Explore the evolving landscape of multi-factor authentication (MFA) schemes and learn techniques for both evading and protecting against advanced attacks in this 47-minute conference talk from Derbycon 2018. Delve into pre-authentication setups, real-time phishing methods, and post-authentication strategies for surveying and exploiting vulnerabilities. Examine post-exploitation techniques targeting MFA management and integration, and discover defense-in-depth approaches for pre-authentication and post-exploitation scenarios. Gain valuable insights into the complexities of modern MFA systems and how to strengthen security measures against sophisticated evasion tactics.
Overview
Syllabus
Intro
Roadmap
Introduction
An Evolving Multi-factor Landscape
Pre-Authentication: The Setup
Pre-Authentication: Casing the Joint
Real-Time Phishing with Reel Phish
Honorable mention: Exchange
Pre-Authentication - What MFA isn't
Pre-Authentication - Attack Phones
Post-authentication - Surveying the Land
Post-authentication - Making a New Set of Keys
Post-Exploitation - When The Attacker Has Everything
Post-Exploitation -Targeting MFA Management
Post-Exploitation - Targeting MFA Integration
Post-Exploitation - Fail Un safe?
Defense-in-Depth - Pre-Authentication
Defense-in-Depth - Post-Exploitation
Summary
