outline.md

File metadata and controls

40 lines (39 loc) · 3.72 KB
  1. The Distant Past
    1. Idea developed out of One Time Pads for bankers - add a "test word" to the cipher to demonstrate authenticity
    2. Bellovin, 2011
    3. Bank card + pin
  2. The Digital Age
    1. Ad hoc solutions
      1. Are there examples of ad-hoc solutions prior to standardization?
      2. Patent applied for in 1984, granted in 1988 - RSA Key Patent
      3. First sold in 1986 - Press Release Announcing the 10 Millionth Key Sold
      4. Mostly used by enterprises to secure access to corporate systems
      5. No IETF standards for another 20 years, why not? What algorithm was RSA using?
    2. Standardization
      1. IETF RFC 4226 (HOTP 2005) and RFC 6238 (TOTP 2011)
      2. RSA spreads 2FA to other devices in 2006 - RSA Press Release
      3. Late 2009/Early 2010 - Google hacked by China, looking for dissidents' Gmail accounts. Guardian
      4. Initial release of Google Authenticator (Apps for Domains): September 20, 2010 TechCrunch Article
      5. Subsequent release for consumer accounts: February 10, 2011 Google Blog Post
    3. Spread of access
      1. Facebook announces "Login Approvals": May 12, 2011 Facebook Posting
      2. Google Authenticator and the server side software it works with are initially open source
      3. And based on open standards from IETF
      4. Google encourages other sites to implement?
      5. 2012 - Matt Honan Gets "Epically Hacked". In the second paragraph he says that had he used 2FA it would have been avoided.
      6. June 2012 - Google starts warning of state sponsored attacks, encourages victims to use two-factor. Google Blog
      7. October 2013: EFF encourages people to turn on Two-Factor
      8. 2013, Google closes the source of Authenticator, though it remains interoperable with third-party HOTP and TOTP servers
      9. 2013, FreeOTP launched to provide an open source alternative. OTP Authenticator also exists
      10. Twitter announces "Login Verification": May 22, 2013 Twitter Blog Post
      11. Not all services use an Authenticator app
        1. Twitter uses the Twitter app, Steam uses Steam app
        2. Some services use SMS (talk about unique issues regarding interception)
    4. Public pressure mounts
      1. The Two Factor Auth site lists which services do and don't support 2FA. It has Twitter links for telling sites that don't offer it that you want it.
      2. Chris Soghoian makes a name for himself by calling on people to turn on 2FA - ACLU Blog Post and Bloomberg Article
    5. Next Steps
      1. Two-factor authentication doesn't solve all phishing, it just makes it harder.
      2. @deray hacked in 2016 via SMS
      3. Still susceptible to phishing
      4. U2F is the next step