So, as if none of that happened: good afternoon everyone, how are you doing? That's very cheery and very happy, I'm very glad about that, but I come with a warning. And it's a simple warning: hackers are everywhere. And I don't mean the cool kind of hackers, like the people that we are right now, just making stuff, building things in a field. I kind of mean people like this guy. You know the type: they're in the suit, they're in the balaclava, hacking and breaking into your users' accounts. People like this woman, who is so good at hacking she's managed to get herself a laptop whilst in jail. And people like this man, who... I don't know why he's got sunglasses on inside a darkened room, but whatever he's doing, he's doing it right. He's keeping his fingerprints safe, he's got the gloves on, that's cool. Whatever he's doing, he's doing it right, because there is money pouring out of his keyboard.

Hi, my name is Phil Nash and I'm a developer evangelist for a company called Twilio. Who knows what Twilio is here? Anybody? Quite a few people, that's cool. If you don't know, which I'm sure one person didn't put their hand up there: Twilio is a communications platform. It's a way to communicate with your users via voice, video or messaging, using the tools, languages or frameworks that you already know. I think it's pretty cool, and that's why I work there. But it's not about Twilio right now. We're talking about two-factor authentication, or 2FA. 2FA, for two-factor authentication. I've got a bit of a straight-up explanation of that, but we're going to go into a bit more than that. So two-factor authentication is a security process in which a user provides two different forms of identification to authenticate themselves with the system. Those two forms must come from different categories.
That's important. And normally it's something you know and something you have. A great example of this that we've been using for years is bank cards, which have a PIN number: that is something you have, the card, and something you know, the number. But why is this important? I mean, do you have two-factor authentication set up on all your accounts? If anybody's saying no right now, you're excused from the rest of the talk so that you can set that up for yourself, because you're more important than everybody else right now. Sort that out.

But there are many reasons why I think this is important, and one of them is based on the story of this guy, Mat Honan. He's a journalist, he used to write for Wired, and back in 2012 his digital life was destroyed by people without very much technical ability whatsoever. And I want to tell you about that. I want to tell you how they did that, and we'll see why I think 2FA, excuse me, is important.

So we have a bit of a timeline of what happened. They found his Gmail address on his website; that's a perfectly reasonable kind of thing, you probably have your email address on your website. And they entered that into Gmail and found that he had a me.com account, one of those people, as the backup email address. And so they called up Amazon in order to add a credit card to his file, which was nice of them, I guess. Of course, you don't just add credit cards to people's files, you have to talk them into doing it, right? I mean, they were after passwords or secret identification, things like that, but eventually, because he couldn't give any of that, it boiled down to being able to tell them his email address and a billing address. Now, they had the email address, obviously, we found that already, and they found, and this is about the most technical part of this hack, they found the billing address on WHOIS for his domain, right?
So they have the billing address and the email address, and they added a credit card to his file in Amazon. He wasn't aware of this at the time. And then they called them up again and said, all right, I need to change my email, get my password reset to it, and they would go through all the same questions, all the same things, and eventually it boiled down to: they needed his email address, his billing address and the last four digits of a credit card they had on file. So you see, as nice as they were trying to be, they got the Amazon account reset, which is kind of cool, and then they called up Apple to reset his password. He actually, as a journalist, went in there and worked on finding out how they did this, and we actually get a timeline here from Apple support. At 4:33 p.m. the hackers called Apple to reset the password, and they went through the same thing again, all those security questions, all that kind of stuff, which they didn't know the answer to, until they asked for an email address, a billing address and the last four digits of a credit card on file. Since they had the Amazon account, they had all his credit cards that were on file and the last four digits for them. So that was how they got in there: they reset the Apple ID password and gained access to his me.com email address, at which point they reset the Gmail account. And this is where it gets nasty, because then they wiped his iPhone, they reset his Twitter password and hacked into that, wiped his MacBook, deleted his Google account, and at 5:12 p.m.,
just about 40 minutes after getting on to Apple in the first place, posted to Twitter to take credit for the hack, which was nice of them, I guess. Weirdly enough, in the 10 minutes they had control of that Twitter account they posted racist and homophobic slurs, so I don't know why you'd take credit for that, but it's what they did. And the whole reason they did this was purely to get Mat Honan's Twitter account, which had a three-letter name. Which was basically... it was kind of nice, really, because they could have done so much worse, so much worse to him. Although he did lose pictures of his child that were on his MacBook and an iPhone that wasn't properly backed up, so that sucked. But what really sucks is that at every single stage of that hack, at Amazon, Apple, Gmail, Twitter, any single stage of that hack, two-factor authentication would have stopped them in their tracks and saved whatever account was blocking. If the hackers had had to have access to something that Mat himself had on his person, they would never have got in. Very sad story. It's good to find out how it all happened and that this can be avoided. I mean, there is some social kind of hacking in there as well, but that's it.

But I have more reasons, more reasons why this is important, because we're not all just in control of a highly desirable Twitter name like Mat, and leaving bits of data around like that that can be tampered with. Maybe we have long passwords. Maybe we have password managers. This is probably the kind of place where we all have things in password managers.
I don't, I'm sorry, I'm pretty bad at this, but this is also probably the kind of place that you would find people like that. However, there are many other people in the world who definitely aren't using these kinds of things, aren't using long and different passwords for every account. And so I want to play a bit of a game. I don't know if you're aware, but Ashley Madison is a site that was hacked last year for apparently ethical reasons, and it turned out at some point they had not been hashing their passwords correctly, so a security firm was able to break 11 million of them. And so that means we get the top 10 passwords used on AshleyMadison.com. Does anybody want to have a guess what number one was? "Password"? Oh, it's in there, but it's not number one. "123456"? Yes. Wonderful, wonderful password. And then "12345" for second, just slightly lazier people, I guess. I think "password", yeah, "password" is number three, that's good. And then "DEFAULT" in caps; I genuinely don't know why that one's there. Some people made it all the way to the end of the keyboard. Some people just did the letters, that's fine. "12345678", not quite all the way, I don't know. "abc123", I thought, yeah, that one's a little bit like a bit of work to do on the keyboard there; it's not just like swiping a finger across things. Number nine was NSFW, so I'm not putting what it was on screen in this context; you can ask me about that later, after a couple of beers. And finally, "1234567". But the worrying, the terrifying thing about this is not just that people are using these but how many people are using these. That's a hundred and twenty and a half thousand people with "123456", and this is a site that you probably want to keep relatively secret.
I don't know, but basically users are bad with passwords, and then we know these passwords because sites are bad with them as well. You are almost certainly in control of an account somewhere that has lost all of its user data and is on the internet for everyone to use right now. And I forgot the name of the site, there's a site called Have I Been Pwned, or something like that, and it's really terrifying, because it emails you if you end up on one of these public lists of places where they have your email address and a password that you used on an account. It's really useful for that, but it's also terrifying how many emails you get.

So users are bad with passwords. Hackers can make their way around passwords an awful lot of the time and we need to stop that. So how are we going to do it? Two-factor authentication. The original, your normal user registration flow is fairly straightforward, right? You visit a registration page, you enter your email address or a username and a password, and you're logged in, and that's fine. And then it's similar for when you go and sign in, log in: you visit the login page, enter the username and password, hopefully it's a securely hashed password, and that is then verified and you're logged in. Brilliant. Let's get over that, because that's not good enough.

SMS is the first way you might think of doing two-factor authentication these days, and it's pretty useful, I like it. That's what we do at Twilio, we have quite a lot of SMSes. And it's a fairly straightforward addition to the flow, because you just need to take somebody's phone number as well. That's fairly straightforward, and people are kind of happy to give that away for security reasons, which is nice. It's not for spam texts or anything.
So that's cool. But then, when they log in, they enter the password, and as long as that's right we've passed the first factor. Then the verification code is sent to the user via SMS, and you can do that, as I said, if you use an API like Twilio; that's probably the easiest way and I wouldn't even know how to do it otherwise, so do that. And then the user enters that verification code, and you just have to make sure that was the code that you had. At this point it can just be a random number, it doesn't matter. You could save it in a database column, saying this is the login code for this time around, maybe with a timeout on it, something like that, and the user's logged in.

But there are pros and cons to this. One of the big pros to using SMS for this is very much that most people in the world have access to a device that can receive an SMS, and it just brings this ability to have security and have a safer account to almost everyone in the world. It's super useful for that. On the cons side, SMS obviously costs: to be able to do this you either need the infrastructure or a service in order to do that, and so that's going to cost money. Security is worth it. And SMS is not the safest thing. It is a clear-text format. There have been many hacks recently showing people being able to take over things that are based solely on an SMS message, and that's a little terrifying. So it's not the most reliable, it's not the most secure method.
However, in terms of making this available to the most number of people, SMS is probably the best. But then we have soft tokens, and by a soft token I mean where you have an application which can generate that code for you. And so in this particular case the registration flow becomes: you do the normal stuff, and then you generate a secret, a cryptographically secure, long kind of secret, and share that with the user somehow, and get them to verify that they have that, with the code probably, and then they're logged in. And then when the user logs in they just have to open up an auth app. You're probably aware of Google Authenticator, and Twilio also owns a company called Authy, who has an application for this, which is very good. So you open that app up, get the code out of there and enter it on the site, that gets verified and you're logged in.

So I want to talk about those secrets, because this is what interested me and this is what kind of drove me to investigate this a lot, because we have this application that could be offline.
It can be out of any network. It does not need a connection to the site in any way in order to generate these codes, and that's always interested me. And it's all down to this protocol, the HOTP or TOTP protocol, which stands for HMAC-based one-time password and then time-based one-time password. And this is what that is. It's a nice little cryptographically cool little thing that uses the HMAC digest. When you do HMAC-based one-time password you use a key, a secret key, which is that secret you generate for the user, and then a counter which you have to keep updating. And to make the code you just take the HMAC digest of the key and the counter. Truncate, in this case, is a deterministic way of picking four bytes out of the middle of the digest somewhere, and then there's just a bit mask to make it a positive number in the case of signed integers. And then your actual value, the six digits or seven digits that you've probably seen when you do these things, is taken by modding that result by 10 to the number of digits that you'd like. Straightforward, so it's easy, it's fine. If you are interested in seeing that in more detail, I kind of recommend taking a look through this Node package, notp, whether you like or don't like JavaScript, it doesn't matter. It's very easy to read and it just spells everything out in front of you. And as long as both sides have that secret and the counter is in sync,
they will create the same code every time using that algorithm. And then the time-based one-time password is exactly the same as the HMAC-based one, except the counter that you use is simply the number of periods since the epoch. The period length tends to be 30 seconds; that tends to be how long you have to get your code typed in before the thing changes in your app. But that just means the counter can be based on the time, and so we don't have to worry about keeping them in sync any more than we have to worry about generally keeping clocks and time in sync.

So I wanted to just show this very quickly, because I really like that notp library and I just want to show you how it works. Can you read that, or should we make it bigger? That's cool. So I'm just going to kick into Node and get myself the notp library. And there it is. It comes with hotp and totp as things, so if we get hotp off of the notp object then we can see we get two functions, gen and verify. And so when you generate, you just need to use a secret, something secure, something that's not "hello", but that's what I like because it's easier for me to type than a 16-digit random string. And if we put the counter in as 1 right now, we can generate ourselves a code: 825147, wonderful. And if we run the same thing again with the same counter it is of course the same, and then you move the counter and it's different. Wonderful. This is how easy it is to produce this stuff. And then on the other side of things you want to verify that, at which point we're going to take that original number that we got back, 825147, our secret and the counter at the time, which was 1, and we see we get an object back. And if that was incorrect, if something was wrong there, if the code was out by some sort of digit, you get null back, which of course is falsy in JavaScript. And that's as easy as it is. What I really like is this delta, because if I
change the counter here, because we added the code in but maybe the counter was slightly out of sync... oh, that was the wrong one. If we change the counter we get a delta of minus one, which shows you that you were close: this person is making the right code, they have the right secret, they're just kind of out of sync slightly, so that's where you can update. And then the same happens for TOTP, which is really great as well. And this one's easier to generate because you just have to pass in the secret, because it's based on the time. So we just get a code out of it, and if we keep generating them they'll be the same, until the point of the talk where I have to wait an indeterminate amount of time in order to get a new code out of this. Nope. I'll get on with verifying. "hello", and the code goes first, so 953767. It's going to have changed now, right? So we have a delta of minus one, and if we generate again we have a new one. And so that's how the time-based one-time passwords work, and again that delta just shows, firstly, that the person probably has the right secret, but secondly it also means that as a user you don't have to rush. You just have to know the number.
It's going to be fine if people have implemented this correctly. So I think it's really easy to generate these things, and it's pretty cool. All you have to do is share the secret somehow, and that's kind of, not the difficult part, but it's just another thing to think about, because most of the time we do it using QR codes. I mean, "I love QR codes," said no one, I guess. But they are... I mean, this might be the only good reason to have a QR code on a website ever: to keep people safe. And if you want to generate the QR code you use this kind of URL format, that has the protocol, otpauth, the type, which is then hotp or totp, a label, which is pretty much your application name, and then some other parameters that include the secret. And so that's a bit small, but if you can see, we've got otpauth, and totp is the type. The label in this case is Example, because it's my example application, and I've also put my email address into that as well, so if you have multiple accounts in one app and you have multiple two-factor authentications for it, then that will be read out for that particular account. And then in the parameters we have the secret and then the issuer again, which is the application. And as I said, QR codes are great. This is still my favourite blog on Tumblr; it's been going since 2012 and still has no posts. Genuinely my favourite. But I do think this is a useful thing, it is a useful thing for security.

There are pros and cons to this, of course. The cons being that, in order to do this, you need to have some sort of smartphone; any kind of feature device is not going to do the job, and so that counts some people out. And the sharing of the secret is a weird one, because it can be captured, especially if it's a QR code kind of thing being displayed on screen. If somebody is that paranoid about the thing, it could be captured whilst they're doing sign-up, registration, for this kind of thing.
So you can give it away. Similarly, in the cons, you also have to look after those secrets on the side of the users. You can't hash them; they have to be held in clear text in your own database. So you have to look after this secret which people believe will keep them safe.

But can this all be better? Because the problems with security, and with things like two-factor authentication, tend to end up that we lose out on user experience. Having to open your phone and get a text message, or open an app and type in a code, it's all a little bit awkward, and I think it can be better. People have said to me before, you know, friends don't let friends write their own authentication frameworks. I work a lot with Ruby and Rails, and so Devise, an open source authentication framework, is a wonderful, wonderful thing, because I don't have to worry about screwing up all the things that you can screw up. And I believe that's probably the same for two-factor authentication as well. I don't want any of us to screw this up, and so I want the professionals to be sorting this out, and that is why I mentioned Authy earlier. It was a year and a half ago now that Twilio bought this little company called Authy, because they were doing two-factor authentication as a service. Effectively, it's kind of three API calls in order to get everything you need in two-factor authentication. Just to give you a bit of an insight into this: when you register with Authy you do need the phone number off of the person, because text messaging is very much the base of the whole thing. Your system then makes that first API call to register the user with Authy, and you get an ID, and that's all you have to store: the Authy ID of the user. And when they log in, you make one API call to send the authentication request, and that can come via SMS or via a push notification to the app. So that's
why we just have all three: it prompts the user somehow, and then they find the code either in that SMS or via the application and enter it on the site, and the final API request you have to make is to verify that that code was correct, and then they're logged in. But that's not all; that doesn't change things much. The Authy application on the phone is better than Google Authenticator and is more looked after, more up to date, but we need more than just a slightly better app in order to make this interesting. And so I think the future does come down a bit to push notifications: if we've already got people with an application in their hand, in the phone or whatever, then we can do more stuff with that, and that's a thing that Authy calls OneTouch. I just want to show you a quick demo. This is a video. I need to... okay, I'm going to do this really quickly. So when you log in on the site, this side is my phone, and when it logs in it sends a push notification. But what's going to happen is you're not just going to have to type in a code; it actually asks you: this site is trying to get you to log in, is that cool? And you're like, yeah, it's cool, and it logs you in. Which is, I think, a much better experience than having to type digits, having to type all those things. I'm going to rush through this last bit, I'm very sorry. Pros and cons: it's pretty awesome; you have to have an app, I guess.

In summary, users are bad with passwords.
I'm bad with passwords, and so many users and other websites are bad with passwords and they leak them literally all the time. Two-factor authentication can be push, a token or SMS, and to me that seems a little bit like graceful degradation, graceful degradation in websites, in that you use the thing that most people will get and improve upon it if you can. And two-factor authentication really is for users, and really is for their security, their experience, their entire life and their world, if you think back to Mat Honan's story. So that is all I have for you this afternoon. Thank you very much. Let's beat this guy, let's stop him stealing padlocks out of the top of your... whatever, I don't know. Thank you. Thank you very much.