On Monday night I presented on multi-factor authentication at the OWASP (Open Web Application Security Project) New Zealand Chapter meetup in Wellington.
The video below is a voice and slide recording of that presentation and is around 1 hour long. I also plan to publish a blog post in a few weeks that summarises the presentation further. Under the video I have provided a very high-level description of the presentation. My slides, with speaker notes and references, are available as a PDF download from GitHub.
Broken authentication remains firmly pegged at the #2 position in the OWASP Top 10. We need to do more to make it harder for attackers who, like us, face the challenges of limited time and resources, and we can do so by leveraging fundamental security concepts: layered defences, compartmentalisation, and secure data storage. There are several existing, proven multi-factor authentication (MFA) strategies available, but many websites do not implement them, not even high-risk services such as online banking. So there is clear value in improving the way we develop authentication in general and in using multi-factor authentication for products, platforms and websites.
During the presentation I dove into the details of the Time-based One-Time Password (TOTP) algorithm, which you may have come across in Google Authenticator and similar products. I explained how the algorithm works and the calculations performed to generate the same 6-digit token simultaneously on the user's device (often a smartphone) and on the application or website where the user is being authenticated. I demonstrated an example ASP.NET Core 2.1 website and a console app TOTP token provider that I developed to further explain how to implement and unit test TOTP authentication. That code is also available on GitHub.
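To make the calculation described above concrete, here is an added Python example (not the presentation's ASP.NET Core code, and not the Google Authenticator implementation) of the TOTP algorithm as specified in RFC 6238 on top of the RFC 4226 HOTP construction: HMAC-SHA1 over the 8-byte big-endian time-step counter, dynamic truncation of the MAC, then reduction modulo 10^digits. It also shows the verification side that a website would implement, with a small clock-drift window, a constant-time comparison, and rejection of a code whose time step has already been accepted (so a captured code cannot be replayed within the window). The shared secret and time values are the RFC's published test vectors, not real credentials; the enrollment helper and the `last_counter` replay check are this example's own design choices, not something the RFCs mandate.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: the low 4 bits of the last MAC byte select an
    # offset; 4 bytes from there are read big-endian with the top bit masked.
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30,
         digits: int = 6, t0: int = 0) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    counter = (unix_time - t0) // step
    return hotp(secret, counter, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_counter: int = -1, step: int = 30, digits: int = 6,
                window: int = 1) -> Optional[int]:
    """Server-side check. Returns the matched time-step counter, or None.

    - window: how many steps of clock drift either side to tolerate.
    - last_counter: highest counter already accepted for this user; any
      code at or before it is refused, which blocks replay of a stolen code.
    The caller must persist the returned counter as the new last_counter.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    base = (unix_time // step)
    for drift in range(-window, window + 1):
        counter = base + drift
        if counter <= last_counter:
            continue  # already used (or older than something already used)
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, submitted):  # constant-time compare
            return counter
    return None


def provision_secret(length: int = 20) -> tuple[bytes, str]:
    """Generate a random per-user secret and its Base32 form for enrollment.

    Authenticator apps (including Google Authenticator) take the secret as
    Base32 text, typically embedded in an otpauth:// URI shown as a QR code.
    Store only the raw secret server-side, encrypted at rest.
    """
    raw = secrets.token_bytes(length)
    return raw, base64.b32encode(raw).decode("ascii")


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59, 8 digits -> 94287082
    print(totp(RFC_TEST_SECRET, 59, digits=8))
    # Same step, 6 digits, accepted once and then refused as a replay.
    first = verify_totp(RFC_TEST_SECRET, "287082", 59)
    again = verify_totp(RFC_TEST_SECRET, "287082", 59, last_counter=first)
    print(first, again)
```

The test vectors in RFC 4226 Appendix D and RFC 6238 Appendix B are the natural unit tests for an implementation like this: if `hotp` agrees with them, the website and the user's phone will agree with each other.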
At the end of the presentation I briefly explored emerging authentication approaches that may help us get rid of passwords altogether, making authentication both more secure and less onerous for users. These included FIDO2 and WebAuthn, as implemented by Yubico's YubiKey hardware tokens, and emerging technologies for behaviour pattern recognition, such as Microsoft Azure Active Directory risk event detection.