Skip to main content

Traditional two-factor authentication is dead.

(0 comments)

At Bsides Atlanta last week, Eric Smith (@infosecmafia) and Dave Kennedy (@dave_rel1k) demonstrated a real-time attack against a Juniper SSL-VPN that by-passes the authentication method used including time-bound one-time passcodes.  (Dave's post on "Traditional Penetration Testing is DEAD" on their BSidesAtlanta talk inspired my title. ;)

This type of attack against SSL and DNS has been predicted for some time, taking advantage of user's willingness to accept any SSL certificate.  Kudos to Eric and Dave for showing how this type of attack combined with a strategically aimed penetration test can really wreak havoc on an enterprise.

It's quite easy to perform a MiTM attack these days with malware, a rogue WiFi AP or a DNS cache poisoning.  it is a serious concern and worth addressing.

The good news is that we have addressed it.  WiKID has long supported a system of mutual https authentication that validates the SSL certificate for the end user before they are presented the one-time passcode, in both the open-source Community Edition and the Enterprise Edition.  The token will attempt to match a hash of the targeted site's certificate with one retrieved from the WiKID Strong Authentication Server. If they match, the OTP is presented and the browser is launched to the URL. If they do not match, an error message is presented.

I made a quick screencast demonstration to show how this works.  Enjoy!


 

Currently unrated

Comments

There are currently no comments

New Comment

required

required (not published)

optional

Recent Posts

Archive

2018
2017
2016
2015
2014
2013
2012
2011
2010
2009
2008

Categories

Tags

Authors

Feeds

RSS / Atom