KELLEY ROBINSON | TWILIO
DESIGNING CUSTOMER
ACCOUNT RECOVERY
IN A 2FA WORLD
© 2020 TWILIO INC. ALL RIGHTS RESERVED.
👋 🔐
Kelley Robinson
@kelleyrobinson
© 2019 TWILIO INC. ALL RIGHTS RESERVED.
LIFE. HAPPENS.
What is Account Recovery?
• Replacing factors to which the user has lost access
• Proving identity to gain access to an existing account
Account recovery is, in essence, a
bypass of the main account security
protocols, and therefore should be
treated as an alternative
authentication system.
Mark Loveless | Decipher, 2018
Average cost of a support call for account recovery:
$40 - $70/call
Source: Best Practices: Selecting, Deploying, and Managing Enterprise Password Managers, Forrester Research 2018
AUTHENTICATION FACTOR TRADEOFFS
INHERENCE, e.g. Face ID
POSSESSION, e.g. a mobile phone
KNOWLEDGE, e.g. a password
KNOWLEDGE
Examples
Passwords, security questions, account details
Pros
Common, easy to implement, easy to onboard
Cons
Answers can be leaked or researched,
humans are forgetful
INHERENCE
Examples
Fingerprint, voice recognition, keystroke analysis
Pros
Can't lose or forget, easy to use
Cons
Can't reset or replace
POSSESSION
Examples
Mobile phone, backup codes, hardware tokens
Pros
Can use common devices, some are not phishable
Cons
Humans lose and replace things,
harder to set up
🤔 Backup codes
Example backup codes, real messaging
Pros
Not reused like passwords, usually
hard to brute force
Cons
Easy to lose, no standard way to store
https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
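As an added example (not code from the talk or from the Medium post linked above), the server side of a backup-code scheme that delivers the properties listed: each code is single-use, codes are random enough that guessing is impractical once attempts are limited, and the server stores only salted hashes. The alphabet, code length, code count and failure limit are constructed choices, not a standard.

```python
"""Server side of a backup-code scheme.

Added example, not code from the talk or from the Medium post it links.
Alphabet, length, count and the failure limit are constructed choices.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"  # no 0/o/1/i/l lookalikes
CODE_LEN = 8          # 31^8 is roughly 2^40 possibilities per code
CODE_COUNT = 10
MAX_FAILURES = 5      # stop accepting codes after this many misses


def normalize(code: str) -> str:
    """Accept the code as users type it: any case, with or without dashes."""
    return "".join(ch for ch in code.lower() if ch.isalnum())


def digest(user_id: str, code: str) -> bytes:
    """Salt with the user id so equal codes on two accounts never share a hash."""
    return hashlib.sha256(f"{user_id}:{normalize(code)}".encode()).digest()


@dataclass
class BackupCodeStore:
    """What the server persists for one user: hashes only, never plaintext."""
    user_id: str
    hashes: set = field(default_factory=set)
    failures: int = 0

    def issue(self) -> list:
        """Mint a fresh set; the plaintext is shown once and then discarded."""
        codes = ["".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
                 for _ in range(CODE_COUNT)]
        self.hashes = {digest(self.user_id, c) for c in codes}
        self.failures = 0
        return [f"{c[:4]}-{c[4:]}" for c in codes]   # display form

    def redeem(self, code: str) -> bool:
        """Consume one code. Succeeds at most once per code; misses are counted."""
        if self.failures >= MAX_FAILURES:
            return False                      # locked: needs another recovery path
        candidate = digest(self.user_id, code)
        matched = None
        for stored in self.hashes:            # check every entry, constant time each
            if hmac.compare_digest(stored, candidate):
                matched = stored
        if matched is None:
            self.failures += 1
            return False
        self.hashes.remove(matched)           # single-use: burn it
        self.failures = 0
        return True

    def remaining(self) -> int:
        return len(self.hashes)
```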
RECOVERY EXAMPLES
https://us.etrade.com/security-center/securityid
E*Trade
• Uses Symantec Security ID
• Requires that you contact customer
support to update the 2FA when you
get a new phone
• Limited authentication on the phone
Authy
• Two factors required for account recovery
• 1-4 day waiting period
• Adaptive auth with stronger requirements
depending on the lost factor
GitHub
• Recovery tokens at setup
• Fallback options (SMS, Facebook
"recover accounts elsewhere")
• Access tokens, SSH Keys
GitHub Support: Recovering your account if you lose your 2FA credentials
Recover accounts elsewhere
• Anecdotally: fork the account then after a 6 month
waiting period, you can reclaim your dormant username
Facebook
• Uses existing "friends" feature for
trusted contact recovery
Facebook Trusted Contacts
RECOMMENDATIONS
✅ Do
Require users to register
more factors than they need
to log in
✅ Do
Design your recovery process
based on the value your
business is protecting
"It is mainly time, and not money,
that users risk losing when
attacked. It is also time that
security advice asks of them."
Cormac Herley | The Rational Rejection of Security Advice by Users (2016)
✅ Do
Be intentional about whether, and
for whom, you allow 2FA resets
Add guardrails for agents 😬
✅ Do
Remind users about
recovery options
twitter.com
✅ Do
Remind users about 2FA before
common phone change times,
e.g. holidays and new iPhone releases
✅ Do
Force users to complete one
successful 2FA challenge before
enabling 2FA

TABLE I: LABORATORY STUDY SUCCESS RATES (N=31)

                                                          Count     %
Google
  Success                                                    26   83%
    Correctly identified completion                          22   70%
  Failure                                                     5   16%
Facebook
  Success                                                    10   32%
    Correctly identified completion                           6   19%
  Failure                                                    21   67%
    Registered YubiKey without enabling 2FA                  12   38%
Windows 10
  Success                                                    12   38%
    Set up the Windows Logon Authorization Tool               5   16%
    Set up YubiKey for Windows Hello                          7   22%
  Failure                                                    19   61%
    Failed to set up the Windows Logon Authorization Tool     9   29%
    Failed to set up YubiKey for Windows Hello                5   16%
    Locked out of the computer                                6   19%

Source: https://isrl.byu.edu/pubs/sp2018.pdf
✅ Do
Add waiting periods for
sensitive recoveries
GitHub Account Recovery
https://exchange.gemini.com/signin/forgot
❌ Don't
Only use one factor for
account recovery
❌ Don't
Deactivate 2FA on
account recovery
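The Authy model described earlier (two factors for recovery, a 1-4 day waiting period, stronger requirements depending on which factor was lost) combined with the Do and Don't recommendations, as an added example that is not code from the talk or from Authy, GitHub or Twilio. The factor catalogue, strength scores and waiting periods are constructed illustrations; the decision never turns 2FA off, it only governs how a lost factor gets replaced.

```python
"""Adaptive account-recovery policy.

Added example, not code from the talk or from Authy, GitHub or Twilio.
The factor catalogue, strength scores and waiting periods are constructed
to illustrate the slides: require two factors for recovery, never fall
back to a single factor, wait longer for sensitive recoveries, scale the
process to the value being protected, and never switch 2FA off.
"""
from dataclasses import dataclass
from datetime import timedelta

# Constructed catalogue: factor -> (type, relative strength). Strength is a
# rough resistance-to-compromise score used to judge how sensitive the
# loss of a given factor is; it is not a standard scale.
FACTORS = {
    "password":        ("knowledge",  1),
    "sms":             ("possession", 1),
    "trusted_contact": ("possession", 1),
    "totp_app":        ("possession", 2),
    "backup_codes":    ("possession", 2),
    "security_key":    ("possession", 3),
}

# Constructed waiting periods by (account value, strength of the lost
# factor). Losing a strong factor on a high-value account waits longest,
# mirroring the 1-4 day range the Authy slide describes.
WAITING_PERIOD = {
    "high": {1: timedelta(days=1), 2: timedelta(days=2), 3: timedelta(days=4)},
    "low":  {1: timedelta(0),      2: timedelta(days=1), 3: timedelta(days=1)},
}

LOGIN_FACTOR_COUNT = 2  # password plus one second factor


@dataclass(frozen=True)
class RecoveryDecision:
    allowed: bool
    required_factors: tuple      # what the user must prove right now
    waiting_period: timedelta    # delay before the lost factor is replaced
    keep_2fa_enabled: bool       # recovery replaces a factor, never removes 2FA
    reason: str


def has_recovery_headroom(registered) -> bool:
    """'Register more factors than you need to log in': at least one spare."""
    return len(set(registered)) > LOGIN_FACTOR_COUNT


def plan_recovery(registered, lost, account_value="high") -> RecoveryDecision:
    """Decide how a user may replace the factor `lost` using what remains."""
    registered = set(registered)
    if lost not in registered:
        return RecoveryDecision(False, (), timedelta(0), True,
                                "lost factor is not registered on this account")
    remaining = registered - {lost}
    # "Don't only use one factor": with fewer than two independent factors
    # left there is no self-service path; hand off to assisted recovery,
    # which has its own agent guardrails, rather than weakening the check.
    if len(remaining) < 2:
        return RecoveryDecision(False, (), timedelta(0), True,
                                "fewer than two factors remain; route to assisted recovery")
    # Strongest remaining factor first; ties broken by name for determinism.
    ranked = sorted(remaining, key=lambda f: (-FACTORS[f][1], f))
    first = ranked[0]
    # Prefer a second factor of a different type so a single compromised
    # device or secret cannot satisfy both challenges.
    other_type = [f for f in ranked[1:] if FACTORS[f][0] != FACTORS[first][0]]
    second = other_type[0] if other_type else ranked[1]
    delay = WAITING_PERIOD[account_value][FACTORS[lost][1]]
    return RecoveryDecision(
        True, (first, second), delay, True,
        f"verify {first} and {second}, then wait {delay} before enrolling a replacement",
    )
```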
❌ Don't
Give up on 2FA
https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
THANK YOU!
@KELLEYROBINSON

Identiverse 2020 - Account Recovery with 2FA

  • 1. KELLEY ROBINSON | TWILIO DESIGNING CUSTOMER ACCOUNT RECOVERY IN A 2FA WORLD
  • 2. © 2020 TWILIO INC. ALL RIGHTS RESERVED. 👋"🔐 Kelley Robinson @kelleyrobinson
  • 3. © 2019 TWILIO INC. ALL RIGHTS RESERVED. LIFE. HAPPENS.
  • 4. © 2019 TWILIO INC. ALL RIGHTS RESERVED. What is Account Recovery? • Replacing factors which lost access • Proving identity to gain access to an existing account
  • 5. © 2019 TWILIO INC. ALL RIGHTS RESERVED. Account recovery is, in essence, a bypass of the main account security protocols, and therefore should be treated as an alternative authentication system. Mark Loveless | Decipher, 2018
  • 6. Average cost of a support call for account recovery:
 $40 - $70/call © 2019 TWILIO INC. ALL RIGHTS RESERVED. Source: Best Practices: Selecting, Deploying, and Managing Enterprise Password Managers, Forrester Research 2018
  • 7. © 2019 TWILIO INC. ALL RIGHTS RESERVED. INHERENCE i.e. face ID POSSESSION i.e. mobile phone KNOWLEDGE i.e. password AUTHENTICATION FACTOR TRADEOFFS
  • 8. KNOWLEDGE. Examples: passwords, security questions, account details. Pros: common, easy to implement, easy to onboard. Cons: answers can be leaked or researched; humans are forgetful.
  • 9. INHERENCE. Examples: fingerprint, voice recognition, keystroke analysis. Pros: can't lose or forget, easy to use. Cons: can't reset or replace.
  • 10. POSSESSION. Examples: mobile phone, backup codes, hardware tokens. Pros: can use common devices; some are not phishable. Cons: humans lose and replace things; harder to set up.
  • 11. 🤔 Backup codes. Example backup codes, real messaging. https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
  • 12. 🤔 Backup codes. Pros: not reused like passwords, usually hard to brute force. Cons: easy to lose, no standard way to store. https://medium.com/@alsmola/backup-codes-and-back-doors-12f20dc4829
  • 13. RECOVERY EXAMPLES
  • 14. E*Trade (https://us.etrade.com/security-center/securityid) • Uses Symantec Security ID • Requires that you contact customer support to update the 2FA when you get a new phone • Limited authentication on the phone
  • 15. Authy • Two factors required for account recovery • 1-4 day waiting period • Adaptive auth with stronger requirements depending on the lost factor
  • 16. GitHub • Recovery tokens at setup • Fallback options (SMS, Facebook "Recover accounts elsewhere") • Access tokens, SSH keys. See GitHub Support: Recovering your account if you lose your 2FA credentials. • Anecdotally: fork the account, then after a 6 month waiting period you can reclaim your dormant username
  • 17. Facebook • Uses the existing "friends" feature for trusted contact recovery (Facebook Trusted Contacts)
  • 18. RECOMMENDATIONS
  • 19. ✅ Do: Require users to register more factors than they need to log in
  • 20. ✅ Do: Design your recovery process based on the value your business is protecting
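Slides 11 and 12 list what makes backup codes work (single use, not reused like passwords, hard to brute force) and what makes them fragile (easy to lose, no standard way to store them). The following is an added example, not code from the talk or from Twilio or Authy, showing one way to issue and redeem such codes on the server side: codes are drawn from a 30-symbol alphabet with `secrets`, only salted SHA-256 digests are kept, each code is consumed on first use, and redemption locks after a handful of failed guesses. The alphabet, code length and attempt limit are assumptions chosen for the example.

```python
import hashlib
import hmac
import math
import secrets
from dataclasses import dataclass, field

# Assumed alphabet for this example: 30 symbols, with 0/O and 1/I/L left out
# so a code survives being written on paper and typed back later.
ALPHABET = "ABCDEFGHJKMNPQRSTVWXYZ23456789"
CODE_LEN = 10
MAX_FAILED_ATTEMPTS = 5   # assumed lockout threshold for this example


def code_entropy_bits(length=CODE_LEN, alphabet=ALPHABET):
    """Bits of entropy in one code: 10 symbols from 30 is about 49 bits,
    which is why backup codes resist online brute force even on their own."""
    return length * math.log2(len(alphabet))


def _normalize(code):
    """Accept codes typed with or without the dash or spaces, in any case."""
    return code.replace("-", "").replace(" ", "").upper()


def _digest(salt, code):
    # High-entropy codes do not need a slow password hash; a salted SHA-256
    # stops a leaked table from being a usable list of codes.
    return hashlib.sha256(salt + _normalize(code).encode()).hexdigest()


@dataclass
class BackupCodeStore:
    """Server-side record for one account: digests only, never the codes."""
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    digests: set = field(default_factory=set)
    failed_attempts: int = 0

    def issue(self, count=10):
        """Mint a fresh set and return the plaintext codes for one-time display.
        Re-issuing replaces the old set, so stale printouts stop working."""
        self.digests.clear()
        codes = []
        for _ in range(count):
            raw = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
            codes.append(f"{raw[:5]}-{raw[5:]}")
            self.digests.add(_digest(self.salt, raw))
        return codes

    def redeem(self, code):
        """Consume a code. Each code works once; repeated wrong guesses lock
        this channel until the account goes through a stronger recovery path."""
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return False
        candidate = _digest(self.salt, code)
        match = None
        for stored in self.digests:          # compare against every digest
            if hmac.compare_digest(stored, candidate):
                match = stored
        if match is None:
            self.failed_attempts += 1
            return False
        self.digests.discard(match)          # single use: burn it
        self.failed_attempts = 0
        return True

    def remaining(self):
        return len(self.digests)
```

The plaintext list returned by `issue()` is shown to the user exactly once; what the store keeps cannot be turned back into codes, and the lockout means a guesser gets a few tries against roughly 2^49 possibilities, not unlimited ones.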
  • 21. "It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them." Cormac Herley | So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (NSPW 2009)
  • 22. ✅ Do: Be intentional about if, and to whom, you allow 2FA resets. Add guardrails for agents 😬
  • 23. ✅ Do: Remind users about recovery options (example: twitter.com)
  • 24. ✅ Do: Remind users about 2FA before common phone change times, e.g. holidays, new iPhone releases
  • 25. ✅ Do: Force users to complete one successful 2FA challenge before 2FA is enabled. Evidence from the BYU YubiKey usability study (https://isrl.byu.edu/pubs/sp2018.pdf), TABLE I, LABORATORY STUDY SUCCESS RATES, N=31:
        Google
          Success                                          26   83%
            Correctly identified completion                22   70%
          Failure                                           5   16%
        Facebook
          Success                                          10   32%
            Correctly identified completion                 6   19%
          Failure                                          21   67%
            Registered YubiKey without enabling 2FA        12   38%
        Windows 10
          Success                                          12   38%
            Set up the Windows Logon Authorization Tool     5   16%
            Set up YubiKey for Windows Hello                7   22%
          Failure                                          19   61%
            Failed to set up the Windows Logon Authorization Tool   9   29%
            Failed to set up YubiKey for Windows Hello      5   16%
            Locked out of the computer                      6   19%
  • 26. ✅ Do: Add waiting periods for sensitive recoveries
  • 27. Example: GitHub account recovery
  • 28. Example: Gemini, https://exchange.gemini.com/signin/forgot
  • 29. ❌ Don't: Only use one factor for account recovery
  • 30. ❌ Don't: Deactivate 2FA on account recovery
  • 31. ❌ Don't: Give up on 2FA. https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
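The recommendations above (register more factors than a login needs, turn 2FA on only after one successful challenge, require two remaining factors and a waiting period for recovery, put guardrails on agent resets, never fall back to a single factor or switch 2FA off) compose into one policy, and the Authy slide describes making that policy adaptive to which factor was lost. Here is an added example, not code from the talk or from Twilio, Authy or any service named in the deck, that encodes those rules as a small state machine. The factor strength scale, the per-tier waiting periods, the extra wait for losing a strong factor and the two-approver rule for agents are assumptions for illustration, not any vendor's real values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum


class Kind(Enum):
    KNOWLEDGE = "knowledge"
    POSSESSION = "possession"
    INHERENCE = "inherence"


@dataclass(frozen=True)
class Factor:
    id: str
    kind: Kind
    strength: int           # assumed scale: 1 password/SMS, 2 TOTP/backup codes, 3 FIDO2 key
    verified: bool = False  # user completed one successful challenge at setup


@dataclass
class Account:
    tier: str = "standard"  # what the account protects drives how strict recovery is
    factors: dict = field(default_factory=dict)
    two_factor_enabled: bool = False


@dataclass
class RecoveryRequest:
    lost: str
    earliest_completion: datetime
    agent_initiated: bool


class RecoveryError(Exception):
    pass


# Assumed waiting periods for this example (the talk cites 1-4 days for Authy).
BASE_WAIT = {"standard": timedelta(days=1), "high_value": timedelta(days=4)}
STRONG_FACTOR_EXTRA_WAIT = timedelta(days=2)
AGENT_APPROVALS_REQUIRED = 2          # guardrail: one agent alone cannot reset 2FA
EXAMPLE_NOW = datetime(2020, 6, 1, tzinfo=timezone.utc)


def days(n):
    return timedelta(days=n)


def register_factor(account, factor):
    account.factors[factor.id] = factor


def enable_2fa(account):
    """Turn 2FA on only when the user holds more second factors than a login
    needs and every one of them has passed a real challenge."""
    second = [f for f in account.factors.values() if f.kind is not Kind.KNOWLEDGE]
    if len(second) < 2:
        raise RecoveryError("register at least two second factors before enabling 2FA")
    unverified = [f.id for f in second if not f.verified]
    if unverified:
        raise RecoveryError(f"factors never challenged successfully: {unverified}")
    account.two_factor_enabled = True


def start_recovery(account, lost_id, proven_ids, now, agent_initiated=False):
    """Recovery replaces one lost factor. The user must prove two remaining
    factors of different kinds whose combined strength covers the lost one;
    losing a strong factor lengthens the wait (adaptive, per the Authy slide)."""
    if lost_id not in account.factors:
        raise RecoveryError("unknown factor")
    lost = account.factors[lost_id]
    proven = [account.factors[p] for p in proven_ids
              if p in account.factors and p != lost_id]
    if len(proven) < 2 or len({f.kind for f in proven}) < 2:
        raise RecoveryError("prove two remaining factors of different kinds")
    if sum(f.strength for f in proven) < lost.strength:
        raise RecoveryError("proven factors are weaker than the one being replaced")
    wait = BASE_WAIT[account.tier]
    if lost.strength >= 3:
        wait += STRONG_FACTOR_EXTRA_WAIT
    return RecoveryRequest(lost_id, now + wait, agent_initiated)


def complete_recovery(account, request, replacement, now, agent_approvals=0):
    """Swap the lost factor for a verified replacement. 2FA is never switched
    off along the way, so the account is not downgraded to one factor."""
    if now < request.earliest_completion:
        raise RecoveryError("waiting period has not elapsed")
    if request.agent_initiated and agent_approvals < AGENT_APPROVALS_REQUIRED:
        raise RecoveryError("agent-initiated reset needs a second approver")
    if not replacement.verified:
        raise RecoveryError("replacement factor must pass a challenge before it counts")
    del account.factors[request.lost]
    account.factors[replacement.id] = replacement
    return account.two_factor_enabled   # still True after recovery
```

The shape worth copying is that recovery never has a "disable 2FA" outcome: the only exit is a replacement factor that has itself been challenged, after a delay the legitimate owner can notice and cancel, and with a second person in the loop when a support agent started it.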