Breaking Bad Multifactor: MFA bypasses and how to assess the risks
12-09, 10:55–11:40 (Europe/London), Track 2

As multifactor authentication (MFA) has continued to gain traction in mainstream information security practices, criminals are not letting any grass grow under their feet. There are many ways to approach breaking into accounts protected by MFA, and this talk is designed to go into the details of how the most common MFA methods work, how they may be bypassed, and the policies and tools we can use to find the appropriate level of security for each use case. The talk includes examples of real-world attacks on MFA.

Of course, Walter White will be assisting in delivering this message throughout the presentation in carefully chosen pre-recorded segments.


Multifactor authentication has been held up as a holy grail for some time among IT practitioners for heading off phishing attacks at the pass, but it is no magical talisman. It is just another tool to impose costs on attackers and often comes with its own problems. This talk will explain the modern types of multifactor authentication and how they work. This will let us analyse their weaknesses and explore how criminals have been bypassing each technique.

The final part of the presentation will propose some possible approaches to minimising the dangers and explore policies, technologies and monitoring to most effectively use advanced identity management to secure most organisations.

Chester Wisniewski is Director, Global Field CTO at Sophos. With more than 25 years of security experience, his interest in security and privacy was first piqued while learning to hack from bulletin board text files in the 1980s, and has since been a lifelong pursuit.

Chester works with Sophos X-Ops researchers around the world to understand the latest trends, research and criminal behaviors. This perspective helps advance the industry's understanding of evolving threats, attacker behaviors and effective security defenses. Having worked in product management and sales engineering roles earlier in his career, this knowledge enables him to help organizations design enterprise-scale defense strategies and consult on security planning with some of the largest global brands.