Two Factor Authentication (2FA) systems are required by security standards and help to solve the many weaknesses of password authentication, and are increasingly found both in enterprise systems and in general web applications.
Unfortunately, many 2FA systems have vulnerabilities - some glaring, some more subtle - and 2FA systems have frequently sacrificed security to be more usable.
We will demonstrate the vulnerabilities of various 2FA systems, including a new form of attack against mobile phone based TOTP (RFC 6238) systems, and describe best practices for deploying 2FA of various types.