
2FA in 2020 and Beyond

BSidesSF 2020 · 23:42 · 177 views · Published 2020-03
Speaker: Kelley Robinson
Category: Technical
Difficulty: Intro
Style: Talk
About this talk
Kelley Robinson surveys the modern landscape of two-factor authentication methods (SMS, soft tokens, push authentication, and WebAuthn), comparing their cryptographic security, usability, and user adoption. Drawing on data-driven research, the talk explores real-world tradeoffs between friction and protection, showing how SMS 2FA blocks 96% of bulk phishing attacks while faster methods like push authentication and security keys improve both speed and security.
Original YouTube description
Kelley Robinson - 2FA in 2020 and Beyond. This talk will explore the modern landscape of 2FA. With a data-driven analysis of the tradeoffs between different types of factors, we'll dive into a detailed comparison of cryptographic security strength and UX for methods like SMS, Soft Tokens, Push Authentication, and WebAuthn.
Transcript [en]

Today we have a really great talk on two-factor authentication by Kelley Robinson. She works in the account security team at Twilio, helping developers manage and secure customer identity in their software applications. Please give her your respect and attention throughout her whole talk.

Awesome, thank you. Thank you all for joining. Apparently there was a mild projector issue earlier, so we're here now. I'm gonna go a little bit over my time, a little bit after three, just so you know what to expect. So I've been thinking about this a lot in this last week. This was something that the security researcher Troy Hunt tweeted last week. For those of you that might not be familiar with Troy, he is the researcher behind the website haveibeenpwned.com. Who here uses that website? For those of you that did not raise your hand, definitely recommend checking this out later. It's a service that compiles data breach information and lets you know if your email address or password has been seen in a data breach. But I think this is a really interesting take, because in 2020 the reality is we're so owned right now that we expect legitimate email addresses to have been seen in a data breach, right? We expect that you would have gotten owned at some point. I know I certainly have; I'm guessing, if you're not lying, most of you also have as well. And that's not your fault, right? Like, it's a scary world out there, and while this isn't a talk about data storage security, you know, there's still a lot of insecure password usage out there, and Troy Hunt's project proves that, as much as we'd like to believe otherwise, simple passwords like 123456 are still being used a lot. That password has been seen over 23 million times in data breaches and it's still incredibly common. So this is what we're here to discuss today: this reality where we're so owned that passwords are no longer enough, how two-factor authentication, or 2FA, can help us stay more secure and help keep our companies and our customers more secure, and how we can evaluate all the different options available for 2FA.

So my name is Kelley Robinson, I work at Twilio. If you haven't come say hi at our booth, please do after this. If you are familiar with Authy, the 2FA app: Twilio acquired Authy five years ago, and I work on the part of the business that includes Authy, our account security team. So I work on our APIs for things like phone and email verification and two-factor authentication, and I also spend a good amount of my time educating developers about security, and especially identity and authentication concepts. And so this talk is going to incorporate a lot of the things I have learned in the last two-and-a-half years working there and working with our customers on their authentication challenges.

The failure of good authentication often results in account takeover, and according to Javelin Strategy and Research from 2019, this is a four billion dollar industry problem. And so this is why people are incentivized, the industry is incentivized, to solve this, because this is costing businesses a lot of money; it's costing people a lot of pain to have their account broken into. So there's a lot of incentives to fix this problem. And one of the ways that we have classically authenticated people into our systems is with these different types of factors. Primarily we're using the knowledge factor to prove your identity, and so this is the authentication factor that is something that you know, like a password. But in order to keep us more secure we want to start adding additional factors. Anything that uses two or more of these different factors is what's known as two-factor authentication, and so you, in addition to the knowledge factor, also have the possession factor, which is something you have, like a mobile phone or a security key, and the inherence factor, which is like biometric data, like Face ID. Because we're focusing on the second factor, all the things that we're going to talk about today have to do with this possession factor, and that's just because these are some of the most common types of 2FA available right now that we're going to be focusing on.

So let's talk about the different factors that we have available and talk about some of the benefits and downsides to these different factors, starting with everyone's favorite: SMS-based one-time passwords. And so one of the reasons that people like this factor is because it's easy to onboard your customers. According to a recent Pew study, 99 percent of Americans have a mobile phone capable of receiving text messages, and that's huge. This makes companies want to add this channel because it's really easy to onboard your users; you don't have to make them do anything special, they already are capable and familiar with receiving these one-time codes via SMS. This is a factor that's been around for over a decade and it's become so popular that people are familiar with this factor and are willing to use it. However, this is not a secure delivery mechanism for one-time passcodes. It's subject to man-in-the-middle attacks. People can get access to the codes that are being sent to you because SMS is not an encrypted channel, and there are ways that people can get access to those messages. One way that they can do that is through SS7 vulnerabilities. SS7 is the Signaling System 7, and to condense an explanation of the vulnerability there, it basically is a vulnerability in the inter-carrier telecom switching that allows people to impersonate a carrier in order to get your messages routed to them. And so if I'm roaming, a carrier in another country, or someone impersonating a carrier in another country, can say, hey, Kelley's actually in Colombia right now, why don't you send her messages to us, and that allows them to get access to my text messages. But arguably the more common thing that we're seeing right now is what's known as SIM swapping, and this is when people use social engineering, or perhaps bribery of telecom agents, to get access to my SIM card. So if you want to call up Verizon and tell them, hey, I'm Kelley and I would like you to send a new SIM card to this address, or you go into a store and bribe an agent or successfully impersonate me in person, then you can get access to my text messages that way, and all of a sudden I'm cut off from everything that's being sent to my number. So SMS is a super convenient option, but it's not very secure.

Another method that we have available is what's known as soft tokens, or TOTP, which stands for time-based one-time passcodes. These are a way to generate tokens based on an algorithm. The inputs to that algorithm are a secret key, a shared symmetric secret key, and the system time, and those get put through a one-way function that pops out a truncated token. Symmetric key cryptography offers increased security compared to SMS, but if someone gets access to that shared secret then the method is easily compromised. At a previous job we had 2FA turned on for some of these shared engineering accounts, but we shared the QR code in the engineering Slack channels so that when new people joined the team they could scan that and get a TOTP on their phone. This is not a horrible situation, but this is an example of how this type of factor could get compromised, because it's not device specific, it's not person specific, and so there is the ability for these types of secrets to be leaked. But it offers some distinct advantages, because it's an algorithm that basically uses simple math and the inputs do not require an internet connection; this is available offline. And it's also an open standard, so while this does require you to download an app, there's multiple apps that have implemented this standard. So anywhere that you see "Google Authenticator", like "scan it with Google Authenticator", you can scan that with Duo, you can scan that with Authy, you can scan that with the TOTP app of your choice. Unfortunately this does require the app download, and in a recent study of token usability they found that two-thirds of participants who used TOTP had issues entering the token before it expired, and so there might be some concerns about the usability there because of the expiration user experience. So this is a pretty good option, but it's not perfect. But we see a lot of security-conscious companies moving and adding TOTP as an option in order to delight their more security-conscious users.

Another thing that I want to mention, because this is used in a study that I'm going to reference later, is the idea of pre-generated codes. And so this is something that a website would generate, a set of usually backup tokens for you, and you would store those somewhere, up to you, and then you can use those in replacement of your 2FA methods. So this is easy to use; however, if anybody has ever implemented backup tokens or worked at a company that had backup tokens, you know that your users never store these. You know, they don't remember where they stored them, or if they emailed them to themselves, or if they ever noticed that this was an option, that they could store the backup tokens to begin with. So this is a challenging thing because there isn't a standard way to give users to store the backup tokens, and 25% of users in the study that I mentioned said that when they used the backup token it didn't really feel like added security on top of just a password. So this is an option for backups; we'll debate later if it's a good option for backups, but it's less practical for ongoing use.

Push authentication is another channel for two-factor authentication that we're seeing more popularized in recent years because of Duo Authenticator. And so users like this because it's so low friction: you can approve or deny a login request from your Apple Watch or from your phone. And it also uses asymmetric key cryptography, which uses two tokens, one of which, the private key, is only stored on your device, so it's device specific, it's user specific. It doesn't have the same shared secret leaking potential that TOTP has; you don't have to worry about that secret leaking like you might with TOTP. And this is the only form of 2FA that really offers denial feedback. So with the other ones, if you don't recognize that message, there's nothing that you can do about the fact that you're getting this request for 2FA login. However, with push authentication you can build in actions based on denial, based on the fact that you might think somebody's trying to compromise an account. Unfortunately, this is so low friction that one of the common arguments against push authentication is that people see it as too easy to accidentally approve a request. So in the middle of the night, if somebody is trying to phish you, you might accidentally approve that request without meaning to, just to make your phone stop buzzing. I haven't found any research about how common that actually is, but that is something that people note as a concern with push authentication. But one of the notable downsides to push is that it does require a special proprietary app. That could be built into your application if you are a mobile-first company or a company with a lot of mobile users; we've seen Google start to do this with any of the Google apps, they use it as the push authenticator to approve login requests from other devices. But you might also use something like Duo or like Authy in order to approve those requests, and this does require that somebody have an application of any kind on their phone, and users aren't always willing to download another app. So it seems great, it's cryptographically secure, but it might be too convenient, and there is the downside of getting people to download the additional application. This also will require some additional dev work that might be slightly more complicated than the adding of 2FA via SMS or TOTP.

Finally, I want to talk about U2F, universal second factors, and WebAuthn. WebAuthn is part of the new FIDO2 spec that is including a path towards a passwordless future. We're not talking about these as a password replacement right now; we're talking about these as password augmentation, as the second factor, and so I combined these to basically talk about things like security keys, like the Titan keys that Google's giving away. And these are great because they're phishing resistant: you don't have the ability to get those man-in-the-middle attacks. It uses asymmetric key cryptography, so it's tied both to the site specifically and to the device that you are using and authenticating from. But it's also an open standard, like TOTP, which means that a lot of people can go and implement the spec and add an authenticator that is compatible with WebAuthn. The biggest drawback right now is that this is kind of a new thing; not everybody has implemented WebAuthn support yet, though it's becoming, I think, pretty standard across most major browsers. However, one of the biggest implementations right now are things like YubiKeys and like Google Titan keys, and it's not super reasonable to expect that everyone will have access to one of those unless you are at BSides and getting a free one from Google. These things cost about 50 bucks; you have to actually order one. And so these are things that you might want to consider if you're thinking about supporting this for especially things like a consumer use case. As more devices that we already have, like our phones, become supported authenticators, and there's a lot of phones, like I think iOS or iPhones just added support for this in like the last three months, but it's not as common right now, and as devices that we already have start to adopt the standard, we'll see this become more common. And we'll also see this become more common in places like enterprise companies and enterprise environments, where you have used this for employee authentication, because you have something like an IT department that can hand you a physical token during your onboarding, and you have an IT department that can handle the account recovery use case because they have details about who you are in the employment system. One of the drawbacks of using hardware security keys like this is that when you lose one, you might have a really hard time getting back into your account, depending on how the site has set it up to do the account recovery.

So what I wanted to do was back up some of this more qualitative data with actual research, and there was this great study from 2019 that was presented at the Symposium on Usable Privacy and Security, SOUPS, great name for a conference. So this was presented last August and the study focused on setting up and using these five factors that I just walked through. This is definitely a really interesting study; I've linked this in the references for this talk, I'll post the slides after if you want to read through the entire study. There's also a talk that they gave at SOUPS where they kind of summarize their research on this. Let's talk about how to set up these different authentication tokens. Kind of surprisingly, the pre-generated codes were what they found were the fastest to set up, and that's because they did this for Google, and Google has a one-click button that says generate some codes for me. Unfortunately the study didn't really take into account how the users would store these tokens long-term, and that wasn't part of the overall setup and usability considerations for measuring the usage of these tokens, so code storage was not considered. And like I mentioned before, 25% of the participants in the study said these pre-generated codes didn't really feel like any added security. In a different study from 2018, focused just on YubiKeys, but for cross-platform setup, I think this was really interesting because the setup success was really different depending on the platform. So Google had 83 percent success while Facebook had 32 percent success, and 2018 is like forever ago in terms of YubiKeys and hardware security tokens; a lot has changed since then, but I think this is a really interesting look at how onboarding users can affect their success in using a single type of authenticator. So one of the things that was really great about the Google setup was that they walked you through it step-by-step and made sure that users had success at every step along the way, and that's why there was much more success there. The documentation for setting it up with Facebook was more lacking, and so people were relying on a combination of documentation from the YubiKey website and from Facebook itself. So this is a really interesting look at how onboarding UX impacts user success, because you want to keep in mind that you have to have successful logins with these extra factors before you allow people to actually turn it on, and so people were ending up locking themselves out of Windows 10 computers because the Windows 10 computers didn't actually force them to complete a successful authentication before they enabled the second factor.

So moving on to usability, one measure of usability was the overall time that it took to authenticate, and unsurprisingly universal second factors and push authentication, which require a single tap, were the fastest methods. They have the fastest median authentication times, and especially when it comes to compared to SMS, some Duo research from 2019 found that push saves the user 13 minutes annually while U2F saves a user up to 18 minutes annually, and so this is going to save people time in the long run if that's one thing that you want to consider in terms of keeping your users happy with authentication. A lot of people are concerned about adding 2FA because they think it slows down the signups, slows down the login process, and there's proof here that there's faster methods of authentication available. But another measure of usability was this idea of a system usability score, or System Usability Scale, and SUS is a common measure used by researchers who measure people's opinions on the usability of these different factors. And so despite the fact that a lot of people couldn't enter TOTP codes in this study on their first try, people actually liked TOTP the best, and I thought that was a really interesting finding here. And that's for the second factor; you might notice that they actually liked just passwords, they liked passwords without any 2FA the most, but that's not really what we're concerned about. For a second factor, TOTP was the most successful, but the usability scores for all of them were actually kind of high, which I think is promising; people are willing to use 2FA when they see it working for them. However, we mentioned the time to authenticate using some of these factors; there's somewhat of an inverse relationship here with how people felt about the factors versus how fast they were. So push and U2F were actually some of the lowest scored SUS scores even though they were the fastest to authenticate, and so the researchers observed that faster authentication doesn't necessarily mean higher usability. So there are a lot of trade-offs here and a lot of levels of security in these options, but I think it's important to note that SMS-based 2FA is still better than no 2FA at all. This is really easy for me to say, I work at a company that does this, right? But there's more research on this to back me up. So in 2019 Google did this study that said that SMS 2FA effectively blocks a hundred percent of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks, and so this is a really good way of measuring the effectiveness of adding this on top of just username and password, and even though targeted attacks still have an attack vector available to them, that's one thing that we can consider, but it's still better than nothing at all. Even for companies like Coinbase that mandate 2FA for their users, they still support SMS-based 2FA because they know that it's better than not supporting anything at all, or allowing their users to get by without 2FA. But when you start looking at push authentication there is increased protection, so it increases the protection against bulk phishing attacks to 99 percent and the protection against targeted attacks to 90 percent.

You have different options for your 2FA, but you also need to get your users to enable it for the added security, and so adoption of optional 2FA is something that's historically been abysmal. I read some research that said that Dropbox quoted that something like 1% of their users have turned on 2FA for Dropbox, and there's a few reasons behind the adoption for this. The BYU study that I've been mentioning found that people were willing to add 2FA if they saw the value in the account, but there was still 13% of the participants that just thought the inconvenience was too high. And so I think that we need to educate users about the importance of security here, but also make it easy for them to turn it on, and make the options available to them to enable this seamless enough that they're going to see the value and going to make sure that they enable this at their convenience, because a lot of people just believe that they're not a target. You know, this is from another research participant; they said, "I just don't think I have anything people would want to take from me, and so that's why I haven't been that concerned about it." And this might be true for some accounts, but depending on what your company is protecting, this is something that you want to consider: educating people about why they need to turn on 2FA and what they are protecting, and how to incentivize them to do it. All hope is not lost: awareness and adoption has almost doubled in the last two years, and so this is from Duo research from last year. People that have heard of 2FA has increased to 77 percent as of 2019, and people who have used 2FA has increased to 53 percent in 2019. (One minute.) And websites are getting more savvy about how they're getting people to turn on 2FA. There's some options that you have available for this, so product incentives is one method for this. Does anybody know what the spike in 2018 is there? Fortnite. So Fortnite started off incentivizing people to turn on 2FA, and it's really funny because, even almost two years later, three of the top five related search queries to 2FA according to Google Trends have to do with Fortnite: Epic Games, V-Bucks, Fortnite. They aren't the only ones offering incentives; MailChimp offers a 10% discount for users that turn on 2FA as well. So there's things that you want to consider here, but you also need to measure your success, and the one thing that I want to point out here is that you want to make sure that your losses due to account takeovers are going down, but you also want to make sure that your support costs relative to those losses are also going down. And that could mean that your support costs are increasing, but that's a calculated decision that you want to make in order to support the added security for your customers. So there's no one-size-fits-all solution here, but the advice that I end up giving most folks boils down to this: you want to delight your most security-conscious users and provide some options for the rest, because, like the security researcher Cormac Herley says, when we exaggerate all dangers we simply train users to ignore us. I hope I've given you some inspiration for how to think about your authentication systems. Come find me after this if you have any questions, I will be up at the Twilio booth. Once again, my name is Kelley, and thank you for listening. [Applause]
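The TOTP construction the talk describes (a shared symmetric secret plus the system time, run through a one-way function that emits a truncated code), as an added Python example that is not part of the talk, of the cited studies, or of Authy/Twilio's code. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with HMAC-SHA1 and 30-second steps, the server-side verification with a drift window and replay rejection, and the otpauth Key URI that authenticator apps read out of a QR code, which makes concrete the speaker's point about the QR code shared in Slack: whoever sees it holds the secret. The secret `12345678901234567890` is the test secret from the RFCs; the issuer and account name are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional
from urllib.parse import parse_qs, quote, urlparse

TIME_STEP = 30  # seconds per code (RFC 6238 default, what authenticator apps use)
DIGITS = 6      # length of the displayed code


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over an 8-byte big-endian counter, then
    "dynamic truncation" to 31 bits, reduced modulo 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). Any two
    devices holding the same secret and a synced clock show the same code."""
    return hotp(secret, at // step, digits)


def seconds_remaining(at: int, step: int = TIME_STEP) -> int:
    """How long the code shown at time `at` stays valid; the 'could not enter it
    before it expired' problem from the usability study is this number being small."""
    return step - (at % step)


def verify_totp(secret: bytes, submitted: str, at: int, last_used_step: int = -1,
                window: int = 1, step: int = TIME_STEP, digits: int = DIGITS) -> Optional[int]:
    """Server-side check. Returns the time step the code matched, or None.
    Accepts `window` steps either side of now (clock drift, slow typing),
    compares in constant time, and refuses any step at or before the last one
    accepted so a code observed once cannot be replayed."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    now_step = at // step
    for drift in range(-window, window + 1):
        candidate_step = now_step + drift
        if candidate_step <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate_step, digits), submitted):
            return candidate_step
    return None


def otpauth_uri(issuer: str, account: str, secret: bytes) -> str:
    """The text inside the QR code an authenticator app scans (Key Uri format).
    It carries the secret itself in base32: a screenshot of the QR code pasted
    into a chat channel is a copy of the key, not a one-time enrolment."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = quote(f"{issuer}:{account}")
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"


def secret_from_otpauth_uri(uri: str) -> bytes:
    """Recover the raw secret from a Key Uri, i.e. what anyone who saw the QR holds."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    b32 = parse_qs(parsed.query)["secret"][0]
    b32 += "=" * (-len(b32) % 8)  # restore the base32 padding that apps omit
    return base64.b32decode(b32, casefold=True)


if __name__ == "__main__":
    import time
    SECRET = b"12345678901234567890"  # RFC 4226 / RFC 6238 test secret, not a real key
    now = int(time.time())
    code = totp(SECRET, now)
    print(f"current code {code}, valid for {seconds_remaining(now)}s")
    print("server accepts it:", verify_totp(SECRET, code, now) is not None)
    uri = otpauth_uri("ExampleCorp", "engineer@example.com", SECRET)  # constructed placeholders
    print("QR payload:", uri)
    print("secret recovered from QR payload:", secret_from_otpauth_uri(uri) == SECRET)
```

A real verifier would persist the returned step per user as `last_used_step`, and would pair a small window with a rate limit on failed attempts, since six digits give only a million possibilities per step.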