The caveats of implementing smart cards and MFA in Active Directory

Many organisations are trying to get rid of the problems resulting from password-based authentication by implementing smart cards or other forms of MFA. However, in this talk we will demonstrate that the low-level details of how these mechanisms fit into the Kerberos and NTLM protocols can have large security consequences.

In recent years, many organisations have implemented smart card authentication or other forms of multi-factor authentication as a measure to reduce the risks associated with traditional password-based authentication. However, the low-level details of the underlying protocols in Windows networks, such as Kerberos and NTLM, introduce new security caveats when combined with smart cards. Although secure algorithms and protocols are used as building blocks, they can still yield insecure cryptographic systems when combined. In this talk we will demonstrate this through various practical attacks that apply when smart cards or MFA are used in Windows networks.

About the Speaker