Peerlyst Tel Aviv Security meetup - Why is MFA useless.

Details

The use of Multi-Factor Authentication is becoming more and more common online, especially in E-commerce. I believe that a true end-to-end monitoring system should be able to cover MFA steps without special tweaks.

This talk will describe the 3 most common methods used today to implement MFA:

• SMS code verification

• Automated phone call that either reads out an X-digit code or requires you to dial one yourself

• Time-based One-Time Password (TOTP) algorithm using dedicated apps such as Google Authenticator / 1Password / Okta / etc. ( https://goo.gl/VnRuHh )

After understanding the differences between the above methods, we'll walk through one way to automate each form of MFA. While SMS and TOTP are relatively easy to automate, automating phone calls and speech-to-text is more complicated. In order to address that challenge, this talk will introduce a new technology: Asterisk - an open-source telecommunications engine.

The talk will feature 3 live demos, one for automating each MFA form:

• How to use Twilio's API to automate the reception of an SMS containing a verification code

• How to use a Python library and a pre-configured user account to automate TOTP

• How to use Asterisk and Amazon's ASR (automatic speech recognition) to automate receiving OR dialing a verification code during an automated phone call

All the demos and code samples (including a dedicated Asterisk Dockerfile with the relevant configuration) will be open-sourced before the presentation starts.

Presenter: Or Polaczek, Research Engineer / Mobile Lead at Forter

About:

Or is a Network Security R&D Specialist with 7+ years of experience. He is currently working as a Research Engineer at Forter, developing (and testing) new methods aimed at catching credit-card fraudsters. While at Forter, Or created Forter's Mobile SDK and established the testing and monitoring infrastructure for the company's client-side components (scripts and SDKs). Prior to that, Or developed a WebRTC-based VoIP SDK currently running on millions of devices. Or also served as a Network Security Researcher in the Israeli Ministry of Defense for 3 years.