Kevin Mitnick Video: Passwordless MFA

Video transcript

Hi. I’m Kevin Mitnick and I’m excited to share this cool demo of how I can log on to my online sites including my email without using any passwords. I can authenticate, meaning I could prove who I am just by using my mobile phone and my driver’s license.

So, why not use passwords? How many passwords do you have? How many could you remember?

I have tons of passwords to various online services and I use a password manager to manage them. But, I still have to use a master password to unlock everything.

But when you use a password, you have to remember it. You have to type it in. You could be sitting at an airport and you could be typing in your password and somebody could be looking over your shoulder and they can get your password. Or, you might be the victim of a phishing attack and there’s lots of fishing attacks out there that do what they call credential harvesting. They trick users into typing in their username and password to log into something which [you] may think is [your] email or [you] may think is one of [your] online sites. But, it’s really an attacker-controlled website and now the bad guys have your username and passwords.

And worse yet, [the] keystrokes you enter is monitored by the bad guys, which obviously includes your username and password.

And, of course, the easiest way nowadays: everyday we hear about a data breach in the news. Big companies databases, which include their customers and their clients usernames and passwords, are released to the public by the bad guys and then [the passwords] are aggregated [to] certain sites out there like weleakinfo.com where you could actually search through these aggregated databases and find people’s user names and passwords. And unfortunately, people don’t change their passwords that often or they use a pattern that’s similar to their current password. So, it doesn’t take much work for the bad guy to work it out.

So, let me show you how you can get rid of passwords and use an easier technology or an easier way to get in and protect yourself against some bad actors getting your password.

So let me show you how this works.

I’m going to go ahead and try to log into my Gsuite account. I’m going to bring out my mobile phone here and instead of logging in with my username and password I’m going to use this application developed by Trusona, where again, I could prove who I am just with my mobile phone and my driver’s license.

So, instead of using my username and password here, which won’t work, I’ll try to sign in. The sign in will fail because it’s been configured to only allow me to sign in using the no passwords Trusona app.

I’m going to click the Trusana sign in now.

What I’m going to have to do with my mobile phone is click scan and scan the QR code. Then what happens is, the application wants to confirm that I’m indeed trying to access this website or my email or whatever.

So, now I’m going to have to go ahead and accept it.

So, we’ll do that and then the next step is actually proving who I am so the way we do that is with my driver’s license here. But, we don’t look at the front [of the driver’s license]. We use the built-in camera of the phone to look at the back of the license, which I’ll do now. I scan the back of the license.

That’s all it takes to authenticate my identity. So, now I go ahead and click on my Gmail here—I should be logged in and I didn’t have to type in any password whatsoever. Here I am I’m in my email.

This is a newer type of technology and I think we’re going to see wide adoption of this in the near future. So, I wanted to bring it to your attention.