1. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
A Tale of Two Factors
Kelley Robinson
4. 🏗 What are we building?
5. Assumptions
A. Your users have something of value connected to an account
6. Assumptions
B. A user can only access the value once they are authenticated
7. Assumptions
C. A successful impersonator could also access that value, AKA "account takeover" (ATO)
9. haveibeenpwned.com
10. 🚩 What can go wrong?
• Compromised factors (hacked, guessed, brute forced, phished)
• Financial losses
11. [Chart: COST OF ACCOUNT TAKEOVER, U.S. Dollars (Billions), by year 2011 to 2018. Source: Javelin Strategy & Research, 2019]
12. [Same chart, next build]
13. [Same chart, final build]
ATO FRAUD COST $4.0 BILLION IN 2018
14. 🔐 What are we going to do?
15. AUTHENTICATION FACTORS
KNOWLEDGE: PASSWORD
POSSESSION: MOBILE DEVICE
INHERENCE: BIOMETRIC
16. SMS One-time Passwords
✅ Easiest user onboarding
✅ Familiar
❌ SS7 attacks
❌ SIM swapping
❌ Web portals
Your Owl Bank verification code is: 7723
18. Soft Tokens (TOTP)
🔸 Symmetric key crypto
✅ Available offline
✅ Open standard
❌ App install required
20. Push Authentication
✅ Action context
✅ Denial feedback
✅ Asymmetric key crypto
✅ ❌ Low friction
🔸 Proprietary
21. Push Authentication
Convenient and secure, but maybe too convenient?
22. WebAuthn
✅ Not easily phishable
✅ Asymmetric key crypto
✅ Open standard
❌ Distribution & cost
❌ New technology
23. WebAuthn
Secure but not always convenient. Will become more common "soon"
24. SMS 2FA is still better than no 2FA
27. How to drive adoption of MFA
“It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
28. How to drive adoption of MFA
Users will act on perceived value of their time
[Chart: MFA adoption by approach, from profile settings, onboarding prompt and product incentives through to required; figures shown: 2%, 40%, 75%, 100%]
30. FACTORS ARE NOT UNIVERSAL
31. VERY OFFICIAL RISK ASSESSMENT
[Chart: Account value (x-axis) vs. Target likelihood (y-axis)]
value includes: Money, Information, Control, Power
32. “We learned that SMS-based authentication is not nearly as secure as we would hope.”
Reddit Security Incident Disclosure, 2018-08-01
33. Potential Reddit 2FA Model
Employees*: Required token based 2FA
Moderators: Required 2FA
Everyone else: Optional 2FA
*might be managed by IT, not dev
34. Potential Reddit 2FA Model (same tiers as the previous slide)
Incentives: karma
35. Potential Banking 2FA Model
Balance over $250k: Required token based 2FA
Balance over $10k: Required 2FA
Everyone else: Optional 2FA
36. Potential Banking 2FA Model (same tiers as the previous slide)
Incentives: 💰 💰 💰
37. Potential PyPI 2FA Model
Package owners: Required 2FA
Everyone else: Optional 2FA
38. Additional considerations
• Account recovery
• Protecting actions other than login
• Success metrics
39. ✅ Did we do a good job?
😈 Number of compromised accounts ⬇
ℹ Support costs relative to losses ⬇
💰 Losses due to account takeover ⬇
😃 Customer satisfaction ⬆
40. “When we exaggerate all dangers we simply train users to ignore us.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
41. THANK YOU!
@kelleyrobinson
43. TOTP Algorithm
RFC 6238