Passwords get pwned. SMS 2FA gets compromised. We spend time clicking stop signs just to convince computers we're human. All of this in an attempt to identify a user we will probably never personally know. It's a fascinating challenge and we're up to the task! This talk will walk through new channels for identity management beyond email and SMS. Encrypted messaging apps like WhatsApp broaden our options for delivering tokens and secure communications but lack the seamless user experience of Push Authentication or the offline benefits of TOTP. We'll dive into the tradeoffs for these approaches and help you choose the approach that will best protect you and your customers from signup to account recovery.

1. Authentication Beyond SMS
Kelley Robinson | PasswordsCon 2018

3. Vertex-based
Elliptic Cryptography
on N-way
Bojangle SpacesPasswords
🤷
Simple Complex

4. Kelley Robinson
Authentication Beyond SMS

5. @kelleyrobinson
☎ 🔐👋 %

6. How
common
is this?
@kelleyrobinson

7. 💰$5.1B💰
In 2017
@kelleyrobinson

8. @kelleyrobinson
https://xkcd.com/1121/

9. @kelleyrobinson
⚓ Trust Anchors

10. ⚓ Trust Anchors
@kelleyrobinson
"An established point of trust from which an entity begins
the validation of an authorized process"
NIST Computer Security Resource Center Glossary

11. Physical Identities
• Face
• Voice
• Fingerprints
Contextual Identities
• Email address
• Phone number
• Usernames
Government Identities
• Passport
• Social security card (USA)
• Birth certificate
@kelleyrobinson

12. @kelleyrobinson
Physical Identities
• Trust anchor
• Very trustworthy
• Practically impossible
to change

13. @kelleyrobinson
Government Identities
• Also a trust anchor?
• Usually physical
• Difficult to change

14. @kelleyrobinson
Contextual Identities
• ...also treated like a trust anchor?
• Not 1:1 relationship
• Easier to change

15. Why is identity
verification hard?
• Imperfect systems
• We may never know if we
got it right

16. @kelleyrobinson
🔐 What are we going to do?

17. @kelleyrobinson

18. @kelleyrobinson
No. It's not.
https://www.troyhunt.com/heres-why-insert-thing-here-is-not-a-password-killer/

19. @kelleyrobinson
Multi Factor Authentication
• SMS / Voice
• TOTP
• Push
• Yubikey
• ...and more

20. 📱 SMS 2FA
• Most popular
• Easy to use and getting easier
• Low barrier to entry
@kelleyrobinson

21. 📱 Why is SMS for MFA "Bad"?
• SS7 vulnerabilities
• SIM swapping (social engineering)
• Not E2E encrypted
Link: The Post SS7 Future of 2FA
@kelleyrobinson

22. SMS 2FA is still
better than
no 2FA
@kelleyrobinson

23. “When we exaggerate all dangers we
simply train users to ignore us.
@kelleyrobinson
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
”

24. U2F

25. Push
@kelleyrobinson

26. TOTP
(Time-based One Time Passwords)
@kelleyrobinson

27. WhatsApp
Or other encrypted messaging
@kelleyrobinson

28. @kelleyrobinson

29. “We learned that SMS-based
authentication is not nearly as secure as
we would hope.
”Reddit Security Incident Disclosure - 2018-08-01
@kelleyrobinson

30. @kelleyrobinson
Account value
Likelihoodofbeingatarget
Very Official
Risk Assessment

31. @kelleyrobinson
Money
Information
Control
Power
Account value*
Likelihoodofbeingatarget

32. Employees*
Moderators
Everyone else
Potential Reddit 2FA Model
Required token
based 2FA
Required 2FA
Optional 2FA
*might be managed by IT, not dev

33. Balance over $250k
Balance over $10k
Everyone else
Potential Banking 2FA Model
Required token
based 2FA
Required 2FA
Optional 2FA

34. Verified accounts
Over 1,000 followers
Everyone else
Potential Twitter 2FA Model
Required token
based 2FA
Required 2FA
Optional 2FA

35. @kelleyrobinson
☎ Known authentication weak point:
Requests via contact center

36. @kelleyrobinson
https://twitter.com/patio11/status/1053205207964823552
☎
Requests
via contact
center

37. @kelleyrobinson
☎
Requests
via contact
center

38. @kelleyrobinson
📈 Measuring effectiveness

39. @kelleyrobinson
ℹ Support costs *relative to* losses ⬇
💰 Losses due to account takeover ⬇
😈 Number of compromised accounts ⬇
😃 Customer satisfaction ⬆

40. @kelleyrobinson
“Security people are full of morbid and
detailed monologues about the pervasive
catastrophes that surround us.
”James Mickens, This World of Ours

41. @kelleyrobinson
Don't blame users.
It's our responsibility to protect them.

42. @kelleyrobinson
THANK YOU!
@kelleyrobinson