Two-Factor, Too Furious: Evading (and Protecting) Evolving MFA Schemes presented at DerbyConVIIIEvolution 2018

by Austin Baker, Dough Bienstock,

Summary : Multifactor authentication is often the first (and too often, the last) line of defense against motivated attackers trying to get access to sensitive data. While is it correctly hailed as a cornerstone of in-depth network defense, adoption rates are outpacing education about the real-world attack scenarios levied against MFA schemes everyday. Here, we present an attempt at a modern threat model of MFA schemes today, with a breakdown of both classic and novel tools and techniques and what security teams responsible with enforcing MFA can do about it.