and welcome to the AppSec Village. I hope you were here for our first keynote speaker. Welcome to day one of AppSec Village, part of DEF CON 2020. I really wish we were all together in one big room like we were last year, but that's just not going to happen this year. So in the meantime, thanks for tuning in, thanks for watching along with us. I want to take the moment to introduce you to our next speaker. Our next presentation is going to be "2FA in 2020 and Beyond" by Kelly Robinson. Kelly works on the account security team at Twilio. Previously she worked in a variety of API platform and data engineering roles at startups. Her research focuses on authentication user experience and design trade-offs for different risk profiles and 2FA channels. We all know how important 2FA is today. We all want to protect our accounts, and I'm looking forward to this talk. I hope you are too. So please give a warm AppSec Village welcome to Kelly Robinson.

I am coming to you today from Brooklyn in New York, and I hope that you're doing well wherever you may be on this March 152nd. Hopefully your day is going better than the person who has this password. But even though I trust everyone tuning in to a DEF CON talk to have better password hygiene than something as simple as 123456, the fact is there are still a lot of folks out there with short, guessable passwords, or people that are reusing passwords across multiple sites. And as much as we'd like to believe that we're better than this, the website haveibeenpwned.com proves that simple passwords like 123456 are still incredibly common. This password has been seen almost 24 million times across data breaches. And attackers can use this to do credential stuffing attacks across the web. And it can basically allow them to hack into a lot of accounts and compromise a lot of credentials and ultimately make a lot of money off of unsuspecting individuals. And that's what we're here to discuss today.
This reality where we are so owned that passwords are no longer enough, how other factors, second factors in fact, can help us stay more secure, and how to evaluate the different options out there. So my name is Kelly Robinson. I have been working at Twilio for about three years. I specifically work on Twilio's account security team, working with our products for things like Verify, Lookup, anything that has to do with phone verification, two-factor authentication, phone and email intelligence, things like that. And this team has evolved a lot. We acquired Authy about five years ago, and that was kind of the genesis of the team. So Authy is our free consumer application that was recently rebranded to include the Twilio name about five years later. But we also have APIs for adding things like two-factor authentication into your applications. And I spend a good chunk of my time educating developers about security, especially when it comes to authentication itself. And so this talk is going to incorporate a lot of the things that I've learned in the last few years, working with developers on a variety of challenges and with our customers on their authentication challenges as well. And the failure of good authentication often results in what we call account takeover, or ATO. And this is why this is such a big problem, right? Like if there wasn't anything of value on the other side of an account, we wouldn't be as concerned about this. But this is a seven billion dollar problem. So the industry is really incentivized to find a solution here. And from the 2020 Javelin Strategy & Research study that just came out a few months ago, one of the things that they noted is that account takeover fraud is one of the hardest types of fraud to identify because there are so many channels, multi-channel account access, and the desire to reduce friction in the consumer experience. And so we're trying to make it easy for people to log in.
But we also want to keep out the people that shouldn't have access to those accounts. And those can sometimes be conflicting goals. So how do we accomplish this, and how do we accomplish those goals? So for protecting our accounts, we have these three types of factors that we'll talk about. You need to use a factor of authentication. And using any two of these means that you're using two-factor authentication. So there are three types of factors that we talk about. Something that you know, this could be like a password; something that you have, this could be a key or a phone; and then something that you are. So this is something like biometrics, like a fingerprint or Face ID or something like that. And all the factors that we're going to be talking about today are channels that fall into this possession category. And I just kind of wanted to go over what the different pros and cons of a lot of these different common channels for two-factor authentication are, so we can think about why we would or would not enable some of these types of channels. And starting with second-factor authentication using SMS 2FA codes. And so one of the big reasons that people still like SMS-based 2FA is that onboarding is so easy. So about 99% of Americans have a phone capable of receiving text messages. And that makes a big difference, right? Like if you can't get people to turn on 2FA or opt into 2FA, then you're not going to have any of the benefits of having the second factor offered to them. And because of this easy onboarding, because it's a familiar experience now, this is something that a lot of companies still like to offer, because it's offering that additional security without that additional friction. Unfortunately, as a lot of people know, SMS-based 2FA is not that secure. So one of the main reasons that we say this is because of something called SIM swapping. So this is where an attacker could use either social engineering or bribery to get my SIM card sent to you.
And then you could basically take over control of my phone number. And so it's not device control. So SIM swapping allows you to take control of a phone number. And that can give you a lot of access to things that are being sent to me, like two-factor authentication codes. So SMS one-time passwords are really convenient, but they are an insecure channel. The next thing that I wanted to talk about was TOTP, or time-based one-time passwords. And this is a way to generate tokens based on an algorithm. So the inputs here are a secret key and your system time. And those get put through a one-way function that pops out the truncated token. So this is what Google Authenticator, Authy, apps like that use. It's an open standard, and symmetric key cryptography offers increased security compared to SMS. But if somebody gets access to that shared secret, then the method is easy to compromise, and you might be saying like, well, don't leak that secret. But you know, one of the ways that we share that secret is by scanning a QR code. There are ways that QR code can get leaked. At a previous job, we used to keep a copy of a QR code for TOTP in the shared 1Password file that we used for engineering onboarding, because we wanted to enable 2FA, but we needed multiple people to have access to it. So that's one example of how a TOTP secret could get leaked. It also offers some distinct advantages. Like I mentioned, it's an open standard, which is pretty cool. So you can use the app of your choice to do this. And also because the inputs are offline inputs, this method is also available offline. So you know, not that anybody's doing a ton of traveling right now, but this is really useful for people when they're like on a plane or in a foreign country where they might not have good cell service or cell service of any kind. But unfortunately, this does require an app download.
And so this is something that you want to keep in mind, because that's going to add additional friction to get people to sign up for this method. And then I do want to mention the expiration user experience, because in a study on the usability of different factors, researchers found that two-thirds of participants using TOTP via Google Authenticator had problems entering the six-digit code before it timed out. And so that could be a problem depending on the types of users that might be using this. That expiration logic helps keep it secure, but it also could make it harder to use. Overall, this is a pretty good option. We see a lot of security-conscious companies adding TOTP as a 2FA option. And it's a really good next step, a way to add an open source, open standard option on top of SMS 2FA if you want to add additional security. So I also wanted to talk about pre-generated codes. And so these are something called, you know, like we might know these as backup codes. You don't see these used a lot for ongoing login. But I wanted to mention these because a study that I'm going to reference talks about using pre-generated codes. And then the benefit is that these are really easy to use. These are basically like passcodes or passwords that are generated for you. So they're less likely to be reused. They're more likely to be more secure. They're not going to be one, two, three, four, five, six. But you know, because of that, 25% of participants in this study noted that these pre-generated codes didn't really feel secure, though, because they're just kind of written down on a piece of paper. And the other problem with this is, if you've ever been somebody that has been asked to store backup codes or implemented a system that has this kind of system, like how do you store those? A lot of companies don't give you real guidance on that. And this is something that might not just like feel that secure.
So this is something that I think is an option for backups, but the ongoing usability of it might not be super practical. Finally, I want to talk about push authentication. And this was really popularized by apps like Duo Authenticator. And users love this because it's so low friction. So you could approve or deny a login request directly from your smartwatch. And it uses asymmetric key cryptography, which means that you have two keys. The private key is only ever going to be stored on your device. And so that really keeps you more secure and prevents you from leaking a shared secret, like you might be able to with TOTP. And this is the only form of 2FA that adds the option to explicitly deny a login. But unfortunately, it's so low friction that you could easily approve an authorization request just to get rid of it. And so if somebody is attempting to attack your accounts in the middle of the night, you might be able to unintentionally approve a request just to make it go away. And this also is a proprietary solution. So it's going to require a special app. So you could do this with something like Authy, you could do this with something like Duo, and you can also bake this into your own application. But like with TOTP, getting users to download another app is always going to be a challenge. I think the way that we'll see this become more common is with companies that have a lot of mobile users that already have their apps, baking this into the existing apps that are already on their phone. So you've seen this with something like Google Prompt. If you enable Google Prompt and try to log in on the browser, what Google will do is say, hey, check your phone, open up any Google app on your phone, and it will pop up this type of "is this you trying to log in" message without requiring that the user downloads an additional app.
And so that is one of the ways that you can kind of get around that user experience hurdle of having users opt into a more secure solution. This seems great; it's really cryptographically secure. But I think the onboarding logic is going to be something that we're going to struggle with for the next few years until this becomes more common. And there's always this problem that it might be too convenient. And then lastly, we'll talk about WebAuthn. And this is the new hotness, for good reason. It offers a really high level of security with asymmetric key cryptography, like push authentication. So the private key is only ever going to be stored on the device, but it's also an open standard, like TOTP. So the biggest drawbacks with WebAuthn right now are that it's still relatively new and setup can be a little bit clunky. You know, some of the new devices are starting to bake this into the actual device itself. And so Android phones can now be used as a WebAuthn authenticator for Google products. But this is not something that you're seeing as widespread yet. Hopefully this will be something that will be rolling out more widely with devices that we already have. But for something kind of third party that you can use to do this, like a YubiKey, you need that additional authenticator right now to do this in a lot of places, an authenticator that's compatible with the standard. And you know, YubiKeys, Titan keys are not exactly cheap. And like you also can't reasonably expect that every user of your application will have one. So until something like this becomes a standard available, like, on every mobile phone, it's going to be harder to implement this across the board. So like I said, as more devices that we already have, like our phones and our laptops, start to adopt the standard and become those kind of compatible authenticators, we will see an uptake in this factor. And I think this is where you can kind of set your sights, where things will be going.
But it is currently more popular with companies. So like your IT department can get you the YubiKey right now. It can hand you the physical token. So that's something where you might also be seeing this. But a lot of these factors we're kind of focusing on as a consumer application channel. But I do want to back up these kind of qualitative examples with some more quantitative data. And to do that, I wanted to think more granularly about how we're measuring the effectiveness of 2FA. And so separating this into three categories, kind of thinking about this in the life cycle of 2FA. So there is this onboarding consideration, right, that I've mentioned a couple of times already. There's also user experience, ongoing user experience for how you're going to work with these different channels as you're using them on an ongoing basis. And then also the account recovery side of things, like what happens when you lose one of these factors? What do you do at that point? Is there a path to recovery there? And so the research that I'm talking about is from Brigham Young University, and was presented at the SOUPS conference last August. And so the study focused on setting up five factors. And so the factors that they talked about are the ones that we kind of already walked through, which were SMS, TOTP, pre-generated codes, push authentication and U2F security keys. So a couple of important caveats: the study didn't take into account how to store pre-generated codes. And so that's something that I think is pretty important for this type of channel. But 25% of participants noted that the pre-generated codes didn't feel secure. But when it comes to factor setup, this is the winner from the study. But like I said, the code storage wasn't considered for timing. So I don't know exactly what that would be like on an ongoing basis.
From a different study in 2018 that focused just on YubiKeys, I think the study is really interesting because the success varied a lot depending on the platform that they were setting it up on. Even though the channel, the thing that they were using to set up the U2F, was always a YubiKey. It was always the same YubiKey that they were using across channels. So 83% of people were successful on Google, where only 32% of people were successful on Facebook. And if you've been following U2F and WebAuthn, you know a lot has changed since 2018, but I do think this is a really interesting look at how onboarding user experience impacts user success. And so you can guide people towards a successful solution here, but you don't want to guide people in a way like Microsoft Authenticator or Windows Logon Authorization tool did, where more people locked themselves out of their computer than were able to successfully set it up for that particular platform. So moving on to usability, one measure of usability was the amount of time that it took to authenticate. And in that metric, U2F and push were the winners there. So they had the fastest median authentication times. So compared to SMS, Duo research from last year said that this can save people 13 to 18 minutes annually in terms of ongoing authentications, if time is something that you're concerned about, and this is a measure of usability ongoing. But the System Usability Scale, or SUS, this is something that's a standard measurement used by researchers for this type of thing. So actually all of the methods had a pretty good usability score, but TOTP came out on top. Again, this is like ignoring just passwords. So it turns out people don't like adding a second factor to a lot of their authentication because that's additional friction. But if you're going to be using a second factor, then TOTP was what they considered most usable.
This actually surprised me, because this was the same study that said that two-thirds of users had issues with the timeout. But that didn't affect the rating here. So maybe that's something that we don't need to be as concerned about. I do want to point out that there was somewhat of an inverse relationship here, because U2F and push had some of the lower usability scores. So the researchers observed that faster authentication does not necessarily mean higher usability. So this is something that we're looking at. And you might notice that like SMS does not come out on top on any of these. People didn't really like it as a factor. It was one of the lower factors for the authentication score. But I do think that even though there are a lot of trade-offs to the level of security in these options, it's important to note that SMS-based 2FA is still better than no 2FA at all. And this is really easy for me to say, like, you know, I work for a company that does this, but there's research here to back me up. So a 2019 Google study found that an SMS code sent to a recovery phone number helped block 100 percent of automated bots, 96 percent of bulk phishing attacks, and 76 percent of targeted attacks. So it's still really good coverage, especially for something that's really easy to set up, that might have a higher likelihood that users are actually going to turn on a second factor. But when you start looking at push authentication, there is increased protection. So this gets bulk phishing attack protection up to 99 percent and has a 90 percent effectiveness for targeted attacks as well. So you have different options for 2FA, but you also do need to get your users to enable the extra security. And adoption of 2FA is pretty abysmal. There are a few reasons for that. This is especially abysmal for opt-in 2FA. And so last month, DHH on Twitter, who works for, you know, he works for Basecamp, I think, and is behind the new email platform, Hey.
He was asking about what the opt-in rate for different companies was for consumer 2FA. And companies willing to share this data say that it's usually somewhere between like one and two percent. Depending on the type of platform, depending on how you're getting users to turn it on, you know, you probably are going to have a pretty low rate of adoption here. So he mentions that Basecamp was at a paltry one percent. And one of the observations behind this is that, you know, there is technology like this. Technology is available to help mitigate the risk and improve the consumer experience. But it often goes unused. And so I think this is one of the things that we as security professionals, and people that have the ability to encourage people to opt into these more secure measures, need to be considering: how we can push people in that direction without increasing too much paranoia. So in terms of 2FA adoption, a 2019 BYU study found that people were willing to add 2FA to their accounts if they saw the value in the account. But 13 percent of participants just saw that the inconvenience was too high, no matter what. And that's because a lot of people just believe they're not a target. And so one of the research participants said, "I just don't think I have anything that people would want to take from me. So I think that's why I haven't been very worried about it." And you can see this with a lot of people in your own life. They don't understand the risk that is associated with all of their accounts. And maybe that's okay, like maybe you don't need to be adding 2FA to authentication to, you know, the pizza delivery app that you're using. But how do we encourage people to add stronger authentication methods beyond passwords to things like their emails and their bank accounts and other places where that level of paranoia is perhaps justified? So hope is not lost here. Awareness and adoption have almost doubled in the last two years. There are reasons for this.
Bitcoin has spiked a couple of times within there. But there are other things that we might be able to attribute this to. And so one of these is how we drive adoption of multi-factor authentication. And websites are getting more savvy about how they're getting people to turn on 2FA. But unless you're somebody like Coinbase, you're probably not going to make two-factor authentication mandatory. But you do have other options than just hiding it in profile settings where people aren't going to think to go get it. And so you can prompt people when they log in. You can offer product incentives. You can have a really annoying and persistent login prompt that is telling people that they need to turn on additional factors for authentication every time they log in. The more annoying you are about it, the more likely people are going to be to turn it on. But that's also going to increase the friction, and you don't want to annoy your customers too much. So we do know strategies like product incentives work from looking at the Google Trends for 2FA searches. So if you can guess what the spike in August 2018 was, it's only gone up from there. But it was pretty flat for many, many years leading up to that. That was when Fortnite decided to offer in-game incentives for its users to turn on two-factor authentication. And so if you're not familiar with Fortnite, it's an incredibly popular video game. And video game companies are some of the ones that have gotten most creative with the incentives that they're offering people. One, because there's in-game trading that has real monetary consequences for their users. But two, because some of the incentives that they can offer don't actually cost them a lot of money. And so now, even two years later, three of the top five related search queries to 2FA have to do with Fortnite. Three of the top five related topics to 2FA have to do with video games. Epic Games is the company that owns Fortnite.
But they aren't the only ones that are offering incentives. Lots of gaming companies are offering incentives around that. You can see lots of examples there. But there are other companies that are offering product incentives as well. So a good example of this is Mailchimp, which will offer you a 10% discount for three months for users that turn on 2FA. And so you can understand kind of the trade-off here of what would be valuable to your company. Like what is the account takeover risk? What is the loss that you're experiencing from something like this? And does it make sense for you to offer some product incentives or discounts to your customers that might get them to opt into additional security? And so like anything, you want to make sure that you're going to measure how effective this was. So ideally you would be setting these measures before you embark on this kind of a journey. But some of the things that I encourage people to think about as they're measuring the effectiveness of their authentication strategies, like this is going to depend on your business, but here are some of the options that you might have. Just total losses due to account takeover. You probably want to see that number go down. You might want to care about the total number of compromised accounts, decreasing the number of customers that are actually having their accounts taken over. One thing that I do think is really important to look at is just the support costs related to the losses. So if you're somebody that's starting to require or encourage a lot more two-factor authentication, there are going to be additional support hurdles that you're going to come across. So especially when it comes to the account recovery side of things, people are going to get locked out of their accounts more often.
And you want to have a smooth path, hopefully self-service, hopefully even enabling, you know, three or four factors that they can use to gain access to their accounts again if they lose access to any one of their factors. But you want to make sure that you also equip support with the tools to make sure that they can securely and safely get people back into their accounts. Even if this is going to take more time out of the support team, it might be worth it overall. And finally, you just want to make sure that user satisfaction is at least staying the same, if not going up. If you're doing something like having really persistent login prompts for turning on 2FA, you might want to make sure that you're not annoying your customers too much overall. So there's definitely no one-size-fits-all solution here, but the advice that I end up giving a lot of folks boils down to something like this, which is to delight your most security-conscious users. You don't want people that are paranoid, with good reason, who have higher security needs and concerns, to be upset by the lack of options that you're providing, but you do want to provide options for the rest. You don't necessarily need to force everybody on your consumer website to have to use TOTP or a YubiKey or anything like that, but you want to make sure that it's usable for people, depending on the risk that they're willing to accept. Because like the security researcher Cormac Herley says, when we exaggerate all dangers, we simply train users to ignore us. So I hope I've given you some inspiration for how to think about your authentication systems. I'll be around. You can find me on Discord. You can find me on Twitter if you have any questions. Once again, my name is Kelly Robinson. And thank you for listening.