Bypass 2FA, Stealing Private Keys without Social Engineering, and the Introduction to “2FAssassin”.
The effectiveness of 2FA depends on how well a user protects “something only the user has”. What if there are ways to steal someone's private keys without performing social engineering? In this talk, I’ll introduce and demonstrate techniques to bypass Two-Factor Authentication. I’ll show you in real life how an attacker steals client certificates and obtains the private keys to authenticate to secured websites, and I’ll present the impact of the aftermath. I will also introduce my tool (2FAssassin), which exploits the vulnerabilities that cause the leakage of private keys and compromises the entire network with the looted private keys. The talk will end with recommendations to protect private keys from being stolen, as well as what to do in the worst-case scenario.