Amid many calls to "kill the password" with strong auth, we'll show -- by studying some issues in Google's 2FA deployment -- how this may be harder (and more perilous) than it sounds...
Earlier this year, we reported that an attacker could bypass Google's two-step login verification, reset a user's master password, and otherwise gain full account control, simply by capturing a user's application-specific password (ASP). While Google has taken some steps to mitigate the most serious threats, ASPs still present a number of threats to Google's users. However, Google is not alone -- their implementation of ASPs serves as a useful case study for anyone seeking to use strong authentication to "kill the password".
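The core design flaw described above is that an application-specific password, a credential meant only for one non-interactive client, was accepted as if it were the master password plus a completed second step. The following is an added illustration, not Google's code or any real implementation: a constructed toy authentication service that models both policies side by side. `LEGACY` turns any ASP login into a full session, so whoever holds the ASP can reset the master password or disable two-step verification; `SCOPED` binds the session to the ASP's single scope and requires a fresh second factor for account-management actions. All names, scopes and passwords are hypothetical.

```python
"""Toy model of application-specific passwords (ASPs) as scoped credentials.

Constructed example, not Google's code. Two policies are modelled:
  LEGACY  - an ASP login yields a full session, so the ASP holder can also
            change the master password or disable two-step verification.
  SCOPED  - an ASP login yields a session bound to one application scope, and
            account-management actions require a master-password login with a
            verified second factor.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical action names: account management vs. per-application data access.
ACCOUNT_ACTIONS = {"reset_master_password", "disable_two_step", "create_asp"}
APP_SCOPES = {"mail", "calendar", "contacts"}


def _hash(secret: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so stored ASPs are not recoverable from the credential store.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


@dataclass
class Credential:
    salt: bytes
    digest: bytes
    scope: Optional[str]  # None means "master password"


@dataclass
class Session:
    user: str
    scope: Optional[str]          # None means unscoped (full) session
    second_factor_verified: bool


@dataclass
class Account:
    user: str
    master: Credential
    asps: Dict[str, Credential] = field(default_factory=dict)  # name -> ASP


class AuthService:
    def __init__(self, policy: str):
        assert policy in ("LEGACY", "SCOPED")
        self.policy = policy
        self.accounts: Dict[str, Account] = {}

    def register(self, user: str, master_password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[user] = Account(user, Credential(salt, _hash(master_password, salt), None))

    def create_asp(self, user: str, name: str, scope: str) -> str:
        """Mint a random ASP for one application; return it once, store only its hash."""
        assert scope in APP_SCOPES
        asp = secrets.token_urlsafe(12)
        salt = secrets.token_bytes(16)
        self.accounts[user].asps[name] = Credential(salt, _hash(asp, salt), scope)
        return asp

    def login(self, user: str, secret: str, second_factor_ok: bool = False) -> Optional[Session]:
        acct = self.accounts[user]
        for cred in [acct.master, *acct.asps.values()]:
            if not hmac.compare_digest(_hash(secret, cred.salt), cred.digest):
                continue
            if cred.scope is None:
                # Master password: two-step verification is mandatory in both policies.
                return Session(user, None, True) if second_factor_ok else None
            if self.policy == "LEGACY":
                # The flaw: an ASP alone is promoted to a full, "second-step done" session.
                return Session(user, None, True)
            # Hardened: the session carries only the ASP's scope and no second factor.
            return Session(user, cred.scope, False)
        return None

    def authorize(self, session: Session, action: str) -> bool:
        if action in ACCOUNT_ACTIONS:
            # Only an unscoped session with a verified second factor may manage the account.
            return session.scope is None and session.second_factor_verified
        return session.scope is None or session.scope == action


def demo(policy: str) -> Dict[str, bool]:
    """Show what a party holding only a mail ASP can do under each policy."""
    svc = AuthService(policy)
    svc.register("alice", "correct horse battery staple")  # constructed test account
    mail_asp = svc.create_asp("alice", "desktop-mail-client", "mail")
    session = svc.login("alice", mail_asp)  # no second factor presented
    return {a: svc.authorize(session, a)
            for a in ("mail", "calendar", "reset_master_password", "disable_two_step")}


def master_login_without_second_step(policy: str) -> bool:
    """Master password alone must never yield a session under either policy."""
    svc = AuthService(policy)
    svc.register("bob", "hunter2-but-longer")
    return svc.login("bob", "hunter2-but-longer") is not None


if __name__ == "__main__":
    for p in ("LEGACY", "SCOPED"):
        print(p, demo(p))
```

Running the block prints that the `LEGACY` policy lets the ASP holder reset the master password and disable two-step verification, while `SCOPED` confines the same credential to mail access. The design point is that a long-lived, unphishable-by-prompt credential such as an ASP must never be able to alter the authentication configuration it was meant to be subordinate to.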
We'll discuss the specific flaws in Google's initial ASP implementation and the threats that remain, some analogous issues in other systems, and the broader lessons that we can learn from this experience.