WTF, 2FA!? Y U NO PROTECT ME?
Two factor authentication: the worst, the best, and everything in-between
Back to the beginning
What was the hacker up to?
Calling your mobile provider
Still on the phone with your mobile
Using social engineering
And now they have all the
Sim swap/sim hijacking
We learned that SMS-based authentication
is not nearly as secure as we would hope,
and the main attack was via SMS intercept
Reddit chief technology ofﬁcer and founding engineer
What is authentication?
The process of verifying that someone or something is the actual entity that they claim to
(these people know what they are talking about when it comes to security)
... but what are the different factors of auth?
Factor 1 is knowledge (i.e. your password)
Factor 2 is one of the other methods:
- Possession (token/soft token)
- Identity (biometrics)
2FA == 2SV == MFA
2FA = Two factor authentication
2SV = Two Step verification
MFA = Multi-factor authentication
What about all those other acronyms...
Why didn't 2FA help?
• SMS was used
• 2FA wasn't even enabled
• Most common method
• Not recommended by NIST since 2016
Let's figure out all the ways SMS can
1. Sim-swap (aka what just happened to us)
2. Port-out scam
3. Brute force on the
Time-based One Time Password
aka App based
aka soft token
• Associated with the certain
• Not visible on a locked phone
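To show what a soft token actually computes, here is an added example (not code from the talk) of TOTP as specified in RFC 6238 on top of HOTP (RFC 4226), using only Ruby's standard library. The secret is the RFC 6238 Appendix B test secret, so the outputs can be checked against the published vectors; the function names, the drift window and the constant-time comparison helper are this example's own choices.

```ruby
require 'openssl'

# RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation
# to 31 bits, then reduce to the requested number of decimal digits (zero-padded).
def hotp(secret, counter, digits: 6)
  msg  = [counter].pack('Q>')
  mac  = OpenSSL::HMAC.digest('SHA1', secret, msg).bytes
  off  = mac[19] & 0x0f
  code = ((mac[off] & 0x7f) << 24) |
         ((mac[off + 1] & 0xff) << 16) |
         ((mac[off + 2] & 0xff) << 8) |
         (mac[off + 3] & 0xff)
  (code % 10**digits).to_s.rjust(digits, '0')
end

# RFC 6238 TOTP: the counter is the number of `step`-second intervals since the
# Unix epoch, which is why the code changes every 30 seconds in the app.
def totp(secret, time: Time.now.to_i, step: 30, digits: 6)
  hotp(secret, time / step, digits: digits)
end

# Compare two strings without leaking, through timing, where they first differ.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Verify a submitted code, tolerating `window` steps of clock drift either way.
# Keep the window small: every extra step is one more code a guesser could hit.
def totp_valid?(secret, candidate, time: Time.now.to_i, step: 30, digits: 6, window: 1)
  candidate = candidate.to_s.strip
  (-window..window).any? do |drift|
    secure_equal?(totp(secret, time: time + drift * step, step: step, digits: digits), candidate)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed secret from RFC 6238 Appendix B; a real secret is random, not ASCII.
  secret = '12345678901234567890'
  puts totp(secret, time: 59)                     # 287082 (matches the RFC vector)
  puts totp_valid?(secret, '287082', time: 89)    # true: one step of drift allowed
end
```

The comparison is constant-time on purpose: the server is comparing a value the attacker chose against one it holds, and a plain `==` that returns as soon as a byte differs leaks a little timing information with every guess.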
Push Based Authentication
Physical keys that can auth
• Many use U2F (Universal
What would you change now?
So what could you have changed?
• Setting up with a VOIP number
• Secure with alternate authentication method
• Pin/password protect phone provider
Keep on being @awesome
...wait I lost my phone/app access/token
Use a recovery code
Allows you access to
More on recovery codes
• Stored as hashes
• One time use
• Shown only once
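The three properties above, worked into a small in-memory implementation. This is an added example, not code from the talk; the class name, the ten-code set size and the xxxx-xxxx-xxxx-xxxx formatting are this example's own assumptions.

```ruby
require 'securerandom'
require 'digest'

# Constructed example: the recovery codes for one account.
# The plaintext codes exist only in the return value of generate!, which is the
# one moment they are shown to the user; only SHA-256 digests are kept.
# A fast hash is fine here because each code carries 64 bits of randomness;
# a user-chosen password would need a slow password hash instead.
class RecoveryCodes
  CODE_COUNT = 10

  def initialize
    @digests = {}   # digest => true while that code is still unused
  end

  # Generate a fresh set and invalidate any earlier set. Returns the plaintext
  # codes for display; they are not retrievable afterwards.
  def generate!
    codes = Array.new(CODE_COUNT) { format_code(SecureRandom.hex(8)) }
    @digests = codes.to_h { |c| [digest(c), true] }
    codes
  end

  # Redeem a code: true on first use, false on reuse or on unknown input.
  def redeem(input)
    key = digest(normalize(input))
    return false unless @digests.key?(key)
    @digests.delete(key)   # one-time use: burn it before granting access
    true
  end

  def remaining
    @digests.size
  end

  private

  # Group the 16 hex characters as xxxx-xxxx-xxxx-xxxx so they are easy to copy.
  def format_code(hex)
    hex.scan(/.{4}/).join('-')
  end

  # Accept the code however the user typed it: case, spaces and dashes ignored.
  def normalize(input)
    input.to_s.downcase.gsub(/[^0-9a-f]/, '').scan(/.{4}/).join('-')
  end

  def digest(code)
    Digest::SHA256.hexdigest(code)
  end
end

if __FILE__ == $PROGRAM_NAME
  rc    = RecoveryCodes.new
  codes = rc.generate!
  puts codes                       # shown once; store them offline
  p rc.redeem(codes.first)         # true
  p rc.redeem(codes.first)         # false: already used
end
```

Redeeming a recovery code should also count against the same rate limit as a normal second factor, since it is simply another credential that bypasses the authenticator.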
2FA Implementation Best Practices
• Rate limiting prevents brute force attacks
• Use a truncated exponential back-off algorithm
What is an exponential back-off algorithm?
Example in Ruby
# retries, max_retries and max_delay (the truncation cap, in seconds) are set by the caller
if retries <= max_retries
  retries += 1
  # wait 2, 4, 8 ... seconds, capped at max_delay, plus up to 100 ms of jitter
  # (rand(100) / 1000 would be integer division and always sleep 0 extra)
  sleep([2**retries, max_delay].min + rand(100) / 1000.0)
else
  raise "You've hit your max retries!"
end
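The snippet above sleeps inside one process. On the verifying side the same idea is applied per account and outlives any single request: each failed code lengthens the lockout, the lockout is truncated at a cap, and jitter keeps many lockouts from expiring at once. This added example (not code from the talk) shows that server-side form; the class name, the one-second base, the 300-second cap and the ten-failure cutoff are this example's own assumptions.

```ruby
# Constructed example: server-side throttling of one-time-code verification per
# account. A 6-digit code has only 10**6 values, so unthrottled guessing inside a
# 30-second window is cheap; the delay after the n-th failure is
# BASE_DELAY * 2**n seconds, truncated at MAX_DELAY, plus [0, 1) seconds of jitter.
class OtpRateLimiter
  BASE_DELAY   = 1     # seconds after the first failure
  MAX_DELAY    = 300   # truncation cap: no single lockout is longer than this
  MAX_FAILURES = 10    # beyond this, require a recovery code or a support path

  Status = Struct.new(:result, :wait)   # wait = seconds until the next attempt

  def initialize(rng: Random.new)
    @rng   = rng
    @state = Hash.new { |h, k| h[k] = { failures: 0, next_allowed: 0.0 } }
  end

  # Truncated exponential delay for the n-th consecutive failure.
  def delay_for(failures)
    [BASE_DELAY * 2**failures, MAX_DELAY].min
  end

  # `verify` is a block returning true only when the submitted code is correct.
  # It is never called while the account is locked, so a locked caller learns
  # nothing about the code from the response.
  def attempt(account, now: Time.now.to_f, &verify)
    s = @state[account]
    return Status.new(:locked, s[:next_allowed] - now) if now < s[:next_allowed]
    return Status.new(:exhausted, nil) if s[:failures] >= MAX_FAILURES

    if verify.call
      @state.delete(account)          # success clears the failure history
      Status.new(:ok, 0.0)
    else
      s[:failures] += 1
      s[:next_allowed] = now + delay_for(s[:failures]) + @rng.rand(0.0...1.0)
      Status.new(:denied, s[:next_allowed] - now)
    end
  end

  def failures(account)
    @state.key?(account) ? @state[account][:failures] : 0
  end
end

if __FILE__ == $PROGRAM_NAME
  rl = OtpRateLimiter.new
  p rl.attempt('alice', now: 0.0) { false }   # denied, wait ~2 s
  p rl.attempt('alice', now: 1.0) { true }    # locked: not even checked
  p rl.attempt('alice', now: 10.0) { true }   # ok
end
```

The `wait` value is fine to return to the legitimate user, but the response for a wrong code and for a locked account should look the same to the network, so the limiter's decision is not itself an oracle.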
Get user buy-in
Enforce authentication on all pages
For users with the most privilege, 2FA is a requirement, not optional
Now you are the info sec professional
Thank you Kernelcon and all the staff
Tyson Reeder for the final graphic(@tysondreeder)
For references and further reading check out