
Two Factor Authentication

MK

Passwords are very vulnerable

Dictionary Attacks

Why?

Insecure

A password is as secure as the least secure environment where you have ever typed it in.

It can be transparently breached and you may never know. Frequent changes reduce the window but nobody does that!

Two Factor Authentication

How?

Something you HAVE

Something you KNOW

Common 2FA Schemes

SMS Verification

Card Readers

Uses secret embedded in chip within payment card

(secret in) Mobile App

Time-based: pre-set secret embedded in App is used to generate a time-based sequence of numbers.

Secret supposed to be inaccessible so must HAVE phone.
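The time-based scheme above, as an added example that is not part of the slides: an RFC 6238 TOTP generator plus the server-side check, using the RFC 4226 test secret as a constructed value. Note that the same secret must sit on the server as well as in the app, so it is only as safe as the server's storage, unlike a hardware key's private key.

```python
import hmac
import hashlib
import struct
import time

# Constructed value: the RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
# A real enrolment uses random bytes, shown to the phone once as a base32 string / QR code.
SECRET = b"12345678901234567890"
STEP = 30  # seconds per time step, the default used by authenticator apps


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to a 31-bit integer, then reduced modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, for_time: int, step: int = STEP, digits: int = 6) -> str:
    """Time-based OTP (RFC 6238): HOTP with the counter derived from Unix time."""
    return hotp(key, for_time // step, digits)


def verify(key: bytes, submitted: str, now: int, window: int = 1) -> bool:
    """Server-side check. Accept the code for the current step and `window` steps
    either side to tolerate phone clock drift; compare in constant time so the
    comparison itself leaks nothing about the expected code."""
    for drift in range(-window, window + 1):
        expected = totp(key, now + drift * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SECRET, now))
```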

Hardware Keys

Unique secret (private key) stored in hardware, write only, not available to user, software on PC, or anything else in the middle (even server).

When button is pressed, responds to challenge sent via USB by signing it and returning signature to "prove" it knows the private key.

Let's do it!

This is a workshop not a talk... Let's do it!

If you are going to secure ONE account, make it your email...

Health Warning

Adding more security to your account can keep bad actors out, but it can also keep YOU out:

  • What would I do if I (lost my phone? my security key? my mind?) perhaps simultaneously?
  • Always add recovery mechanisms BUT understand how each recovery mechanism is an attack vector

Even with lots of recovery mechanisms your account is more secure than just passwords!

Worked example: Gmail

  • Add SMS

  • Add authenticator

  • Add security key