2FA in 2020 and Beyond

2FA in 2020
...and Beyond!
@kelleyrobinson
© 2019 TWILIO INC. ALL RIGHTS RESERVED.

h a v e i b e e n p w n e d . c o m

2FA in 2020 and Beyond
Kelley Robinson

krobinson@twilio.com
👋👩💻🔐
Kelley Robinson
@kelleyrobinson

U.S.Dollars(Billions)
$1B
$2B
$4B
$5B
$6B
$7B
2011
2012
2013
2014
2015
2016
2017
2018
2019
$6.8
$4.0
$5.1
$2.3
$1.5
$3.9$3.9
$5.0
$3.1
ATO FRAUD COST
$6.8 BILLION IN 2019
COST OF ACCOUNT TAKEOVER (ATO)
Source: Javelin Strategy & Research, 2020

INHERENCE
i.e. face ID
POSSESSION
i.e. mobile phone
KNOWLEDGE
i.e. password
AUTHENTICATION FACTORS

SMS One-time Passwords
✅ Easiest user onboarding
✅ Familiar
❌ SS7 attacks
❌ SIM swapping
Your Owl Bank
verification code is: 7723
@kelleyrobinson

SMS One-time Passwords
Convenient but insecure
Your Owl Bank
verification code is: 7723
@kelleyrobinson

Soft Tokens (TOTP)
🔸 Symmetric key crypto
✅ Available offline
✅ Open standard
❌ App install required
❌ Expiration UX

Soft Tokens (TOTP)
Pretty good option but
not perfect

Pre-generated Codes
✅ Easy to use
❌ Storage
❌ Doesn't "feel" secure
@kelleyrobinson
341BHOzg
7JbR2ku9
wiqNc7g0
6R20ClN5
B4CxTYs6

Pre-generated Codes
Option for backups, less
practical for ongoing use
@kelleyrobinson
341BHOzg
7JbR2ku9
wiqNc7g0
6R20ClN5
B4CxTYs6

Push Authentication
✅ Action context
✅ Denial feedback
✅ Asymmetric key crypto
✅ ❌ Low friction
🔸 Proprietary
@kelleyrobinson

Push Authentication
Convenient and secure, but
maybe too convenient?
@kelleyrobinson

U2F / WebAuthn
✅ Phishing resistant
✅ Asymmetric key crypto
✅ Open standard
❌ Distribution & cost
❌ New technology
@kelleyrobinson

U2F / WebAuthn
Secure but not always
convenient. Will become
more common.
@kelleyrobinson

What are you optimizing for?
Friction for
set up
ONBOARDING
USER
EXPERIENCE
ACCOUNT
RECOVERY
Friction for
replacing lost
factor
Friction for
ongoing use
2FA LI FECYCLE
@kelleyrobinson

https://www.usenix.org/system/files/soups2019-reese.pdf
1. SMS
2. TOTP
3. Pre-generated codes
4. Push
5. U2F Security Keys
A USABILITY STUDY OF FI VE
TWO-FACTOR AUTHENTI CATI ON
METHODS (201 9)
@kelleyrobinson

phone, while others said they would write down the codes and
keep them in a safe place. For timing data, we measured from
the time the participant began the task to the time the backup
codes were displayed on the screen. Even though we asked
participants how they would store the backup codes, we did
not include the time taken to store codes in the setup time for
backup codes since the time to store the codes varies widely
depending on the storage method chosen.
Push. Push notifications require that the phone is signed
in to the user’s Google account. The phone provided to par-
ticipants was already signed in, based on the assumption that
the typical Google user would already be signed in to their
Google account on their phone. When a phone is online, has
screen locking enabled, and is connected to the Google ac-
count, Google sends a push notification that can be approved
by unlocking the phone and tapping "Yes" on the notification.
U2F Security Key. We provided participants with a Yu-
biKey NEO. Google directed participants to insert the security
key into an open USB port, and then to tap the gold button on
the key. Before the device could be recognized, participants
were required to dismiss an alert from the browser asking for
permission to see the U2F device’s make and model. Whether
or not a user allows or denies this request, the U2F device is
registered and optionally given a name. Since this is optional,
we excluded the time taken to name the device.
TOTP 73.3 84.0 109.6 120.0
U2F 31.8 44.0 57.8 67.8
Figure 4: Setup time for five 2FA methods.
7.2 SEQ Scores
🏅 Pre-generated codes
had the fastest setup
Caveat - code storage not considered
for timing
FACTOR SE TUP (GO OG LE)
@kelleyrobinson

😬 YubiKey
Setup success varied a lot based on platform
More people locked themselves out of their
computer than successfully set up YubiKey for
Windows Logon Authorization Tool
74% requested better documentation
N=31 %
Google
Success 26 83%
Correctly identiﬁed completion 22 70%
Failure 5 16%
Facebook
Success 10 32%
Correctly identiﬁed completion 6 19%
Failure 21 67%
Registered YubiKey without enabling 2FA 12 38%
Windows 10
Success 12 38%
Set up the Windows Logon Authorization Tool 5 16%
Set up YubiKey for Windows Hello 7 22%
Failure 19 61%
Failed to set up the Windows Logon Authorization Tool 9 29%
Failed to set up YubiKey for Windows Hello 5 16%
Locked out of the computer 6 19%
TABLE I
LABORATORY STUDY SUCCESS RATES
F
k
th
t
l
r
a
t
p
t
n
FACTOR SE TUP (CROSS- PLATFO RM)
https://isrl.byu.edu/pubs/sp2018.pdf

Push 0.029 -0.204 113 (-0.374, -0.020)
U2F <0.003 -0.269 118 (-0.429, -0.093)
Codes 0.426 -0.076 110 (-0.260, 0.113)
understand their background and feelings about online secu-
rity. With the consent of each participant, we recorded the
audio of each interview. Two coders listened to the record-
ings and coded each interview, discussing each response until
reaching agreement. Common themes identiﬁed from the
recordings are discussed in section 5.2.
4.8 Compensation
Participants were compensated a maximum of 25 USD after
their participation in the study according to a tiered compen-
sation structure based on the total number of tasks completed
through the banking interface.
5 Two-week Study Results
5.1 Quantitative Results
5.1.1 Timing Data
We measured both the time for the password login and the time
Figure 2: Time to authenticate for ﬁve 2FA methods
🏅 U2F & Push
Had the fastest median authentication times
Compared to SMS [Duo research]:
• Push saves a user 13 minutes annually
• U2F saves a user 18.2 minutes annually
FACTOR USA BI LI TY (GO OG LE)
Duo 2019 State of the Auth Report

🏅 TOTP
scored the highest System Usability
Scale (SUS) score for a 2nd factor
Figure 3: SUS scores for ﬁve 2FA methods.
@kelleyrobinson

📉 U2F & Push
"Faster authentication does not
necessarily mean higher usability"
@kelleyrobinson
https://www.usenix.org/system/files/soups2019-reese.pdf Figure 3: SUS scores for ﬁve 2FA methods.

SMS 2FA is still
better than no 2FA

100%
AUTOMATED
BOTS
96%
BULK PHISHING
ATTACKS
76%
TARGETED
ATTACKS
SMS 2FA
2019 Google study found SMS 2FA effectively blocks:
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
@kelleyrobinson

100%
AUTOMATED
BOTS
99%
BULK PHISHING
ATTACKS
90%
TARGETED
ATTACKS
PUSH AUTHENTICATION
2019 Google study found Push 2FA effectively blocks:
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
@kelleyrobinson

"New technology is available to help
mitigate risk and improve the consumer
experience, yet often it goes unused or is
unavailable to consumers."
Javelin Strategy 2020 Identity Fraud Study

2FA ADOPTION
2019 BYU study found:
BELIEVE EXTRA SECURITY
WORTH ADDITIONAL TIME
OR INCONVENIENCE
WILLING TO USE 2FA
DEPENDING ON THE
ACCOUNT
UNWILLING TO USE 2FA
BECAUSE INCONVENIENCE
TOO HIGH
@kelleyrobinson
29% 36% 13%

Perceived value of 2FA
“I just don’t think I have anything that
people would want to take from me, so
I think that’s why I haven’t been very
worried about it.
”Research participant | A Usability Study of Five Two-Factor Authentication Methods
@kelleyrobinson

2FA A DOPTION (2017 VS. 201 9)
0%
25%
50%
75%
100%
Heard of 2FA Used 2FA
53%
77%
28%
44%
Source: Duo 2019 State of the Auth Report
2017
2017
2019
2019
@kelleyrobinson

How to drive adoption of MFA
100%0%
profile
settings
login
prompt
product
incentives
required
@kelleyrobinson
really annoying
& persistent
login prompt

2FA GOOGLE SEARCH INTE REST OVER TI ME (US)
2014 2015 2016 2017 2018 2019 2020
@kelleyrobinson
Source: Google Trends

2014 2015 2016 2017 2018 2019 2020
2FA GOOGLE SEARCH INTE REST OVER TI ME (US)
Source: Google Trends
TechCrunch: Epic Games 2FA
@kelleyrobinson

😈 Number of compromised accounts ⬇
ℹ Support costs relative to losses ⬇
💰 Losses due to account takeover ⬇
😃 User satisfaction ⬆
MEASURING SUCCESS

Delight your most security conscious users.
Provide options for the rest.

“When we exaggerate all
dangers we simply train
users to ignore us.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
@kelleyrobinson

References
A usability study of five two-factor authentication methods
A Tale of Two Studies: The Best and Worst of YubiKey Usability
Javelin Strategy & Research, 2019
Javelin Strategy 2020 Identity Fraud Study
Duo 2019 State of the Auth Report
New research: How effective is basic account hygiene at preventing hijacking
Google Trends: 2FA (US)
TechCrunch: Epic Games 2FA

2FA in 2020 and Beyond

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to 2FA in 2020 and Beyond

Similar to 2FA in 2020 and Beyond (20)

More from Kelley Robinson

More from Kelley Robinson (20)

Recently uploaded

Recently uploaded (20)

2FA in 2020 and Beyond