The password isn't dead until it's dead everywhere

David Strauss

Adding two-factor authentication has been a topic for years. Unfortunately, security doesn't stop at adding 2FA to each individual website.

We'll talk about why deploying Google Authenticator-style OTP isn't enough:

  • Managing OTP data for every site is tedious.
  • The tedium of tracking the data encourages use of Authy and 1Password.
  • Authy and 1Password have reduced the popular approach to not-really-two-factor.
  • Attackers will re-use passwords captured on compromised sites on systems that don't require 2FA.
  • Compromised websites can be a vector for attacks to other systems behind the same firewall, often using captured passwords.
  • Backends like LDAP or RADIUS make the problem worse by enforcing use of the same passwords and OTP secrets everywhere.

And what you can do:

  • Use federated identity:
    • For public users: support login with Google+, Facebook, Twitter, Microsoft, or other services
    • For internal users: use Google Apps or SAML
  • Use real hardware tokens, including the new, cheap U2F ones
  • Isolate website and internal networks
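The LDAP/RADIUS point above (one OTP secret enforced everywhere) can be made concrete with a small RFC 6238 TOTP implementation. This is an added example, not code from the talk or its author: it assumes a hypothetical public "website" and an internal "vpn" for the same user, and shows that a code entered on the website is also accepted by the VPN when both verify against the same secret, but not when each service holds its own.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper())
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP as Google Authenticator computes it (30 s steps, 6 digits)."""
    return hotp(secret_b32, unix_time // step)


class Service:
    """One relying party; `secrets` maps user -> base32 OTP secret this service accepts."""

    def __init__(self, name: str, secrets: dict):
        self.name = name
        self.secrets = secrets

    def verify(self, user: str, code: str, unix_time: int, window: int = 1) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        counter = unix_time // 30
        return any(hmac.compare_digest(hotp(secret, counter + d), code)
                   for d in range(-window, window + 1))


# Constructed secrets: the first is the RFC 6238 test key, the second is arbitrary.
SHARED_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
VPN_ONLY_SECRET = "JBSWY3DPEHPK3PXP"


def code_entered_on_website_also_passes_vpn(per_service_secrets: bool, unix_time: int = 59) -> bool:
    """Does the code alice typed into the public website also satisfy the internal VPN?"""
    website = Service("website", {"alice": SHARED_SECRET})
    vpn_secret = VPN_ONLY_SECRET if per_service_secrets else SHARED_SECRET
    vpn = Service("vpn", {"alice": vpn_secret})
    code = totp(SHARED_SECRET, unix_time)             # what alice typed into the website
    assert website.verify("alice", code, unix_time)   # the website accepts it either way
    return vpn.verify("alice", code, unix_time)       # True only when the secret is shared
```

With a shared backend secret the function returns True, i.e. a website compromise that captures the password and current code is also a VPN compromise within the time window; with per-service secrets it returns False.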

