2024-11-23, Ngaio Marsh Theatre
MFA, everyone says you should be using it. We say that too, but not all MFA is created equal, and some MFA implementations have issues. Having tested many systems over the years, we have seen some “interesting” implementations with weird behaviour that allows MFA to be bypassed. Knowing these gotchas will help you find these issues and hopefully avoid the same mistakes.
This talk will provide background on what MFA is and why we should be using it. MFA implementations often have pitfalls that allow attackers to bypass them. We will present a range of bypass techniques that we have seen through our testing over the years and how to identify them. In addition, we suggest how these issues could have been avoided. This discussion will also give the hunters new ideas of what to look for when reviewing MFA implementations or trying to bypass MFA on a red team. We finish with what you should be doing to avoid these MFA implementation issues.
Dave/Karit, in his time working in various parts of the IT industry, has developed a skillset that encompasses various disciplines in the information security domain. Dave currently works as a Penetration Tester in Wellington and runs Kākācon.
Dave has presented at a range of conferences such as DefCon, Kiwicon, Aerospace Village @ DefCon, BSidesCBR, CHCon, Unrestcon and at numerous local meetups; along with running training at Kiwicon, Syscan, CrikeyCon, CHCon and TuskCon. He also has a keen interest in aerospace, lock-picking and all things wireless.
Jacob has a background in IT infrastructure that began with maintaining on-premise environments, eventually evolving into “the cloud”... With a passion for IT security, he moved into blue team roles specialising in cloud security. Jacob now works as an offensive security consultant in Wellington, specialising in DevOps and cloud security.
When not wrangling security, he has a keen interest in tinkering with hardware, 3D printing, self-hosting, gaming and, recently, navigating (for him) the uncharted waters of parenthood.