1. Designing customer
account recovery in
a 2FA world
👋 Kelley Robinson | Twilio
" NorthSec 2020
© 2019 TWILIO INC. ALL RIGHTS RESERVED.

2. © 2019 TWILIO INC. ALL RIGHTS RESERVED.

3. Designing customer
account recovery in
a 2FA world
© 2019 TWILIO INC. ALL RIGHTS RESERVED.

4. © 2020 TWILIO INC. ALL RIGHTS RESERVED.
👋#🔐
Kelley Robinson
@kelleyrobinson

5. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
LIFE. HAPPENS.

6. Average cost of a support call for account recovery:
$40 - $70/call
© 2019 TWILIO INC. ALL RIGHTS RESERVED.
Source: Best Practices: Selecting, Deploying, and Managing Enterprise Password Managers, Forrester Research 2018

7. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
INHERENCE
i.e. face ID
POSSESSION
i.e. mobile phone
KNOWLEDGE
i.e. password
AUTHENTICATION FACTOR TRADEOFFS

8. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
KNOWLEDGE
Examples
Passwords, security questions, account details
Pros
Common, easy to implement, easy to onboard
Cons
Answers can be leaked or researched,
humans are forgetful

9. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
INHERENCE
Examples
Fingerprint, voice recognition, keystroke analysis
Pros
Can't lose or forget, easy to use
Cons
Can't reset or replace

10. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
POSSESSION
Examples
Mobile phone, backup codes, hardware tokens
Pros
Can use common devices, some are not phishable
Cons
Humans lose and replace things,
harder to set up

11. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
🤔 Backup codes
Example backup codes, real messaging
https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829

12. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
🤔 Backup codes Example backup codes, real messaging
Pros
Not reused like passwords, usually
hard to brute force
Cons
Hard to store
Debatable solution
Email users backup codes?
https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829

13. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
RECOVERY EXAMPLES

14. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
https://us.etrade.com/security-center/securityid
<redacted>
• Uses Symantec Security ID
• Requires that you contact customer
support to update the 2FA when you
get a new phone
• Limited authentication on the phone

15. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
https://twil.io/cc-auth

16. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Authy
• Two factors required for account recovery
• 1-4 day waiting period
• Adaptive auth with stronger requirements
depending on the lost factor

17. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
GitHub
• Recovery tokens at setup
• Fallback options (SMS, Facebook
"recover accounts elsewhere")
• Access tokens, SSH Keys
GitHub Support: Recovering your account if you lose your 2FA credentials
Recover accounts elsewhere
• Anecdotally: fork the account then after a 6 month
waiting period, you can reclaim your dormant username

18. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Facebook
• Uses existing "friends" feature for
trusted contact recovery
Facebook Trusted Contacts

19. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
RECOMMENDATIONS

20. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
✅ Do
Require users to register
more factors than they need
to log in

21. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Design your recovery process
based on the value your
business is protecting
✅ Do

22. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
"It is mainly time, and not money,
that users risk losing when
attacked. It is also time that
security advice asks of them."
Cormac Herley | The Rational Rejection of Security Advice by Users (2016)

23. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Be intentional about if and
who you allow to reset 2FA
Add guardrails for agents
😬
✅ Do

24. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Remind users about
recovery options
twitter.com
✅ Do

25. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Remind users about 2FA before
common phone change times
i.e. holidays, new iPhone releases
✅ Do

26. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Force users to complete one
successful 2FA before
enabling 2FA
N=31 %
Google
Success 26 83%
Correctly identified completion 22 70%
Failure 5 16%
Facebook
Success 10 32%
Correctly identified completion 6 19%
Failure 21 67%
Registered YubiKey without enabling 2FA 12 38%
Windows 10
Success 12 38%
Set up the Windows Logon Authorization Tool 5 16%
Set up YubiKey for Windows Hello 7 22%
Failure 19 61%
Failed to set up the Windows Logon Authorization Tool 9 29%
Failed to set up YubiKey for Windows Hello 5 16%
Locked out of the computer 6 19%
TABLE I
LABORATORY STUDY SUCCESS RATES
F
k
th
t
l
r
a
t
p
t
n
https://isrl.byu.edu/pubs/sp2018.pdf
✅ Do

27. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
✅ Do
Add waiting periods for
sensitive recoveries

28. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
Github Account Recovery

29. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
https://exchange.gemini.com/signin/forgot

30. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
🤷 Debate!
• Automatically email backup codes
• Trusted contact authorization
• Linked site authorization (i.e. Keybase)
• SMS fallback
https://book.keybase.io/docs/server
• BLOCKCHAIN???

31. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
❌ Don't
Only use one factor for
account recovery

32. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
❌ Don't
Deactivate 2FA on
account recovery

33. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
❌ Don't
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
Give up on 2FA

34. ℹ Support costs relative to losses ⬇
😈 Number of compromised accounts ⬇
© 2020 TWILIO INC. ALL RIGHTS RESERVED.
💰 Losses due to account takeover ⬇
😃 User satisfaction ⬆
MEASURING SUCCESS

35. THANK YOU
@kelleyrobinson