Designing customer account recovery in a 2FA world
Kelley Robinson | Twilio
NorthSec 2020
© 2019 TWILIO INC. ALL RIGHTS RESERVED.

👋 🔐
Kelley Robinson
@kelleyrobinson
LIFE. HAPPENS.

Average cost of a support call for account recovery: $40 - $70/call
Source: Best Practices: Selecting, Deploying, and Managing Enterprise Password Managers, Forrester Research 2018
AUTHENTICATION FACTOR TRADEOFFS
INHERENCE, e.g. Face ID
POSSESSION, e.g. mobile phone
KNOWLEDGE, e.g. password

KNOWLEDGE
Examples: Passwords, security questions, account details
Pros: Common, easy to implement, easy to onboard
Cons: Answers can be leaked or researched; humans are forgetful

INHERENCE
Examples: Fingerprint, voice recognition, keystroke analysis
Pros: Can't be lost or forgotten, easy to use
Cons: Can't be reset or replaced

POSSESSION
Examples: Mobile phone, backup codes, hardware tokens
Pros: Can use common devices; some are not phishable
Cons: Humans lose and replace things; harder to set up
🤔 Backup codes
Example backup codes, real messaging: https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
Pros: Not reused like passwords; usually hard to brute force
Cons: Hard to store
Debatable solution: Email users backup codes?
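The backup-code tradeoffs on this slide (hard to brute force, hard to store, single possession factor) come down to a few server-side design choices. The following is an added example written for this page, not code from the talk or from any of the products it discusses; the `BackupCodeStore` class, the code alphabet and length, and the five-failure lockout are assumptions chosen for illustration.

```python
"""Backup codes as a possession factor: generate, store only hashes, consume once.

Added example, not code from the talk. Design choices illustrated:
  * codes come from a CSPRNG (secrets) with enough entropy that online
    guessing is impractical once attempts are rate limited;
  * the server keeps only a salted hash per code, so a database leak
    does not hand out usable codes;
  * each code is single-use, so a code observed after use is worthless;
  * a per-account failure counter locks the recovery path after a small
    number of misses, pushing the user to a slower recovery route.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field

ALPHABET = string.ascii_lowercase + string.digits   # 36 symbols
CODE_LENGTH = 10                                     # 36**10 ~ 2**51.7 possibilities
MAX_FAILED_ATTEMPTS = 5                              # assumed policy value


def _hash_code(salt: bytes, code: str) -> bytes:
    # Backup codes are high-entropy, so one salted SHA-256 is adequate here;
    # a slow hash is only needed for low-entropy secrets such as passwords.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


@dataclass
class BackupCodeStore:
    """Server-side record for one account (hypothetical schema)."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashed_codes: list = field(default_factory=list)  # hashes of unused codes only
    failed_attempts: int = 0

    def issue(self, count: int = 10) -> list:
        """Generate `count` fresh codes; plaintext is shown to the user once."""
        plaintext, hashed = [], []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
            hashed.append(_hash_code(self.salt, raw))
            plaintext.append(f"{raw[:5]}-{raw[5:]}")   # display form only
        self.hashed_codes = hashed      # re-issuing invalidates the old set
        self.failed_attempts = 0
        return plaintext

    def redeem(self, candidate: str) -> bool:
        """Consume one code. True on success; False when wrong or locked."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False   # locked: recovery must go through a slower path
        normalized = candidate.replace("-", "").replace(" ", "").lower()
        digest = _hash_code(self.salt, normalized)
        for i, stored in enumerate(self.hashed_codes):
            if hmac.compare_digest(stored, digest):
                del self.hashed_codes[i]   # single use
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        return False

    def remaining(self) -> int:
        """How many unused codes are left; prompt re-issue when this gets low."""
        return len(self.hashed_codes)


def demo():
    """Issue codes, redeem one twice; returns (first_use, second_use, remaining)."""
    store = BackupCodeStore()
    codes = store.issue(10)
    first_use = store.redeem(codes[0])
    second_use = store.redeem(codes[0])   # same code again must fail
    return first_use, second_use, store.remaining()
```

`remaining()` is what a "you have 2 backup codes left" reminder would read from; the display form with a hyphen is stripped before hashing so users can type codes with or without it.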
RECOVERY EXAMPLES

https://us.etrade.com/security-center/securityid
• Uses Symantec Security ID
• Requires that you contact customer support to update the 2FA when you get a new phone
• Limited authentication on the phone

https://twil.io/cc-auth

Authy
• Two factors required for account recovery
• 1-4 day waiting period
• Adaptive auth with stronger requirements depending on the lost factor

GitHub
• Recovery tokens at setup
• Fallback options (SMS, Facebook "recover accounts elsewhere")
• Access tokens, SSH keys
• Anecdotally: fork the account, then after a 6 month waiting period you can reclaim your dormant username
GitHub Support: Recovering your account if you lose your 2FA credentials; Recover accounts elsewhere

Facebook
• Uses existing "friends" feature for trusted contact recovery
Facebook Trusted Contacts
RECOMMENDATIONS

✅ Do: Require users to register more factors than they need to log in

✅ Do: Design your recovery process based on the value your business is protecting
"It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them."
Cormac Herley | The Rational Rejection of Security Advice by Users (2016)
✅ Do: Be intentional about whether, and who, you allow to reset 2FA. Add guardrails for agents 😬

✅ Do: Remind users about recovery options (example: twitter.com)

✅ Do: Remind users about 2FA before common phone change times, e.g. holidays, new iPhone releases
✅ Do: Force users to complete one successful 2FA before enabling 2FA

TABLE I: LABORATORY STUDY SUCCESS RATES (N=31)
Source: https://isrl.byu.edu/pubs/sp2018.pdf

                                                        N=31     %
Google
  Success                                                 26   83%
  Correctly identified completion                         22   70%
  Failure                                                  5   16%
Facebook
  Success                                                 10   32%
  Correctly identified completion                          6   19%
  Failure                                                 21   67%
  Registered YubiKey without enabling 2FA                 12   38%
Windows 10
  Success                                                 12   38%
  Set up the Windows Logon Authorization Tool              5   16%
  Set up YubiKey for Windows Hello                         7   22%
  Failure                                                 19   61%
  Failed to set up the Windows Logon Authorization Tool    9   29%
  Failed to set up YubiKey for Windows Hello               5   16%
  Locked out of the computer                               6   19%
✅ Do: Add waiting periods for sensitive recoveries
Examples: GitHub Account Recovery; https://exchange.gemini.com/signin/forgot
🤷 Debate!
• Automatically email backup codes
• Trusted contact authorization
• Linked site authorization (e.g. Keybase: https://book.keybase.io/docs/server)
• SMS fallback
• BLOCKCHAIN???
❌ Don't: Only use one factor for account recovery

❌ Don't: Deactivate 2FA on account recovery
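Several of the recommendations above (register more factors than login needs, require two factors for recovery with a waiting period as Authy does, scale the requirements to the lost factor and to the value being protected, only count factors whose enrollment was confirmed by one successful 2FA, and never fall back to a single factor or switch 2FA off) can be written down as an explicit policy. The evaluator below is an added example written for this page; it is not Twilio's, Authy's or GitHub's code, and the `Factor`/`plan_recovery` names, the ordinal factor strengths and the 24-hour and 96-hour waiting periods are assumptions chosen for illustration.

```python
"""Recovery policy evaluator: which remaining factors must an account prove,
and how long must it wait, when one factor is lost?

Added example, not code from the talk or any vendor. Rules encoded:
  * users register more confirmed factors than login needs, so losing
    one still leaves enough to recover (enrollment_ok);
  * recovery always requires at least two remaining factors, never one;
  * only factors confirmed by one successful verification count;
  * a sensitive recovery (strongest factor lost, or high-value account)
    gets a waiting period during which the real owner can cancel;
  * the outcome replaces the lost factor; 2FA is never disabled.
Strength values and waiting periods are assumed policy numbers.
"""
from dataclasses import dataclass
from enum import Enum

LOGIN_FACTORS_NEEDED = 2                            # password + one second factor
RECOVERY_FACTORS_NEEDED = 2                         # never a single factor
MIN_REGISTERED_FACTORS = LOGIN_FACTORS_NEEDED + 1   # "register more than you need"


class Kind(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


@dataclass(frozen=True)
class Factor:
    name: str          # e.g. "password", "totp", "hardware_key", "backup_codes"
    kind: Kind
    strength: int      # assumed ordinal: 1 weak (e.g. SMS) .. 3 strong (hardware key)
    confirmed: bool    # one successful verification completed at enrollment


@dataclass
class RecoveryDecision:
    allowed: bool
    required_factors: list   # names the user must prove, strongest first
    waiting_hours: int       # 0 when no waiting period applies
    reason: str


def enrollment_ok(factors) -> bool:
    """Enrollment gate: enough confirmed factors to survive losing one."""
    return sum(1 for f in factors if f.confirmed) >= MIN_REGISTERED_FACTORS


def plan_recovery(factors, lost: str, high_value_account: bool) -> RecoveryDecision:
    """Decide how an account recovers from losing the factor named `lost`."""
    lost_factor = next((f for f in factors if f.name == lost), None)
    if lost_factor is None:
        return RecoveryDecision(False, [], 0, f"unknown factor {lost!r}")

    remaining = sorted(
        (f for f in factors if f.name != lost and f.confirmed),
        key=lambda f: f.strength, reverse=True,
    )
    # Prefer factors of two different kinds, so two possession factors that
    # lived on the same lost phone are not accepted as independent proof.
    chosen, kinds = [], set()
    for f in remaining:
        if f.kind not in kinds:
            chosen.append(f)
            kinds.add(f.kind)
        if len(chosen) == RECOVERY_FACTORS_NEEDED:
            break
    if len(chosen) < RECOVERY_FACTORS_NEEDED:
        chosen = remaining[:RECOVERY_FACTORS_NEEDED]   # any two confirmed factors
    if len(chosen) < RECOVERY_FACTORS_NEEDED:
        return RecoveryDecision(
            False, [], 0,
            "fewer than two confirmed factors remain; route to manual review",
        )

    # Waiting period scales with what was lost and what is protected.
    waiting = 0
    if lost_factor.strength >= 3:
        waiting = 24                   # strongest factor lost: assumed 1 day
    if high_value_account:
        waiting = max(waiting, 96)     # assumed 4 days for high-value accounts
    return RecoveryDecision(
        True, [f.name for f in chosen], waiting,
        "replace the lost factor after proving the listed factors; 2FA stays enabled",
    )
```

A support agent's "reset 2FA" button would call `plan_recovery` rather than clearing the user's factors directly, which is one concrete form of the guardrail for agents recommended above.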
❌ Don't: Give up on 2FA
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html

MEASURING SUCCESS
ℹ Support costs relative to losses ⬇
😈 Number of compromised accounts ⬇
💰 Losses due to account takeover ⬇
😃 User satisfaction ⬆

THANK YOU
@kelleyrobinson