© 2019 TWILIO INC. ALL RIGHTS RESERVED.
A Tale of Two Factors
Kelley Robinson
👋
@kelleyrobinson
🏗 What are we building?
Assumptions

A. Your users have something of value (💰) connected to an account
B. A user can only access the value once they are authenticated
C. A successful impersonator could also access that value, AKA "account takeover" (ATO)
haveibeenpwned.com
🚩 What can go wrong?
• Compromised factors (hacked, guessed, brute forced, phished)
• Financial losses
[Chart: Cost of account takeover, U.S. dollars (billions), by year 2011-2018. Source: Javelin Strategy & Research, 2019. Values plotted: $1.5B, $2.3B, $3.1B, $3.9B, $3.9B, $4.0B, $5.0B, $5.1B; the 2018 figure is $4.0B.]
ATO FRAUD COST $4.0 BILLION IN 2018
🔐 What are we going to do?
AUTHENTICATION FACTORS
• Knowledge: password
• Possession: mobile device
• Inherence: biometric
SMS One-time Passwords
✅ Easiest user onboarding
✅ Familiar
❌ SS7 attacks
❌ SIM swapping
❌ Web portals (carrier and messaging web accounts expose the code outside the handset)
Example message: "Your Owl Bank verification code is: 7723"
Convenient but insecure
Soft Tokens (TOTP)
🔸 Symmetric key crypto (server and app share the same seed, so a server-side breach exposes every user's secret)
✅ Available offline
✅ Open standard (RFC 6238)
❌ App install required
Pretty good option but not perfect
Push Authentication
✅ Action context
✅ Denial feedback
✅ Asymmetric key crypto
✅/❌ Low friction (one tap approves a login, including one the attacker initiated)
🔸 Proprietary
Convenient and secure, but maybe too convenient?
WebAuthn
✅ Not easily phishable
✅ Asymmetric key crypto
✅ Open standard
❌ Distribution & cost
❌ New technology
Secure but not always convenient. Will become more common "soon"
SMS 2FA is still better than no 2FA

Google study (https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html) found SMS 2FA effectively blocks:
• 100% of automated bots
• 96% of bulk phishing attacks
• 76% of targeted attacks

The same study found push authentication (on-device prompt) effectively blocks:
• 100% of automated bots
• 99% of bulk phishing attacks
• 90% of targeted attacks
How to drive adoption of MFA

“It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)

Users will act on perceived value of their time.
[Illustrative chart: 2FA adoption by where it is offered: profile settings 2%, onboarding prompt 40%, product incentives 75%, required 100%]
FACTORS ARE NOT UNIVERSAL
VERY OFFICIAL RISK ASSESSMENT
[Chart: account value (x-axis) against target likelihood (y-axis); value includes money, information, control, power]
“We learned that SMS-based authentication is not nearly as secure as we would hope.”
Reddit Security Incident Disclosure - 2018-08-01
Potential Reddit 2FA Model
• Employees*: required token-based 2FA
• Moderators: required 2FA
• Everyone else: optional 2FA
Incentives: karma
*might be managed by IT, not dev
Potential Banking 2FA Model
• Balance over $250k: required token-based 2FA
• Balance over $10k: required 2FA
• Everyone else: optional 2FA
Incentives: 💰 💰 💰
Potential PyPI 2FA Model
• Package owners: required 2FA
• Everyone else: optional 2FA
Additional considerations
• Account recovery
• Protecting actions other than login
• Success metrics
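The tiered models above and the "protect actions other than login" and "account recovery" considerations can be written down as one policy function. The code below is an added example for this deck, not Reddit's, PyPI's or any bank's policy and not Twilio's code; the product keys, role names, dollar thresholds, the list of sensitive actions and the five-minute step-up age are assumptions chosen to mirror the slides.

```python
"""Risk-tiered 2FA policy with step-up for sensitive actions and a recovery
check. Added example; thresholds, role names and action list are assumptions."""
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Optional, Set


class Factor(IntEnum):
    """Ordered by resistance to the attacks listed earlier in the deck."""
    SMS = 1        # SIM swap, SS7, carrier web portals
    TOTP = 2       # "token based": symmetric seed, works offline
    PUSH = 3       # asymmetric, but one tap approves anything
    WEBAUTHN = 4   # asymmetric and origin-bound, not easily phishable


class Tier(IntEnum):
    OPTIONAL = 0
    REQUIRED_2FA = 1      # any second factor, SMS included
    REQUIRED_TOKEN = 2    # TOTP or stronger; SMS does not qualify


# Weakest factor that satisfies each tier.
TIER_MINIMUM = {Tier.OPTIONAL: None,
                Tier.REQUIRED_2FA: Factor.SMS,
                Tier.REQUIRED_TOKEN: Factor.TOTP}

# Actions protected beyond login: each needs a fresh verification (assumed list).
SENSITIVE_ACTIONS = {"change_email", "change_phone", "disable_2fa",
                     "add_payee", "withdraw", "publish_release"}


@dataclass
class Account:
    username: str
    roles: Set[str] = field(default_factory=set)
    balance_usd: float = 0.0
    enrolled: Set[Factor] = field(default_factory=set)


def tier_for(account: Account, product: str) -> Tier:
    """The three tiering rules from the slides, keyed by an assumed product name."""
    if product == "reddit":
        if "employee" in account.roles:
            return Tier.REQUIRED_TOKEN
        return Tier.REQUIRED_2FA if "moderator" in account.roles else Tier.OPTIONAL
    if product == "bank":
        if account.balance_usd > 250_000:
            return Tier.REQUIRED_TOKEN
        return Tier.REQUIRED_2FA if account.balance_usd > 10_000 else Tier.OPTIONAL
    if product == "pypi":
        return Tier.REQUIRED_2FA if "package_owner" in account.roles else Tier.OPTIONAL
    raise ValueError(f"unknown product {product!r}")


def strongest_enrolled(account: Account) -> Optional[Factor]:
    return max(account.enrolled) if account.enrolled else None


def meets_tier(account: Account, tier: Tier) -> bool:
    need = TIER_MINIMUM[tier]
    best = strongest_enrolled(account)
    return need is None or (best is not None and best >= need)


def authorize(account: Account, product: str, action: str,
              seconds_since_step_up: Optional[int] = None,
              max_step_up_age: int = 300) -> str:
    """Returns 'allow', 'enroll_required' or 'step_up_required'.

    seconds_since_step_up is the age of the most recent re-verification in this
    session (second factor if enrolled, otherwise password re-entry); None means
    there has been none since login."""
    tier = tier_for(account, product)
    if not meets_tier(account, tier):
        return "enroll_required"   # hold the session until the tier's factor is enrolled
    if action in SENSITIVE_ACTIONS and (
            seconds_since_step_up is None or seconds_since_step_up > max_step_up_age):
        return "step_up_required"
    return "allow"


def recovery_allowed(account: Account, product: str, via: Factor) -> bool:
    """Recovery must not be a back door below the tier: an account that requires a
    token at login cannot be recovered with an SMS code alone."""
    need = TIER_MINIMUM[tier_for(account, product)]
    return need is None or via >= need
```

The recovery check is the part most often missed: if the reset flow accepts a weaker factor than login does, the tier is only as strong as the reset flow.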
✅ Did we do a good job?
😈 Number of compromised accounts ⬇
💰 Losses due to account takeover ⬇
ℹ Support costs relative to losses ⬇
😃 Customer satisfaction ⬆
“When we exaggerate all dangers we simply train users to ignore us.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
THANK YOU!
@kelleyrobinson
APPENDIX
TOTP Algorithm
RFC 6238
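The algorithm the appendix points at, worked through in code: HOTP from RFC 4226, TOTP from RFC 6238 on top of it, and the server-side verifier a practitioner actually needs (drift window, constant-time compare, and rejection of a reused step, which is what stops a code captured by a phishing page from being replayed inside its 30-second window). This is an added example, not the speaker's or Twilio's code; it uses only the Python standard library, and the replay and window policy in TotpVerifier is a common deployment choice rather than something the RFC mandates.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier.
Added example, standard library only. The drift window and last-step-used
replay rule are a deployment policy, not part of the RFC."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Callable, Optional


def hotp(secret: bytes, counter: int, digits: int = 6,
         algo: Callable = hashlib.sha1) -> str:
    """HOTP(K, C) = Truncate(HMAC(K, C)) mod 10^digits (RFC 4226, section 5.3)."""
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation: low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret: bytes, at: Optional[float] = None, step: int = 30,
         digits: int = 6, algo: Callable = hashlib.sha1) -> str:
    """TOTP = HOTP(K, T), T = floor((unix_time - T0) / step), T0 = 0 (RFC 6238, section 4)."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits, algo)


def decode_base32_secret(s: str) -> bytes:
    """Seeds in otpauth:// URIs are unpadded base32; restore the padding before decoding."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


class TotpVerifier:
    """Server-side check for one enrolled user.

    Accepts the current step and up to `window` steps on either side to absorb
    clock drift (RFC 6238, section 5.2), compares in constant time, and refuses
    any step at or below the last one that succeeded, so a captured code cannot
    be replayed within its validity window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1, algo: Callable = hashlib.sha1):
        self.secret, self.step, self.digits = secret, step, digits
        self.window, self.algo = window, algo
        self.last_step_used = -1   # persist this per user in a real deployment

    def verify(self, code: str, at: Optional[float] = None) -> bool:
        if not (code.isdigit() and len(code) == self.digits):
            return False
        now_step = int((time.time() if at is None else at) // self.step)
        for drift in range(-self.window, self.window + 1):
            candidate = now_step + drift
            if candidate <= self.last_step_used:
                continue   # already consumed, or older than a consumed step: replay
            expected = hotp(self.secret, candidate, self.digits, self.algo)
            if hmac.compare_digest(expected, code):
                self.last_step_used = candidate
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B seed (ASCII "12345678901234567890"), SHA-1, 8 digits.
    seed = b"12345678901234567890"
    print(totp(seed, at=59, digits=8))          # 94287082
    print(hotp(seed, 0))                        # 755224 (RFC 4226 Appendix D)
    v = TotpVerifier(seed)
    code = totp(seed, at=1_000 * 30 + 5)
    print(v.verify(code, at=1_000 * 30 + 5))    # True
    print(v.verify(code, at=1_000 * 30 + 20))   # False: same step, already used
```

Two things the RFC leaves to you and the verifier above decides: how many neighbouring steps to accept (one on each side covers ordinary phone clock drift without widening the brute-force target much) and what to remember between requests (the last accepted step per user, which also has to survive across server instances if logins are load-balanced).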