2FA: The Rise of Two-Factor Authentication

Chris Cornutt
February 27, 2014

Two-factor authentication has gotten lots of attention lately. It's being praised as a way to help eliminate passwords and already has several major companies adapting their practices to use it. Let me guide you through the world of 2FA, some of the basic concepts (with examples) and dive deeper into the associated protocols and RFCs.

Transcript

  4. 1. User creates account (user/pass)
     2. User configures 2FA device
     3. Confirmation code sent
     4. Site requests code as validation

     Device configured, code sent on login

  5. 1. User creates account (user/pass)
     2. User configures 2FA device
     3. User set up with 3rd party
     4. 3rd party validates user

     Device configured, 3rd party request

  6. Yubikey: API validated request; OTP + Nonce + Client ID; Signature

     Unique 44 characters; 128-bit AES OTP

  7. Duo Security: Hosted service (API)

     OTP codes; SMS messaging; Phone callback; Push notifications

     NIST certified

  8. Weak passwords are still a problem

     Why stop at two?

     Other options aren’t as strong, but help
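
The Yubikey slide lists a validated API request built from OTP, nonce, client ID and signature. The following is an added example, not code from the deck or from Yubico: it assumes the Yubico validation protocol's parameter names (`id`, `otp`, `nonce`, `h`, `status`) and HMAC-SHA1 signing over sorted `key=value` pairs. The function names are hypothetical, and the key, client ID and OTP are constructed.

```python
import base64, hashlib, hmac, secrets

MODHEX = "cbdefghijklnrtuv"  # YubiKey's keyboard-layout-independent hex alphabet
SAMPLE_KEY = "Y29uc3RydWN0ZWQta2V5"  # constructed API key (base64), not a real one
SAMPLE_OTP = "cccccccccccb" + "cbdefghijklnrtuv" * 2  # constructed 44-char OTP

def split_otp(otp):
    """Return (public_id, ciphertext_bytes) for a 44-character OTP."""
    if len(otp) != 44 or any(c not in MODHEX for c in otp):
        raise ValueError("not a 44-character modhex OTP")
    hexed = "".join("%x" % MODHEX.index(c) for c in otp[12:])
    return otp[:12], bytes.fromhex(hexed)  # 32 modhex chars = one 128-bit AES block

def sign(params, api_key_b64):
    """HMAC-SHA1 over the alphabetically sorted key=value pairs, base64-encoded."""
    msg = "&".join(f"{k}={params[k]}" for k in sorted(params))
    mac = hmac.new(base64.b64decode(api_key_b64), msg.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def build_request(client_id, api_key_b64, otp):
    """Assemble the signed request: client ID + OTP + fresh nonce + signature."""
    split_otp(otp)  # reject malformed input before it leaves the application
    params = {"id": client_id, "otp": otp, "nonce": secrets.token_hex(16)}
    params["h"] = sign(params, api_key_b64)
    return params

def verify_response(resp, request, api_key_b64):
    """Accept only a correctly signed reply that echoes our OTP and nonce."""
    fields = {k: v for k, v in resp.items() if k != "h"}
    if not hmac.compare_digest(sign(fields, api_key_b64), resp.get("h", "")):
        return False  # forged or modified reply
    if fields.get("otp") != request["otp"] or fields.get("nonce") != request["nonce"]:
        return False  # reply belongs to a different request
    return fields.get("status") == "OK"
```

Checking the echoed nonce and OTP as well as the signature is what stops a validly signed reply to one login from being reused for another.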