Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task!
This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.
10. Trust Anchors
@kelleyrobinson
“An established point of trust from which an entity begins the validation of an authorized process”
NIST Computer Security Resource Center Glossary
11. Physical Identities
• Face
• Voice
• Fingerprints
Contextual Identities
• Email address
• Phone number
• Usernames
Government Identities
• Passport
• Social security card (USA)
• Birth certificate
20. SMS 2FA
• Most popular
• Easy to use and getting easier
• Low barrier to entry
21. Why is SMS for MFA "Bad"?
• SS7 vulnerabilities
• SIM swapping (social engineering)
• Not E2E encrypted
Link: The Post SS7 Future of 2FA
22. SMS 2FA is still better than no 2FA
23. “When we exaggerate all dangers we simply train users to ignore us.”
— Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
29. “We learned that SMS-based authentication is not nearly as secure as we would hope.”
— Reddit Security Incident Disclosure, 2018-08-01
39.
• Support costs *relative to* losses
• Losses due to account takeover
• Number of compromised accounts
• Customer satisfaction
40. “Security people are full of morbid and detailed monologues about the pervasive catastrophes that surround us.”
— James Mickens, This World of Ours