WEBVTT

00:00:00.000 --> 00:00:05.000
Okay, got it. Record to the cloud, record to this computer. Cloud, I guess.

00:00:05.000 --> 00:00:10.000
Okay.

00:00:10.000 --> 00:00:16.000
Hello, everyone. We are presenting our Video Project 1 on multi-factor authentication.

00:00:16.000 --> 00:00:23.000
In this session, we'll explain what MFA is, why it is important, and how it is implemented,

00:00:23.000 --> 00:00:33.000
how it is used in both business and personal computing, and how it can be bypassed or defeated.

00:00:33.000 --> 00:00:43.000
So, what is MFA? MFA simply means verifying a user's identity with more than one independent factor.

00:00:43.000 --> 00:00:49.000
Instead of relying only on a password, MFA combines two or more proofs:

00:00:49.000 --> 00:00:56.000
something you know, something you have, and something you are. For example, entering a password and approving a code

00:00:56.000 --> 00:00:59.000
on your phone. The goal is to make it

00:00:59.000 --> 00:01:07.000
far harder for someone else to impersonate you.

00:01:07.000 --> 00:01:14.000
Why does MFA matter? Most data breaches start with stolen or reused passwords.

00:01:14.000 --> 00:01:20.000
MFA stops many of those attacks, because even if a password is leaked,

00:01:20.000 --> 00:01:30.000
an attacker still needs that second factor. It's also a compliance requirement in most regulated industries, like healthcare, banking, and education.

00:01:30.000 --> 00:01:40.000
Essentially, MFA shrinks the attack surface and limits the blast radius of credential theft.

00:01:40.000 --> 00:01:46.000
The three classic categories are something you know, like a password or a PIN;

00:01:46.000 --> 00:01:55.000
something you have, such as a smartphone or a hardware key; and something you are, like a fingerprint or facial recognition.

00:01:55.000 --> 00:02:04.000
Some modern systems add a fourth layer called context, such as device health, location, or time of access,

00:02:04.000 --> 00:02:11.000
to adaptively raise or lower challenge levels. Now my colleague will walk you through

00:02:11.000 --> 00:02:16.000
the later slides.

00:02:16.000 --> 00:02:20.000
There are different ways to implement MFA.

00:02:20.000 --> 00:02:27.000
Centralized single sign-on systems apply one MFA policy across multiple applications.

00:02:27.000 --> 00:02:32.000
Step-up MFA triggers an extra factor only for sensitive actions.

00:02:32.000 --> 00:02:38.000
Risk-based or adaptive MFA uses analytics to decide when a challenge is needed.

00:02:38.000 --> 00:02:40.000
And finally, passwordless authentication,

00:02:40.000 --> 00:02:49.000
like FIDO2 or Web Authentication, binds the credential to the device itself, removing passwords entirely.

00:02:49.000 --> 00:02:57.000
In business, MFA protects access to email, VPNs, and internal systems, reducing insider risk and ensuring compliance.

00:02:57.000 --> 00:03:04.000
Personally, it protects your social media, online banking, and cloud accounts from hijacking.

00:03:04.000 --> 00:03:13.000
Both contexts share one mission, eliminating password-only authentication as a single point of failure.

00:03:13.000 --> 00:03:15.000
MFA is powerful,

00:03:15.000 --> 00:03:22.000
but not invincible. Attackers use phishing proxies to intercept one-time codes or tokens.

00:03:22.000 --> 00:03:29.000
They cause push fatigue by sending multiple approval prompts until users click yes out of annoyance.

00:03:29.000 --> 00:03:34.000
SIM swapping lets them steal SMS codes by hijacking a phone number.

00:03:34.000 --> 00:03:43.000
And weak recovery processes, like easy help desk resets, can bypass MFA entirely if not secured.

00:03:43.000 --> 00:03:47.000
And here's

00:03:47.000 --> 00:03:49.000
how a real MFA bypass might happen.

00:03:49.000 --> 00:03:55.000
A user enters their login on a phishing site that securely forwards it to the real service.

00:03:55.000 --> 00:03:59.000
The victim then approves the legitimate MFA request,

00:03:59.000 --> 00:04:02.000
not realizing it came from the attacker.

00:04:02.000 --> 00:04:07.000
The attacker captures that authenticated session token and gains full access.

00:04:07.000 --> 00:04:13.000
The lesson is that origin binding and short token lifetimes are essential.

00:04:13.000 --> 00:04:22.000
To defend against these attacks, organizations should use phishing-resistant MFA, like hardware keys or platform biometrics.

00:04:22.000 --> 00:04:27.000
Tokens should expire quickly, and re-authentication should be required for sensitive tasks.

00:04:27.000 --> 00:04:30.000
Recovery processes must be strictly verified and locked.

00:04:30.000 --> 00:04:36.000
And perhaps most important, users need training to recognize fraudulent prompts or suspicious login

00:04:36.000 --> 00:04:40.000
activity.

00:04:40.000 --> 00:05:00.000
These are our references, and thank you.

