Unlike most analyst or vendor-related reports, this is an independent, critical assessment of authentication technologies and methods.
This talk covers multi-factor authentication, and what to look for if you are planning a product refresh, or implementing a solution for the first time. Since there are over 200 authentication vendors, it is not easy to select the best solution for your needs. This talk will arm you with questions to ask, plus identify some suboptimal technologies to avoid. Your feedback to vendors will help them provide better, more secure products and services.
Just say, “No,” or request alternatives for the following suboptimal choices in some multi-factor authentication products:
• 2D fingerprints and other already-hacked or easily hacked biometrics
• Quick Response (QR) codes
• Short Message Service One-Time Password (SMS OTP)
• JavaScript requirements
• Weak account recovery methods
• Overreliance on GPS
• Lack of mobile device risk analysis
• Lack of checks for OWASP Mobile Top 10 Risks for mobile apps
• Encryption with backdoors, or with mysterious constants or “magic numbers” of unknown provenance
• Elastic definition of multi-factor authentication: there is a growing chasm between NIST’s definition and newer definitions from some vendors.
Video of the talk