Two-factor authentication has become almost commonplace in defending against ubiquitous credential brute-forcing and has reduced the criticality of password theft.
However there is a component of the original RFC (request-for-comment) that has been overlooked and undervalued. Meaning that 2FA in its current form is not as effective at mitigating phishing and replay attacks as it could be.
This talk will demonstrate attacks against time-based and HMAC-based OTP (one-time pad) authentication, and will propose detailed countermeasures and mitigations for these attacks.
