A Logo

Feel free to include my content in your page via my
RSS feed

Help Irongeek.com pay for
bandwidth and research equipment:

Subscribestar or Patreon

Search Irongeek.com:

Affiliates:
Irongeek Button
Social-engineer-training Button

Help Irongeek.com pay for bandwidth and research equipment:

paypalpixle


Modlishka - Is a Mantis Eating 2FA's Lunch? - Lance Peterman Derbycon 2019 (Hacking Illustrated Series InfoSec Tutorial Videos)

Modlishka - Is a Mantis Eating 2FA's Lunch?
Lance Peterman
Derbycon 2019

In January this year, a Polish security researcher named Piotr Duszynski released a pen testing toolkit named Modlishka, (which loosely translates in English to Mantis) that can automate attacks against websites that use either SMS or OTP based two-factor authentication (2FA). While this is certainly concerning, the ability to co-opt some of these methods of 2FA is hardly new. Yet, the common response from some security pundits was that 2FA as an entire category was under assault and likely to fail. Instead of embracing the 'security panic theater' and wringing my hands, I'll review the current 2FA threat landscape, take a look at practical steps to mitigate those threats, and then I?ll review the current/future state of 2FA and alternative authentication methods.

Lance Peterman is Enterprise Security Architect at Merck. With more than 20 years of experience working in various sectors of the technology industry, Lance?s current focus has been in specialized areas of information security, including identity and access management, risk management, cybersecurity and mobility. Lance is also a member of the adjunct faculty at the University of North Carolina - Charlotte, teaching software architecture and design. He is a founding member of IDPro and currently serving on its board of directors. Active credentials include CISSP and PMP.

@lpeterman

Back to Derbycon 2019 video list

Printable version of this article

15 most recent posts on Irongeek.com:


    If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

    Copyright 2019, IronGeek
    Louisville / Kentuckiana Information Security Enthusiast