
2FA in 2020 and Beyond

This talk explores the modern landscape of 2FA. With a data-driven analysis of the tradeoffs between different types of factors, we'll dive into a detailed comparison of cryptographic security strength and UX for methods like SMS, Soft Tokens, Push Authentication, and WebAuthn.

  1. 2FA in 2020 ...and Beyond! @kelleyrobinson © 2019 TWILIO INC. ALL RIGHTS RESERVED.
  2. https://twitter.com/troyhunt/status/1229550289620889601
  3. haveibeenpwned.com
  4. 2FA in 2020 and Beyond, Kelley Robinson
  5. COST OF ACCOUNT TAKEOVER (ATO). Chart: U.S. dollars (billions) per year, 2011 to 2018. ATO FRAUD COST $4.0 BILLION IN 2018. Source: Javelin Strategy & Research, 2019
  6. AUTHENTICATION FACTORS: KNOWLEDGE (i.e. password), POSSESSION (i.e. mobile phone), INHERENCE (i.e. face ID)
  7. AUTHENTICATION FACTORS: KNOWLEDGE (i.e. password), POSSESSION (i.e. mobile phone), INHERENCE (i.e. face ID)
  8. SMS One-time Passwords: ✅ Easiest user onboarding ✅ Familiar ❌ SS7 attacks ❌ SIM swapping. Example message: "Your Owl Bank verification code is: 7723"
  9. SMS One-time Passwords: Convenient but insecure
  10. Soft Tokens (TOTP): 🔸 Symmetric key crypto ✅ Available offline ✅ Open standard ❌ App install required ❌ Expiration UX
  11. Soft Tokens (TOTP): Pretty good option but not perfect
  12. Pre-generated Codes: ✅ Easy to use ❌ Storage ❌ Doesn't "feel" secure. Example codes: 341BHOzg 7JbR2ku9 wiqNc7g0 6R20ClN5 B4CxTYs6
  13. Pre-generated Codes: Option for backups, less practical for ongoing use
  14. Push Authentication: ✅ Action context ✅ Denial feedback ✅ Asymmetric key crypto ✅❌ Low friction 🔸 Proprietary
  15. Push Authentication: Convenient and secure, but maybe too convenient?
  16. U2F / WebAuthn: ✅ Phishing resistant ✅ Asymmetric key crypto ✅ Open standard ❌ Distribution & cost ❌ New technology
  17. U2F / WebAuthn: Secure but not always convenient. Will become more common.
  18. A USABILITY STUDY OF FIVE TWO-FACTOR AUTHENTICATION METHODS (2019): 1. SMS 2. TOTP 3. Pre-generated codes 4. Push 5. U2F Security Keys. https://www.usenix.org/system/files/soups2019-reese.pdf
  19. FACTOR SETUP (GOOGLE). Figure 4: Setup time for five 2FA methods. 🏅 Pre-generated codes had the fastest setup. Caveat: code storage not considered for timing. https://www.usenix.org/system/files/soups2019-reese.pdf
  20. FACTOR SETUP (CROSS-PLATFORM). 😬 YubiKey: Setup success varied a lot based on platform. More people locked themselves out of their computer than successfully set up YubiKey for Windows Logon Authorization Tool. 74% requested better documentation. https://isrl.byu.edu/pubs/sp2018.pdf
      TABLE I: LABORATORY STUDY SUCCESS RATES (N=31)
      Google      Success                                                  26   83%
                    Correctly identified completion                        22   70%
                  Failure                                                   5   16%
      Facebook    Success                                                  10   32%
                    Correctly identified completion                         6   19%
                  Failure                                                  21   67%
                    Registered YubiKey without enabling 2FA                12   38%
      Windows 10  Success                                                  12   38%
                    Set up the Windows Logon Authorization Tool             5   16%
                    Set up YubiKey for Windows Hello                        7   22%
                  Failure                                                  19   61%
                    Failed to set up the Windows Logon Authorization Tool   9   29%
                    Failed to set up YubiKey for Windows Hello              5   16%
                    Locked out of the computer                              6   19%
  21. FACTOR USABILITY (GOOGLE). Figure 2: Time to authenticate for five 2FA methods. 🏅 U2F & Push had the fastest median authentication times. Compared to SMS [Duo research]: Push saves a user 13 minutes annually; U2F saves a user 18.2 minutes annually. https://www.usenix.org/system/files/soups2019-reese.pdf; Duo 2019 State of the Auth Report
  22. FACTOR USABILITY (GOOGLE). 🏅 TOTP scored the highest System Usability Scale (SUS) score for a 2nd factor. Figure 3: SUS scores for five 2FA methods. https://www.usenix.org/system/files/soups2019-reese.pdf
  23. FACTOR USABILITY (GOOGLE). 📉 U2F & Push: "Faster authentication does not necessarily mean higher usability". Figure 3: SUS scores for five 2FA methods. https://www.usenix.org/system/files/soups2019-reese.pdf
  24. SMS 2FA is still better than no 2FA
  25. SMS 2FA: 2019 Google study found SMS 2FA effectively blocks: 100% AUTOMATED BOTS, 96% BULK PHISHING ATTACKS, 76% TARGETED ATTACKS. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
  26. PUSH AUTHENTICATION: 2019 Google study found Push 2FA effectively blocks: 100% AUTOMATED BOTS, 99% BULK PHISHING ATTACKS, 90% TARGETED ATTACKS. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
  27. 2FA ADOPTION
  28. 2FA ADOPTION. 2019 BYU study found: BELIEVE EXTRA SECURITY WORTH ADDITIONAL TIME OR INCONVENIENCE / WILLING TO USE 2FA DEPENDING ON THE ACCOUNT / UNWILLING TO USE 2FA BECAUSE INCONVENIENCE TOO HIGH (chart values shown: 29%, 36%, 13%). https://www.usenix.org/system/files/soups2019-reese.pdf
  29. Perceived value of 2FA: "I just don't think I have anything that people would want to take from me, so I think that's why I haven't been very worried about it." Research participant | A Usability Study of Five Two-Factor Authentication Methods
  30. 2FA ADOPTION (2017 VS. 2019). Chart: "Heard of 2FA" and "Used 2FA", 2017 vs. 2019 (chart values shown: 53%, 77%, 28%, 44%). Source: Duo 2019 State of the Auth Report
  31. How to drive adoption of MFA. Spectrum from 0% to 100% adoption: profile settings → login prompt → product incentives → required (annotation: really annoying & persistent login prompt)
  32. 2FA GOOGLE SEARCH INTEREST OVER TIME (US). Chart: 2014 to 2020. Source: Google Trends
  33. 2FA GOOGLE SEARCH INTEREST OVER TIME (US). Chart: 2014 to 2020, annotated "TechCrunch: Epic Games 2FA". Source: Google Trends
  34. (slide with no transcribed text)
  35. MEASURING SUCCESS
  36. MEASURING SUCCESS: 😈 Number of compromised accounts ⬇ ℹ Support costs relative to losses ⬇ 💰 Losses due to account takeover ⬇ 😃 User satisfaction ⬆
  37. Delight your most security conscious users. Provide options for the rest.
  38. "When we exaggerate all dangers we simply train users to ignore us." Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
  39. THANK YOU @kelleyrobinson
  40. References:
      A usability study of five two-factor authentication methods
      A Tale of Two Studies: The Best and Worst of YubiKey Usability
      Javelin Strategy & Research, 2019
      Duo 2019 State of the Auth Report
      New research: How effective is basic account hygiene at preventing hijacking
      Google Trends: 2FA (US)
      TechCrunch: Epic Games 2FA