor in a web-based Ruby/Rails application, and this paper will be a look into my lessons learned to help future developers and information security professionals. When you search for information on two-factor authentication, what usually turns up is generic advice that it is a good idea to make sure it is enabled. That is not enough for someone who actually needs to implement it or evaluate its security. The general structure of the talk would be:

  • Two-factor authentication is a great security practice that should be implemented for applications that require logging in, but there is a wide spectrum of ways to implement it, some of which make it more secure than others. (Introduction, 3 minutes)
  • Demonstrate hacking approaches against 2FA, with example attacks.
  • Walk through best practices to help secure two-factor, then wrap-up and questions:
    • Prioritizing application-based methods (TOTP/Authy/Google Authenticator) and push notifications
    • Implementing a truncated exponential back-off algorithm for invalid attempts
    • Other user input sanitization best practices and flow control
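The truncated exponential back-off named in the outline, as an added Ruby example that is not code from the talk or its Rails application. It assumes an in-memory hash for state, an injectable clock, and base/cap values of 2 seconds and 15 minutes; the actual code check (TOTP, push) is supplied by the caller as a block.

```ruby
# Truncated exponential back-off for second-factor verification (added example).
# Assumptions (not from the talk): per-user state lives in a Hash, the clock is
# injectable, and BASE_DELAY / MAX_DELAY are illustrative values.
class TwoFactorBackoff
  BASE_DELAY = 2     # seconds imposed after the first bad code (assumed value)
  MAX_DELAY  = 900   # truncation cap: never wait more than 15 minutes (assumed)
  Result = Struct.new(:ok, :retry_after, keyword_init: true)

  def initialize(clock: -> { Time.now.to_f })
    @clock = clock
    @state = Hash.new { |h, k| h[k] = { failures: 0, locked_until: 0.0 } }
  end

  # Delay after n consecutive failures: BASE * 2^(n-1), truncated at MAX_DELAY,
  # so a persistent guesser is slowed down without locking the user out forever.
  def delay_for(failures)
    return 0 if failures <= 0
    [BASE_DELAY * (2**(failures - 1)), MAX_DELAY].min
  end

  # Seconds the user must still wait before another attempt is accepted.
  def retry_after(user_id)
    [@state[user_id][:locked_until] - @clock.call, 0].max
  end

  # Verify a submitted code. The block performs the real check and returns
  # true/false. The wait is enforced BEFORE the block runs, so a user inside the
  # back-off window cannot probe codes at all during that window.
  def attempt(user_id, code)
    wait = retry_after(user_id)
    return Result.new(ok: false, retry_after: wait) if wait > 0

    if yield(code)
      @state.delete(user_id)               # a good code clears the penalty
      Result.new(ok: true, retry_after: 0)
    else
      s = @state[user_id]
      s[:failures] += 1
      delay = delay_for(s[:failures])
      s[:locked_until] = @clock.call + delay
      Result.new(ok: false, retry_after: delay)
    end
  end
end
```

The back-off state should be keyed by the account, not the client IP, so a guesser who rotates source addresses still hits the same growing delay.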

