Here’s a 6½-minute highlights reel of last Friday’s CISO Series Video Chat “Hacking Multi-Factor Authentication: An hour of critical thinking on best technologies, implementations, and adoptions of MFA”.
Joining me in this discussion were:
- Taylor Lehmann (@BostonCyberGuy), CISO, board member, H-ISAC
- Bojan Simic (@bojansimic), CTO and co-founder, HYPR
Got feedback? Join the conversation on LinkedIn.
HUGE thanks to our sponsor HYPR
Best Bad Ideas
An insane week of bad ideas that shattered previous bad-idea records: we topped out at 65 bad ideas, but John Prokap, InfoSec consultant with Prokap Advisors, pulled it out with the simple and the stupid.
Other honorable mentions go to:
“Emotional Biometrics. You must be happy to login.” – George Avetisov, CEO and co-founder, HYPR
“Real time urine analysis for MFA.” – Chase Pettet, staff security architect, Mirantis
“Require the 4th factor for authentication… Something you don’t know!” – Shawn Bowen, CISO, Restaurant Brands International
“User must enter their current latitude & longitude to authenticate.” – Bob Henderson, founder, Intelligence Services Group
“Your cell phone shocks you five times with increasing strength. Your strangled cries are your voiceprint.” – Dutch Schwartz, strategic lead, AWS Global Security Services Team, AWS
Best quotes from the chat room
“Guys – appreciate that there are better ways of using MFA. But generally speaking, if a ‘non-tech savvy’ user has SMS based MFA, I think it should be celebrated because it will still mitigate the vast majority of account attacks.” – Ash Woodhall, cyber security consultant and owner, Practical Infosec Advisers
“If you offer MFA you have recognized the need for it, so to offer your service without it means you are now lacking in due diligence.” – Chase Pettet, staff security architect, Mirantis
“Knowledge-based verification, CAPTCHA or MFA frequently result in customer frustration and abandonment of an enrollment, login or purchase.” – Sandeep Kamble, founder and CEO, SecureLayer7
“MFA does NOT mean that there needs to be an inverse relationship between security and UX.” – Jim Lindsay, investor, Identite
“SMS is still better than not having any MFA. Have to start somewhere. Make it harder.” – Benjamin Corll, CISO, Coats
“Using SMS for 2FA is technically delegating your identity management to telecoms.” – Jakub Kaluzny, senior IT security consultant, SecuRing
“Vendors who charge a security tax will get a stern lecturing from me and I will select a competitor who doesn’t charge if I can.” – Shawn Bowen, CISO, Restaurant Brands International