The use of Multi-Factor Authentication is becoming more and more common online, especially in e-commerce. I believe that a true end-to-end monitoring system should be able to cover MFA steps without special tweaks.
This talk will describe the 3 most common methods used today to implement MFA:
- SMS code verification
- Automated phone call that either reads out an X-digit code or requires you to dial one yourself
- Time-based One-Time Password (TOTP) algorithm using dedicated apps such as Google Authenticator, 1Password, Okta, etc.
After understanding the differences between the above methods, we'll walk through one way to automate each form of MFA. While SMS and TOTP are relatively easy to automate, automating phone calls and speech-to-text is more complicated. In order to address that challenge, this talk will introduce a new technology: Asterisk - an open-source telecommunications engine.
The talk will feature 3 live demos, one for automating each MFA form:
- How to use Twilio's API to automate the reception of an SMS with a verification code
- How to use a Python library and a pre-configured user account to automate TOTP
- How to use Asterisk and Amazon's ASR (automatic speech recognition) to automate the reception OR typing of a verification code during an automated phone call
All the demos and code samples (including a dedicated Asterisk Dockerfile with the relevant configuration) will be open-sourced before the conference starts.