2FA in 2020
...and Beyond!
@kelleyrobinson
© 2019 TWILIO INC. ALL RIGHTS RESERVED.
https://twitter.com/troyhunt/status/1229550289620889601
haveibeenpwned.com
2FA in 2020 and Beyond
Kelley Robinson
COST OF ACCOUNT TAKEOVER (ATO)
Source: Javelin Strategy & Research, 2019
[Bar chart: ATO fraud cost per year, 2011 through 2018, in U.S. dollars (billions); y-axis $1B to $6B. Bar values as extracted, not attributable to individual years: $4.0, $5.1, $2.3, $1.5, $3.9, $3.9, $5.0, $3.1]
ATO FRAUD COST: $4.0 BILLION IN 2018
AUTHENTICATION FACTORS
INHERENCE, e.g. Face ID
POSSESSION, e.g. a mobile phone
KNOWLEDGE, e.g. a password
SMS One-time Passwords
✅ Easiest user onboarding
✅ Familiar
❌ SS7 attacks
❌ SIM swapping
Example message shown on the slide: "Your Owl Bank verification code is: 7723"
Verdict: Convenient but insecure
Soft Tokens (TOTP)
🔸 Symmetric key crypto
✅ Available offline
✅ Open standard
❌ App install required
❌ Expiration UX
Verdict: Pretty good option but not perfect
Pre-generated Codes
✅ Easy to use
❌ Storage
❌ Doesn't "feel" secure
Example codes shown on the slide:
341BHOzg
7JbR2ku9
wiqNc7g0
6R20ClN5
B4CxTYs6
Verdict: Option for backups, less practical for ongoing use
Push Authentication
✅ Action context
✅ Denial feedback
✅ Asymmetric key crypto
✅/❌ Low friction (both a strength and a weakness)
🔸 Proprietary
Verdict: Convenient and secure, but maybe too convenient?
U2F / WebAuthn
✅ Phishing resistant
✅ Asymmetric key crypto
✅ Open standard
❌ Distribution & cost
❌ New technology
Verdict: Secure but not always convenient. Will become more common.
A USABILITY STUDY OF FIVE TWO-FACTOR AUTHENTICATION METHODS (2019)
https://www.usenix.org/system/files/soups2019-reese.pdf
1. SMS
2. TOTP
3. Pre-generated codes
4. Push
5. U2F Security Keys
FACTOR SETUP (GOOGLE)
🏅 Pre-generated codes had the fastest setup
Caveat: code storage was not considered for timing
Source: https://www.usenix.org/system/files/soups2019-reese.pdf

Excerpt from the paper as shown on the slide (begins mid-sentence):
[...] phone, while others said they would write down the codes and keep them in a safe place. For timing data, we measured from the time the participant began the task to the time the backup codes were displayed on the screen. Even though we asked participants how they would store the backup codes, we did not include the time taken to store codes in the setup time for backup codes since the time to store the codes varies widely depending on the storage method chosen.
Push. Push notifications require that the phone is signed in to the user's Google account. The phone provided to participants was already signed in, based on the assumption that the typical Google user would already be signed in to their Google account on their phone. When a phone is online, has screen locking enabled, and is connected to the Google account, Google sends a push notification that can be approved by unlocking the phone and tapping "Yes" on the notification.
U2F Security Key. We provided participants with a YubiKey NEO. Google directed participants to insert the security key into an open USB port, and then to tap the gold button on the key. Before the device could be recognized, participants were required to dismiss an alert from the browser asking for permission to see the U2F device's make and model. Whether or not a user allows or denies this request, the U2F device is registered and optionally given a name. Since this is optional, we excluded the time taken to name the device.
[Figure 4: Setup time for five 2FA methods. Only two rows of the figure's table survived extraction, without column headings: TOTP 73.3 84.0 109.6 120.0; U2F 31.8 44.0 57.8 67.8. The slide also shows the heading of section 7.2, SEQ Scores.]
FACTOR SETUP (CROSS-PLATFORM)
😬 YubiKey: setup success varied a lot based on platform
More people locked themselves out of their computer than successfully set up YubiKey for the Windows Logon Authorization Tool
74% requested better documentation
Source: https://isrl.byu.edu/pubs/sp2018.pdf

TABLE I: LABORATORY STUDY SUCCESS RATES (N = 31)
Google
  Success                                                26   83%
  Correctly identified completion                        22   70%
  Failure                                                 5   16%
Facebook
  Success                                                10   32%
  Correctly identified completion                         6   19%
  Failure                                                21   67%
  Registered YubiKey without enabling 2FA                12   38%
Windows 10
  Success                                                12   38%
  Set up the Windows Logon Authorization Tool             5   16%
  Set up YubiKey for Windows Hello                        7   22%
  Failure                                                19   61%
  Failed to set up the Windows Logon Authorization Tool   9   29%
  Failed to set up YubiKey for Windows Hello              5   16%
  Locked out of the computer                              6   19%
FACTOR USABILITY (GOOGLE)
🏅 U2F & Push had the fastest median authentication times
Compared to SMS [Duo research]:
• Push saves a user 13 minutes annually
• U2F saves a user 18.2 minutes annually
Sources: https://www.usenix.org/system/files/soups2019-reese.pdf; Duo 2019 State of the Auth Report

Excerpt from the paper as shown on the slide (cut off at both ends):
[Table rows without column headings: Push 0.029 -0.204 113 (-0.374, -0.020); U2F <0.003 -0.269 118 (-0.429, -0.093); Codes 0.426 -0.076 110 (-0.260, 0.113)]
[...] understand their background and feelings about online security. With the consent of each participant, we recorded the audio of each interview. Two coders listened to the recordings and coded each interview, discussing each response until reaching agreement. Common themes identified from the recordings are discussed in section 5.2.
4.8 Compensation
Participants were compensated a maximum of 25 USD after their participation in the study according to a tiered compensation structure based on the total number of tasks completed through the banking interface.
5 Two-week Study Results
5.1 Quantitative Results
5.1.1 Timing Data
We measured both the time for the password login and the time [...]
[Figure 2: Time to authenticate for five 2FA methods]
FACTOR USABILITY (GOOGLE)
🏅 TOTP scored the highest System Usability Scale (SUS) score for a 2nd factor
📉 U2F & Push: "Faster authentication does not necessarily mean higher usability"
[Figure 3: SUS scores for five 2FA methods.]
Source: https://www.usenix.org/system/files/soups2019-reese.pdf
SMS 2FA is still better than no 2FA

SMS 2FA: 2019 Google study found SMS 2FA effectively blocks:
• 100% of automated bots
• 96% of bulk phishing attacks
• 76% of targeted attacks

PUSH AUTHENTICATION: 2019 Google study found Push 2FA effectively blocks:
• 100% of automated bots
• 99% of bulk phishing attacks
• 90% of targeted attacks
Source: https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
2FA ADOPTION
2019 BYU study found (https://www.usenix.org/system/files/soups2019-reese.pdf):
• Believe extra security is worth additional time or inconvenience
• Willing to use 2FA depending on the account
• Unwilling to use 2FA because the inconvenience is too high
Percentages shown on the slide, in the same order: 29%, 36%, 13%
Perceived value of 2FA
“I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it.”
Research participant | A Usability Study of Five Two-Factor Authentication Methods
2FA ADOPTION (2017 VS. 2019)
Source: Duo 2019 State of the Auth Report
[Bar chart, 0% to 100%, values as read off the bars]
                 2017    2019
Heard of 2FA     44%     77%
Used 2FA         28%     53%
How to drive adoption of MFA
[Spectrum on the slide from 0% to 100% adoption, left to right:]
• profile settings
• login prompt
• product incentives
• required
Annotation on the slide: "really annoying & persistent login prompt"
2FA GOOGLE SEARCH INTEREST OVER TIME (US)
Source: Google Trends
[Line chart: search interest for "2FA" in the US, 2014 through 2020. A second copy of the chart annotates a spike with "TechCrunch: Epic Games 2FA".]
MEASURING SUCCESS
😈 Number of compromised accounts ⬇
ℹ Support costs relative to losses ⬇
💰 Losses due to account takeover ⬇
😃 User satisfaction ⬆

Delight your most security conscious users.
Provide options for the rest.
“When we exaggerate all dangers we simply train users to ignore us.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)

THANK YOU
References
• A Usability Study of Five Two-Factor Authentication Methods (2019): https://www.usenix.org/system/files/soups2019-reese.pdf
• A Tale of Two Studies: The Best and Worst of YubiKey Usability (2018): https://isrl.byu.edu/pubs/sp2018.pdf
• Javelin Strategy & Research, 2019
• Duo 2019 State of the Auth Report
• New research: How effective is basic account hygiene at preventing hijacking (Google Security Blog, 2019): https://security.googleblog.com/2019/05/new-research-how-effective-is-basic.html
• Google Trends: 2FA (US)
• TechCrunch: Epic Games 2FA
