
Designing customer account recovery in a 2FA world

You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead.


  1. Designing customer account recovery in a 2FA world. 👋 Kelley Robinson | Twilio | NorthSec 2020. © 2019 TWILIO INC. ALL RIGHTS RESERVED.
  2. (no slide text)
  3. Designing customer account recovery in a 2FA world
  4. 👋#🔐 Kelley Robinson @kelleyrobinson
  5. LIFE. HAPPENS.
  6. Average cost of a support call for account recovery: $40 - $70/call. Source: Best Practices: Selecting, Deploying, and Managing Enterprise Password Managers, Forrester Research 2018
  7. AUTHENTICATION FACTOR TRADEOFFS: KNOWLEDGE (i.e. password), POSSESSION (i.e. mobile phone), INHERENCE (i.e. face ID)
  8. KNOWLEDGE
     • Examples: Passwords, security questions, account details
     • Pros: Common, easy to implement, easy to onboard
     • Cons: Answers can be leaked or researched, humans are forgetful
  9. INHERENCE
     • Examples: Fingerprint, voice recognition, keystroke analysis
     • Pros: Can't lose or forget, easy to use
     • Cons: Can't reset or replace
  10. POSSESSION
     • Examples: Mobile phone, backup codes, hardware tokens
     • Pros: Can use common devices, some are not phishable
     • Cons: Humans lose and replace things, harder to set up
  11. 🤔 Backup codes: example backup codes, real messaging. https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
  12. 🤔 Backup codes: example backup codes, real messaging
     • Pros: Not reused like passwords, usually hard to brute force
     • Cons: Hard to store
     • Debatable solution: Email users backup codes?
     https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
  13. RECOVERY EXAMPLES
  14. https://us.etrade.com/security-center/securityid <redacted>
     • Uses Symantec Security ID
     • Requires that you contact customer support to update the 2FA when you get a new phone
     • Limited authentication on the phone
  15. https://twil.io/cc-auth
  16. Authy
     • Two factors required for account recovery
     • 1-4 day waiting period
     • Adaptive auth with stronger requirements depending on the lost factor
  17. GitHub
     • Recovery tokens at setup
     • Fallback options (SMS, Facebook "recover accounts elsewhere")
     • Access tokens, SSH keys
     • Anecdotally: fork the account, then after a 6 month waiting period you can reclaim your dormant username
     GitHub Support: Recovering your account if you lose your 2FA credentials; Recover accounts elsewhere
  18. Facebook
     • Uses existing "friends" feature for trusted contact recovery (Facebook Trusted Contacts)
  19. RECOMMENDATIONS
  20. ✅ Do: Require users to register more factors than they need to log in
  21. ✅ Do: Design your recovery process based on the value your business is protecting
  22. "It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them." Cormac Herley | The Rational Rejection of Security Advice by Users (2016)
  23. ✅ Do: Be intentional about if and who you allow to reset 2FA. Add guardrails for agents 😬
  24. ✅ Do: Remind users about recovery options (example from twitter.com)
  25. ✅ Do: Remind users about 2FA before common phone change times, i.e. holidays, new iPhone releases
  26. ✅ Do: Force users to complete one successful 2FA before enabling 2FA
     TABLE I: LABORATORY STUDY SUCCESS RATES (N=31), https://isrl.byu.edu/pubs/sp2018.pdf
     Google
       Success: 26 (83%)
         Correctly identified completion: 22 (70%)
       Failure: 5 (16%)
     Facebook
       Success: 10 (32%)
         Correctly identified completion: 6 (19%)
       Failure: 21 (67%)
         Registered YubiKey without enabling 2FA: 12 (38%)
     Windows 10
       Success: 12 (38%)
         Set up the Windows Logon Authorization Tool: 5 (16%)
         Set up YubiKey for Windows Hello: 7 (22%)
       Failure: 19 (61%)
         Failed to set up the Windows Logon Authorization Tool: 9 (29%)
         Failed to set up YubiKey for Windows Hello: 5 (16%)
         Locked out of the computer: 6 (19%)
  27. ✅ Do: Add waiting periods for sensitive recoveries
  28. GitHub Account Recovery
  29. https://exchange.gemini.com/signin/forgot
  30. 🤷 Debate!
     • Automatically email backup codes
     • Trusted contact authorization
     • Linked site authorization (i.e. Keybase) https://book.keybase.io/docs/server
     • SMS fallback
     • BLOCKCHAIN???
  31. ❌ Don't: Only use one factor for account recovery
  32. ❌ Don't: Deactivate 2FA on account recovery
  33. ❌ Don't: Give up on 2FA. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
  34. MEASURING SUCCESS
     • 💰 Losses due to account takeover ⬇
     • 😈 Number of compromised accounts ⬇
     • ℹ Support costs relative to losses ⬇
     • 😃 User satisfaction ⬆
  35. THANK YOU @kelleyrobinson
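Backup codes (slides 11 and 12) are "hard to store" for users, and if the service stores them in plaintext they are a liability on that side too. This added example, which is not code from the talk, shows one way to issue and verify single-use backup codes as a possession factor: a CSPRNG generates them, only a keyed digest is stored, each code is consumed on first use, and redemption locks after a few failures so a short code stays hard to brute force. The code count, code length and lock threshold are assumptions.

```python
import hashlib
import hmac
import secrets

# Added example, not code from the talk. Constants below are assumptions.
CODE_COUNT = 10     # codes issued per user
CODE_BYTES = 5      # 40 bits of entropy each: not guessable online once attempts are limited
MAX_FAILURES = 5    # after this many bad attempts, fall back to another factor or to support

def generate_backup_codes(n: int = CODE_COUNT) -> list:
    """Return n fresh plaintext codes, shown to the user once, formatted xxxxx-xxxxx."""
    codes = []
    for _ in range(n):
        raw = secrets.token_hex(CODE_BYTES)          # 10 lowercase hex characters
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes

def _digest(code: str, key: bytes) -> bytes:
    # Normalise what the user typed (dash, case, whitespace) before hashing so
    # the comparison does not fail on harmless formatting differences.
    normalised = code.replace("-", "").strip().lower().encode()
    # Codes are random, so a keyed fast hash is enough. The per-user key should
    # live in a separate secret store in a real deployment.
    return hmac.new(key, normalised, hashlib.sha256).digest()

class BackupCodeStore:
    """Per-user store that keeps only digests and consumes a code on first use."""
    def __init__(self, codes: list):
        self.key = secrets.token_bytes(32)
        self.digests = {_digest(c, self.key) for c in codes}
        self.failures = 0

    def remaining(self) -> int:
        return len(self.digests)

    def locked(self) -> bool:
        return self.failures >= MAX_FAILURES

    def redeem(self, attempt: str) -> bool:
        """True exactly once per valid code; replays and guesses are rejected."""
        if self.locked():
            return False
        d = _digest(attempt, self.key)
        match = next((s for s in self.digests if hmac.compare_digest(s, d)), None)
        if match is None:
            self.failures += 1
            return False
        self.digests.remove(match)       # single use: the same code never works twice
        self.failures = 0
        return True
```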

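The recommendations on slides 20 through 32 and the Authy description on slide 16 fit together as one policy: make users register a spare factor, never recover on a single factor, never switch 2FA off, and scale the waiting period with what is being protected and with which factor was lost. This added example, which is not code from the talk or from any of the services it describes, encodes that policy as a decision function; the tier names, day counts and factor names are assumptions.

```python
from dataclasses import dataclass
from enum import Enum

# Added example, not code from the talk. Tiers, day counts and factor names are assumptions.
class Kind(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"

@dataclass(frozen=True)
class Factor:
    name: str    # e.g. "password", "totp", "backup_codes"
    kind: Kind

@dataclass
class RecoveryPlan:
    allowed: bool
    reason: str
    prove_with: tuple = ()   # factors the user must still pass before the swap
    wait_days: int = 0       # delay before the lost factor is replaced (slide 27)
    keep_2fa: bool = True    # recovery replaces the lost factor; it never turns 2FA off (slide 32)

# Waiting period scales with the value the business is protecting (slide 21).
WAIT_DAYS = {"low": 0, "medium": 1, "high": 4}

def plan_recovery(registered: list, lost: str, tier: str) -> RecoveryPlan:
    """Decide how a user who lost the factor named `lost` may regain access."""
    lost_factor = next((f for f in registered if f.name == lost), None)
    if lost_factor is None:
        return RecoveryPlan(False, f"unknown factor {lost!r}")
    remaining = [f for f in registered if f.name != lost]
    # Slide 31: never recover on one factor. Slide 20 (register a spare) makes this possible.
    if len(remaining) < 2:
        return RecoveryPlan(False, "fewer than two factors remain; route to support, with agent guardrails")
    # Prefer two factors of different kinds so one leaked secret cannot satisfy both.
    chosen = []
    for f in remaining:
        if all(f.kind is not c.kind for c in chosen):
            chosen.append(f)
        if len(chosen) == 2:
            break
    if len(chosen) < 2:            # only one kind left, e.g. two knowledge factors
        chosen = remaining[:2]
    wait = WAIT_DAYS.get(tier, WAIT_DAYS["high"])    # unknown tier: fail towards the longest wait
    # Adaptive (slide 16): losing a possession factor and proving identity with
    # knowledge only is the weakest case, so it earns an extra day.
    if lost_factor.kind is Kind.POSSESSION and all(c.kind is Kind.KNOWLEDGE for c in chosen):
        wait += 1
    return RecoveryPlan(True, f"replace {lost} after {wait} day(s)", tuple(chosen), wait)
```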