Understanding the Time-Based One-Time Password (TOTP) Algorithm Used for Multi-Factor Authentication (MFA)

Using multi-factor authentication is a commonly recommended practice for securing user accounts, and it’s available across a range of services today such as Gmail, AWS, Azure, Facebook, Twitter, etc. One of the methods for MFA is to use a third-party mobile app like Google Authenticator to generate security codes that are verified by the service. How does this work exactly?


Trying Harder and Passing the OSCP: A Developer’s Perspective

In my line of work, I design and develop enterprise products in the information security and risk management domains. These products generally serve blue teams, and I’ve wanted for a while to get the red team perspective.

So last fall, I put myself through a self-imposed boot camp: earning the OSCP (Offensive Security Certified Professional) certificate. This is an intermediate-level certificate geared towards penetration testers. Before taking the exam, students spend significant self-directed time (30 to 90 days) in a specially constructed lab environment honing their hacking skills. The exam itself is a 24-hour test in which students are dropped into a network and need to gain admin access to as many machines as possible.

Below is a summary of my journey, along with tips for aspiring students.
