Saturday 3:15 p.m.–3:45 p.m.

Multi-factor Authentication - Possession Factors

Ying Li

Audience level:
Best Practices & Patterns


A brief overview of what multifactor authentication is, focusing particularly on possession factors, including what common options are available. One-time passwords, an important concept in many possession factor types, will also be discussed.


Even the most non-technical people use dozens of online services each day. Each day, both the servers running those services and the clients used to access them are being targeted and compromised by attackers. If your login and password haven't been part of a major breach yet, it's only a matter of time. Multi-factor authentication can defend against threats that can trivially defeat simple single-factor ("just a password") authentication. As a result, many popular online services, including Blizzard's Battle.Net, Google, GitHub, and Twitter, have been incorporating multi-factor authentication in the last few years. This talk is a brief overview of multi-factor authentication, including what attacks it defends against and what common options are available. This information should be useful both to those who have the opportunity to enable multi-factor authentication on services they use and to providers of services who might be wondering whether they should provide multi-factor authentication. This talk will also cover one-time passwords, an important concept in one form of multi-factor authentication, as well as give some general guidelines on implementing two-factor auth in some common Python web frameworks.