2FA in 2020 and Beyond

3. h a v e i b e e n p w n e d . c o m

5. © 2019 TWILIO INC. ALL RIGHTS RESERVED. COST OF ACCOUNT TAKEOVER (ATO) Source: Javelin Strategy & Research, 2019 U.S.Dollars(Billions) $1B $2B $3B $4B $5B $6B 2011 2012 2013 2014 2015 2016 2017 2018 $4.0 $5.1 $2.3 $1.5 $3.9$3.9 $5.0 $3.1 ATO FRAUD COST $4.0 BILLION IN 2018

18. © 2019 TWILIO INC. ALL RIGHTS RESERVED. https://www.usenix.org/system/files/soups2019-reese.pdf 1. SMS 2. TOTP 3. Pre-generated codes 4. Push 5. U2F Security Keys A USABILITY STUDY OF FIVE TWO-FACTOR AUTH ENTICATION METHODS (2019) @kelleyrobinson

19. © 2019 TWILIO INC. ALL RIGHTS RESERVED. phone, while others said they would write down the codes and keep them in a safe place. For timing data, we measured from the time the participant began the task to the time the backup codes were displayed on the screen. Even though we asked participants how they would store the backup codes, we did not include the time taken to store codes in the setup time for backup codes since the time to store the codes varies widely depending on the storage method chosen. Push. Push notifications require that the phone is signed in to the user’s Google account. The phone provided to participants was already signed in, based on the assumption that the typical Google user would already be signed in to their Google account on their phone. When a phone is online, has screen locking enabled, and is connected to the Google account, Google sends a push notification that can be approved by unlocking the phone and tapping "Yes" on the notification. U2F Security Key. We provided participants with a Yu- biKey NEO. Google directed participants to insert the security key into an open USB port, and then to tap the gold button on the key. Before the device could be recognized, participants were required to dismiss an alert from the browser asking for permission to see the U2F device’s make and model. Whether or not a user allows or denies this request, the U2F device is registered and optionally given a name. Since this is optional, we excluded the time taken to name the device. TOTP 73.3 84.0 109.6 120.0 U2F 31.8 44.0 57.8 67.8 Figure 4: Setup time for five 2FA methods. 7.2 SEQ Scores 🏅 Pre-generated codes had the fastest setup Caveat - code storage not considered for timing FACTOR SETUP (GOOGLE) https://www.usenix.org/system/files/soups2019-reese.pdf @kelleyrobinson

20. © 2019 TWILIO INC. ALL RIGHTS RESERVED. 😬 YubiKey Setup success varied a lot based on platform More people locked themselves out of their computer than successfully set up YubiKey for Windows Logon Authorization Tool 74% requested better documentation N=31 % Google Success 26 83% Correctly identiﬁed completion 22 70% Failure 5 16% Facebook Success 10 32% Correctly identiﬁed completion 6 19% Failure 21 67% Registered YubiKey without enabling 2FA 12 38% Windows 10 Success 12 38% Set up the Windows Logon Authorization Tool 5 16% Set up YubiKey for Windows Hello 7 22% Failure 19 61% Failed to set up the Windows Logon Authorization Tool 9 29% Failed to set up YubiKey for Windows Hello 5 16% Locked out of the computer 6 19% TABLE I LABORATORY STUDY SUCCESS RATES F k th t l r a t p t n FACTOR SETUP (CROSS - PLATFOR M) https://isrl.byu.edu/pubs/sp2018.pdf

21. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Push 0.029 -0.204 113 (-0.374, -0.020) U2F <0.003 -0.269 118 (-0.429, -0.093) Codes 0.426 -0.076 110 (-0.260, 0.113) understand their background and feelings about online security. With the consent of each participant, we recorded the audio of each interview. Two coders listened to the recordings and coded each interview, discussing each response until reaching agreement. Common themes identiﬁed from the recordings are discussed in section 5.2. 4.8 Compensation Participants were compensated a maximum of 25 USD after their participation in the study according to a tiered compensation structure based on the total number of tasks completed through the banking interface. 5 Two-week Study Results 5.1 Quantitative Results 5.1.1 Timing Data We measured both the time for the password login and the time Figure 2: Time to authenticate for ﬁve 2FA methods 🏅 U2F & Push Had the fastest median authentication times Compared to SMS [Duo research]: • Push saves a user 13 minutes annually • U2F saves a user 18.2 minutes annually FACTOR USA BI L I TY (GOOGLE) https://www.usenix.org/system/files/soups2019-reese.pdf Duo 2019 State of the Auth Report

22. © 2019 TWILIO INC. ALL RIGHTS RESERVED. 🏅 TOTP scored the highest System Usability Scale (SUS) score for a 2nd factor Figure 3: SUS scores for ﬁve 2FA methods. FACTOR USA BI L I TY (GOOGLE) @kelleyrobinson https://www.usenix.org/system/files/soups2019-reese.pdf

23. © 2019 TWILIO INC. ALL RIGHTS RESERVED. 📉 U2F & Push "Faster authentication does not necessarily mean higher usability" FACTOR USA BI L I TY (GOOGLE) @kelleyrobinson https://www.usenix.org/system/files/soups2019-reese.pdf Figure 3: SUS scores for ﬁve 2FA methods.

25. 100% AUTOMATED BOTS 96% BULK PHISHING ATTACKS 76% TARGETED ATTACKS SMS 2FA 2019 Google study found SMS 2FA effectively blocks: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html @kelleyrobinson

26. 100% AUTOMATED BOTS 99% BULK PHISHING ATTACKS 90% TARGETED ATTACKS PUSH AUTHENTICATION 2019 Google study found Push 2FA effectively blocks: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html @kelleyrobinson

27. 2FA ADOPTION @kelleyrobinson

28. 2FA ADOPTION 2019 BYU study found: https://www.usenix.org/system/files/soups2019-reese.pdf BELIEVE EXTRA SECURITY WORTH ADDITIONAL TIME OR INCONVENIENCE WILLING TO USE 2FA DEPENDING ON THE ACCOUNT UNWILLING TO USE 2FA BECAUSE INCONVENIENCE TOO HIGH @kelleyrobinson 29% 36% 13%

29. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Perceived value of 2FA “ I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it. ” Research participant | A Usability Study of Five Two-Factor Authentication Methods @kelleyrobinson

30. 2FA A DOP TION (2017 VS . 2019) © 2019 TWILIO INC. ALL RIGHTS RESERVED. 0% 25% 50% 75% 100% Heard of 2FA Used 2FA 53% 77% 28% 44% Source: Duo 2019 State of the Auth Report 2017 2017 2019 2019 @kelleyrobinson

35. MEASURING SUCCESS

38. © 2019 TWILIO INC. ALL RIGHTS RESERVED. “When we exaggerate all dangers we simply train users to ignore us.” Cormac Herley, The Rational Rejection of Security Advice by Users (2009) @kelleyrobinson

39. @kelleyrobinson THANK YOU

40. © 2019 TWILIO INC. ALL RIGHTS RESERVED. References A usability study of five two-factor authentication methods A Tale of Two Studies: The Best and Worst of YubiKey Usability Javelin Strategy & Research, 2019 Duo 2019 State of the Auth Report New research: How effective is basic account hygiene at preventing hijacking Google Trends: 2FA (US) TechCrunch: Epic Games 2FA