Philipp Markert, Florian Farke, and Markus Dürmuth
View The Email to Get Hacked: Attacking SMS-based Two-Factor Authentication
Santa Clara, California, USA | WAY 2019 | August 11, 2019
Two-Factor Authentication
2FA Adoption
Gmail Confidential Mode
Attacking Google’s 2FA
Are there alternatives?
2FA Adoption
Analyzed top 100 websites*
25 no login: 75 left
18 duplicates: 57 left
26 no 2FA: 31 offer 2FA
* Le Pochat et al. Tranco: A Research-Oriented Top Sites Ranking Hardened Against Manipulation. NDSS ’19
31 websites offer 2FA
25 (81%)
7 (23%)
24 (77%)
Gmail Confidential Mode
Tonight’s door code:
long long short long
Link
https://confidential-mail.google.com/msg/...
2FA Confidential Mode
Attacking Google’s 2FA
[email protected]: wonderland
1. Email
https://confidential-mail.google.com/msg/…
https://confidential-mail.oscar.com/msg/...
4. 6. G-123456
3. Login
5. G-123456
2.
Confidential Mode
Are there alternatives?
1. Improve the text of the SMS
2FA
Confidential Mode
2. Use a Software Token
3. Use a Hardware Token