We used to think MFA would protect against breaches, but then 2022 happened. Leading tech companies like Okta, Twillio, Uber and Dropbox were all breached as a result of MFA failures. At this point it’s clear that it is no longer a question of “whether” you have MFA, but “how” you do MFA.
Unfortunately, there is an alphabet soup of different MFA techniques, and it’s difficult to decipher what each MFA technique really does, or what attacks it prevents. (Go ahead, try to read the webauthn standard yourself!)
In this talk, I’ll get back to the basics. I'll answser the question how does MFA work, I’ll go over the most popular forms of MFA (SMS-based, phone-based, TOTP, Webauthn, yubikey) and explain, in simple terms, how each of them actually works and what attacks they actually stop (or don’t stop!) At the end of this talk you’ll learn why “just using a hardware key” isn’t always the right answer, and how to build out an authentication scheme that will protect your organization in the face of inevitable MFA attacks in 2023.
We used to think MFA would protect against breaches, but then 2022 happened. Leading tech companies like Okta, Twillio, Uber and Dropbox were all breached as a result of MFA failures. At this point it’s clear that it is no longer a question of “whether” you have MFA, but “how” you do MFA.
Unfortunately, there is an alphabet soup of different MFA techniques, and it’s difficult to decipher what each MFA technique really does, or what attacks it prevents. (Go ahead, try to read the webauthn standard yourself!)
In this talk, I’ll get back to the basics. I'll answser the question how does MFA work, I’ll go over the most popular forms of MFA (SMS-based, phone-based, TOTP, Webauthn, yubikey) and explain, in simple terms, how each of them actually works and what attacks they actually stop (or don’t stop!) At the end of this talk you’ll learn why “just using a hardware key” isn’t always the right answer, and how to build out an authentication scheme that will protect your organization in the face of inevitable MFA attacks in 2023.