Successfully reported this slideshow.

Designing customer account recovery in a 2FA world

0

Share

Jun. 22, 2020
0 likes 328 views
Upcoming SlideShare
BSides PDX - Threat Modeling Authentication
BSides PDX - Threat Modeling Authentication
Loading in …3
×
1 of 35
1 of 35

Designing customer account recovery in a 2FA world

Jun. 22, 2020
0 likes 328 views

0

Share

Download to read offline

Engineering

You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.

You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.

Engineering

Recommended

More Related Content

Similar to Designing customer account recovery in a 2FA world

Authentication Beyond SMS
Kelley Robinson
Webinar: Goodbye RSA. Hello Modern Authentication.
SecureAuth
Fragments-Plug the vulnerabilities in your App
Appsecco
IRJET- Password Management Kit for Secure Authentication
IRJET Journal
OWASP Top 10 Proactive Control 2016 (C5-C10)
Narudom Roongsiriwong, CISSP
Mobile payments: A history of [in]security
CanadianCIO (IT World Canada)
Refugees on Rails Berlin - #2 Tech Talk on Security
Gianluca Varisco
What is two factor or multi-factor authentication
Jack Forbes
Generic threats to mobile application
Vikrant Kansal
Password Policies in Oracle Access Manager. How to improve user authenticatio...
Andrejs Prokopjevs
LF_APIStrat17_OWASP’s Latest Category: API Underprotection
LF_APIStrat
Sira insights from cloud vendor risk assessments
Cary Sholer
Wrangle Your Defense Using Offensive Tactics - ISSA May Meeting
Matt Dunn
Cutting out the middleman: Man-in-the-middle attacks and prevention for mobil...
NowSecure

More from Kelley Robinson

Auth on the web: better authentication
Kelley Robinson
WebAuthn
Kelley Robinson
Introduction to Public Key Cryptography
Kelley Robinson
2FA in 2020 and Beyond
Kelley Robinson
Identiverse 2020 - Account Recovery with 2FA
Kelley Robinson
Introduction to SHAKEN/STIR
Kelley Robinson
Intro to SHAKEN/STIR
Kelley Robinson
PSD2, SCA, WTF?
Kelley Robinson
Building a Better Scala Community
Kelley Robinson
BSides SF - Contact Center Authentication
Kelley Robinson
Communication @ Startups
Kelley Robinson
Contact Center Authentication
Kelley Robinson
SIGNAL - Practical Cryptography
Kelley Robinson
2FA Best Practices
Kelley Robinson
Practical Cryptography
Kelley Robinson
2FA, WTF!?
Kelley Robinson
2FA WTF
Kelley Robinson
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
Practical Cryptography
Kelley Robinson

Featured

What to Upload to SlideShare
SlideShare
Be A Great Product Leader (Amplify, Oct 2019)
Adam Nash
Trillion Dollar Coach Book (Bill Campbell)
Eric Schmidt
APIdays Paris 2019 - Innovation @ scale, APIs as Digital Factories' New Machi...
apidays
A few thoughts on work life-balance
Wim Vanderbauwhede
Is vc still a thing final
Mark Suster
The GaryVee Content Model
Gary Vaynerchuk
Mammalian Brain Chemistry Explains Everything
Loretta Breuning, PhD
Blockchain + AI + Crypto Economics Are We Creating a Code Tsunami?
Dinis Guarda
The AI Rush
Jean-Baptiste Dumont
AI and Machine Learning Demystified by Carol Smith at Midwest UX 2017
Carol Smith
10 facts about jobs in the future
Pew Research Center's Internet & American Life Project
Harry Surden - Artificial Intelligence and Law Overview
Harry Surden
Inside Google's Numbers in 2017
Rand Fishkin
Pinot: Realtime Distributed OLAP datastore
Kishore Gopalakrishna
How to Become a Thought Leader in Your Niche
Leslie Samuel
Visual Design with Data
Seth Familian
Designing Teams for Emerging Challenges
Aaron Irizarry
UX, ethnography and possibilities: for Libraries, Museums and Archives
Ned Potter
Winners and Losers - All the (Russian) President's Men
Ian Bremmer

Related Books

Free with a 14 day trial from Scribd

See all
Bezonomics: How Amazon Is Changing Our Lives and What the World's Best Companies Are Learning from It Brian Dumaine
(4/5)
Free
No Filter: The Inside Story of Instagram Sarah Frier
(4.5/5)
Free
Autonomy: The Quest to Build the Driverless Car—And How It Will Reshape Our World Lawrence D. Burns
(5/5)
Free
Talk to Me: How Voice Computing Will Transform the Way We Live, Work, and Think James Vlahos
(4/5)
Free
From Gutenberg to Google: The History of Our Future Tom Wheeler
(3.5/5)
Free
SAM: One Robot, a Dozen Engineers, and the Race to Revolutionize the Way We Build Jonathan Waldman
(5/5)
Free
The Future Is Faster Than You Think: How Converging Technologies Are Transforming Business, Industries, and Our Lives Peter H. Diamandis
(4.5/5)
Free
So You Want to Start a Podcast: Finding Your Voice, Telling Your Story, and Building a Community That Will Listen Kristen Meinzer
(3.5/5)
Free
Everybody Lies: Big Data, New Data, and What the Internet Can Tell Us About Who We Really Are Seth Stephens-Davidowitz
(4.5/5)
Free
Life After Google: The Fall of Big Data and the Rise of the Blockchain Economy George Gilder
(4/5)
Free
Future Presence: How Virtual Reality Is Changing Human Connection, Intimacy, and the Limits of Ordinary Life Peter Rubin
(4/5)
Free
Live Work Work Work Die: A Journey into the Savage Heart of Silicon Valley Corey Pein
(4.5/5)
Free
Ninety Percent of Everything: Inside Shipping, the Invisible Industry That Puts Clothes on Your Back, Gas in Your Car, and Food on Your Plate Rose George
(4/5)
Free
Carrying the Fire: 50th Anniversary Edition Michael Collins
(4.5/5)
Free
Island of the Lost: An Extraordinary Story of Survival at the Edge of the World Joan Druett
(4/5)
Free
The Basics of Bitcoins and Blockchains: An Introduction to Cryptocurrencies and the Technology that Powers Them (Cryptography, Derivatives Investments, Futures Trading, Digital Assets, NFT) Antony Lewis
(4/5)
Free

Related Audiobooks

Free with a 14 day trial from Scribd

See all
Einstein's Fridge: How the Difference Between Hot and Cold Explains the Universe Paul Sen
(4.5/5)
Free
After Steve: How Apple Became a Trillion-Dollar Company and Lost its Soul Tripp Mickle
(4.5/5)
Free
The Quiet Zone: Unraveling the Mystery of a Town Suspended in Silence Stephen Kurczy
(4.5/5)
Free
The Wires of War: Technology and the Global Struggle for Power Jacob Helberg
(4/5)
Free
System Error: Where Big Tech Went Wrong and How We Can Reboot Rob Reich
(4.5/5)
Free
If Then: How the Simulmatics Corporation Invented the Future Jill Lepore
(4.5/5)
Free
Liftoff: Elon Musk and the Desperate Early Days That Launched SpaceX Eric Berger
(5/5)
Free
The Science of Time Travel: The Secrets Behind Time Machines, Time Loops, Alternate Realities, and More! Elizabeth Howell
(3/5)
Free
A Brief History of Motion: From the Wheel, to the Car, to What Comes Next Tom Standage
(4/5)
Free
An Ugly Truth: Inside Facebook’s Battle for Domination Sheera Frenkel
(4.5/5)
Free
Bitcoin Billionaires: A True Story of Genius, Betrayal, and Redemption Ben Mezrich
(4.5/5)
Free
The Players Ball: A Genius, a Con Man, and the Secret History of the Internet's Rise David Kushner
(4.5/5)
Free
User Friendly: How the Hidden Rules of Design Are Changing the Way We Live, Work, and Play Cliff Kuang
(4.5/5)
Free
Lean Out: The Truth About Women, Power, and the Workplace Marissa Orr
(4.5/5)
Free
Blockchain: The Next Everything Stephen P. Williams
(4/5)
Free
Uncanny Valley: A Memoir Anna Wiener
(4/5)
Free

Designing customer account recovery in a 2FA world

  1. 1. Designing customer account recovery in a 2FA world 👋 Kelley Robinson | Twilio " NorthSec 2020 © 2019 TWILIO INC. ALL RIGHTS RESERVED.
  2. 2. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
  3. 3. Designing customer account recovery in a 2FA world © 2019 TWILIO INC. ALL RIGHTS RESERVED.
  4. 4. © 2020 TWILIO INC. ALL RIGHTS RESERVED. 👋#🔐 Kelley Robinson @kelleyrobinson
  5. 5. © 2019 TWILIO INC. ALL RIGHTS RESERVED. LIFE. HAPPENS.
  6. 6. Average cost of a support call for account recovery:
 $40 - $70/call © 2019 TWILIO INC. ALL RIGHTS RESERVED. Source: Best Practices: Selecting, Deploying, and Managing Enterprise Password Managers, Forrester Research 2018
  7. 7. © 2019 TWILIO INC. ALL RIGHTS RESERVED. INHERENCE i.e. face ID POSSESSION i.e. mobile phone KNOWLEDGE i.e. password AUTHENTICATION FACTOR TRADEOFFS
  8. 8. © 2019 TWILIO INC. ALL RIGHTS RESERVED. KNOWLEDGE Examples Passwords, security questions, account details Pros Common, easy to implement, easy to onboard Cons Answers can be leaked or researched, humans are forgetful
  9. 9. © 2019 TWILIO INC. ALL RIGHTS RESERVED. INHERENCE Examples Fingerprint, voice recognition, keystroke analysis Pros Can't lose or forget, easy to use Cons Can't reset or replace
  10. 10. © 2019 TWILIO INC. ALL RIGHTS RESERVED. POSSESSION Examples Mobile phone, backup codes, hardware tokens Pros Can use common devices, some are not phishable Cons Humans lose and replace things, harder to set up
  11. 11. © 2019 TWILIO INC. ALL RIGHTS RESERVED. 🤔 Backup codes Example backup codes, real messaging https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
  12. 12. © 2019 TWILIO INC. ALL RIGHTS RESERVED. 🤔 Backup codes Example backup codes, real messaging Pros Not reused like passwords, usually hard to brute force Cons Hard to store Debatable solution Email users backup codes? https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
  13. 13. © 2019 TWILIO INC. ALL RIGHTS RESERVED. RECOVERY EXAMPLES
  14. 14. © 2019 TWILIO INC. ALL RIGHTS RESERVED. https://us.etrade.com/security-center/securityid <redacted> • Uses Symantec Security ID • Requires that you contact customer support to update the 2FA when you get a new phone • Limited authentication on the phone
  15. 15. © 2019 TWILIO INC. ALL RIGHTS RESERVED. https://twil.io/cc-auth
  16. 16. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Authy • Two factors required for account recovery • 1-4 day waiting period • Adaptive auth with stronger requirements depending on the lost factor
  17. 17. © 2019 TWILIO INC. ALL RIGHTS RESERVED. GitHub • Recovery tokens at setup • Fallback options (SMS, Facebook "recover accounts elsewhere") • Access tokens, SSH Keys GitHub Support: Recovering your account if you lose your 2FA credentials Recover accounts elsewhere • Anecdotally: fork the account then after a 6 month waiting period, you can reclaim your dormant username
  18. 18. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Facebook • Uses existing "friends" feature for trusted contact recovery Facebook Trusted Contacts
  19. 19. © 2019 TWILIO INC. ALL RIGHTS RESERVED. RECOMMENDATIONS
  20. 20. © 2019 TWILIO INC. ALL RIGHTS RESERVED. ✅ Do Require users to register more factors than they need to log in
  21. 21. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Design your recovery process based on the value your business is protecting ✅ Do
  22. 22. © 2019 TWILIO INC. ALL RIGHTS RESERVED. "It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them." Cormac Herley | The Rational Rejection of Security Advice by Users (2016)
  23. 23. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Be intentional about if and who you allow to reset 2FA Add guardrails for agents 😬 ✅ Do
  24. 24. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Remind users about recovery options twitter.com ✅ Do
  25. 25. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Remind users about 2FA before common phone change times i.e. holidays, new iPhone releases ✅ Do
  26. 26. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Force users to complete one successful 2FA before enabling 2FA N=31 % Google Success 26 83% Correctly identified completion 22 70% Failure 5 16% Facebook Success 10 32% Correctly identified completion 6 19% Failure 21 67% Registered YubiKey without enabling 2FA 12 38% Windows 10 Success 12 38% Set up the Windows Logon Authorization Tool 5 16% Set up YubiKey for Windows Hello 7 22% Failure 19 61% Failed to set up the Windows Logon Authorization Tool 9 29% Failed to set up YubiKey for Windows Hello 5 16% Locked out of the computer 6 19% TABLE I LABORATORY STUDY SUCCESS RATES F k th t l r a t p t n https://isrl.byu.edu/pubs/sp2018.pdf ✅ Do
  27. 27. © 2019 TWILIO INC. ALL RIGHTS RESERVED. ✅ Do Add waiting periods for sensitive recoveries
  28. 28. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Github Account Recovery
  29. 29. © 2019 TWILIO INC. ALL RIGHTS RESERVED. https://exchange.gemini.com/signin/forgot
  30. 30. © 2019 TWILIO INC. ALL RIGHTS RESERVED. 🤷 Debate! • Automatically email backup codes • Trusted contact authorization • Linked site authorization (i.e. Keybase) • SMS fallback https://book.keybase.io/docs/server • BLOCKCHAIN???
  31. 31. © 2019 TWILIO INC. ALL RIGHTS RESERVED. ❌ Don't Only use one factor for account recovery
  32. 32. © 2019 TWILIO INC. ALL RIGHTS RESERVED. ❌ Don't Deactivate 2FA on account recovery
  33. 33. © 2019 TWILIO INC. ALL RIGHTS RESERVED. ❌ Don't https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html Give up on 2FA
  34. 34. ℹ Support costs relative to losses ⬇ 😈 Number of compromised accounts ⬇ © 2020 TWILIO INC. ALL RIGHTS RESERVED. 💰 Losses due to account takeover ⬇ 😃 User satisfaction ⬆ MEASURING SUCCESS
  35. 35. THANK YOU @kelleyrobinson

×