The real reason why you shouldn't share OTP codes

It might not be what you think

One-Time Passwords, or OTPs are a widely used authentication factor in many online services, big and small. When I’m not ranting about them, I actually think they’re pretty good. So, today is not another attack on OTP or multi-factor authentication, but instead, an effort to educate people about how they work and what we need to do to ensure we stay safe. There are some misconceptions out there, so let’s try to correct them. [Read More]

In detail: SCRAM with channel binding

Visualising the process, discussing its shortcomings

In January, I asked whether TLS channel binding with strong authentication was the solution to defend against MITM or proxy style phishing attacks. The answer was “yes, but also no”. I will look beyond SCRAM soon, but first I want to fulfil a promise to go into more detail about how SCRAM works, especially with channel binding.

[Read More]

Channel Binding: Should you be using it?

Stopping phishing in its tracks... maybe

Authentication and in particular passwords are the bugbear of many cybersecurity professionals. For all the encryption, firewalls, IDS and other defences we put in place, if authentication doesn’t do its job properly, or a user’s credentials get stolen, a compromise is very likely. In the future, we might embrace password-less authentication, relying instead on biometrics, tokens and smart devices in various combinations. Indeed, some platforms do this already, but not all. [Read More]