Good afternoon, everyone. Thank you for sticking around for the end of the conference. So we're going to be talking about 2FA today, or two-factor authentication, sometimes also known as multi-factor authentication. So a quick show of hands. Who here is a security engineer? OK, but who here works on a website that has a username and a password, a login page? Congratulations, you're all security engineers. So I think this is one of the things that we think about a lot. We don't self-identify as people that need to care about security. But I think in 2018, we've seen a lot of these password breaches happen. And we know that there are things that can happen. There was a fascinating talk earlier about the security implications that come with usernames. There are things that we can do as web development engineers and Python engineers that help keep our users secure. And multi-factor authentication is one way that we can do that. So this talk is going to introduce some of the different ways that you can use 2FA, get you into some of the technical details, and finally, we're going to show you some of the best practices. But first, I want to take a moment to appreciate the glorious quarter of the internet that is stock photos of hackers. So this guy is especially interesting, because on top of all of the encrypted mess, he got the word "hacked" to show up. And so you know he must be really good at his job. So my name is Kelly Robinson. I work at Twilio. So Twilio is a communications company that allows developers like you to add communications into their applications. We do this in a lot of ways. SMS and voice are some of our popular ones. But we also have products for authentication. So about five years ago, Twilio actually acquired Authy, which some of you might know as the two-factor authentication app. Authy also has APIs for adding 2FA and phone verification into your application. So we try to make it easier for you to add that as developers.
So I work on our Authy APIs. I'm a developer evangelist at Twilio. And so I help with some of this stuff, so working on the documentation, with the helper libraries, and helping make these concepts accessible to developers for getting these things into the hands of our consumers. So this talk is going to incorporate a lot of the things I've learned. Yesterday, my colleague Lizzie gave a quick demo of Twilio. And she forgot to mention the promo code. You can only use that for $25 on your account, whether or not you're a Twilio customer already. So that's $25. You can use that through the 10th, I believe. If you don't take a picture, come ask me for that later. So why does 2FA exist? 2FA exists for a few reasons. But I think one of the big reasons that it exists is because the way that we've been doing authentication for the last 30 or 40 years isn't good enough. And the big way that we've been doing that is with passwords. And passwords, unfortunately, have a lot of flaws. They are often short, easy to guess, predictable. And people reuse passwords. They reuse passwords across the internet. So they reuse the same password that they're using for their bank account on your website. And so that might be a problem. If one of those sites gets owned, you're going to have a problem with people doing things like credential stuffing. So credential stuffing is the process where, when somebody gets a hold of a username and a password or an email and a password combination, they're going to try to use that around the internet to try to get into people's accounts. So you might hope that nobody uses this kind of password: 123456. But of course, people do. So in fact, this password is the most commonly seen password in password breaches. It's been seen over 22 million times. This is according to the site Have I Been Pwned, which is a project from security researcher Troy Hunt. So if you haven't been to this site before, it's really, really interesting.
You can go there and type in your email address and see what data breaches your email address has been seen in. So if you want to go do that now, please. If you see your email on any of those sites, please go change your password, if you haven't already and those sites didn't force you to change your password. Or if you were using a password for that site that you were using on other sites on the internet, this is a good opportunity for you to know to go change your password. So that's one of the last things I'll do in terms of end user security advice. A lot of what this talk is going to focus on is how we as web developers can encourage our users to use good security habits and make it a little bit easier for them to not get caught up in the situation, even if their password does get owned. Because it's going to happen. Security is one of those things that we're all concerned about. And we might think that our site is going to get hacked, but I think the saying goes that everybody's been hacked, some people notice. So hopefully you're not gonna be the person that happens to, but it could happen to anyone. And the most popular passwords don't really change. So Troy Hunt just recently updated his data set. And I think he said that something like 79% of the passwords that he got with this new data dump of some million number of passwords, like 79% of those were already in his data set. And so these things don't really change over time, with the exception being when new sites get hacked. So if MySpace gets hacked, there are a lot of passwords that show up, like "myspace1". So that was hacked a few years ago and we have seen 700,000 of those in these data breaches because people tend to correlate their passwords to the sites that they're using them for. People use password formulas that are generally pretty easy to guess if you know which site they're using it for. So we've tried a lot of things to make passwords more secure.
We've tried to implement password rules. NIST, the National Institute of Standards and Technology in the US, just recently updated their standards to say that you don't need to have things like special characters and numbers. That update came in 2016. And basically the reason for that is we get things like this guy who ends up with a lot of these same password patterns. And so we've all done it. You get to a password site and you have a password that you've been using all over the internet and all of a sudden it's like, this must also contain a special character. Cool, I'll add an exclamation point to the end. And so the ways that we get creative for these things aren't all that clever. I think we've all substituted the at sign for the A, the dollar sign for the S. These are things that are predictable, and people that are writing password-cracking programs can predict them in their programs too. So I think that the moral of this is that passwords aren't enough. So this guy's wearing gloves to type and there's like money on the keyboard. So passwords aren't enough. And people know that, so we've resorted to doing things with multi-factor authentication to help secure our identities. So when it comes to authentication and multi-factor authentication, what are the factors that we're talking about? Well, there's knowledge, there's something that you know. Possession, something that you have. And inherence, which is something that you are. And so things that you would know would be like a password, things that you have are something like a phone or a key. And things that you are are biometric data, so that could be fingerprints, your face for Face ID. And we're starting to get into more sophisticated methods here like voice recognition, like patterns in terms of, this could be anything from the cadence of your voice to the way that you walk and those types of things.
So a common example of something that uses two-factor authentication is a debit card and a PIN. That is something that you have and something that you know. And on the internet, a way that we see this often is with a password and a one-time code that somebody sends to your phone. But let's talk about Reddit. What happened with Reddit is on August 1st of this year, Reddit announced that it had a security incident. And for anybody that works at a company that deals with security, I think Reddit's response to this was a really good way to demonstrate good security incident response. There are entire teams at larger companies that tend to deal with this kind of stuff. And I think Reddit did a really good job of kind of letting people know what happened and how they were taking steps to fix it. But on August 1st they announced that they were hacked and they announced that employee accounts were compromised. And the data that was stolen was stolen from cloud and source code hosting providers. So probably like GitHub and AWS. So the hackers may have gotten into really important stuff. You know, we store a lot of things on AWS and GitHub. Don't store secret keys in those places, if you can avoid it. But the interesting thing about this is that Reddit actually required 2FA for all of its employees. But their working theory at this time, and I actually haven't followed up on this since, so I wonder if they've figured out anything more. But the working theory was that the employee accounts were compromised because the hackers were able to bypass the SMS-based 2FA. And so SMS is the most common type of 2FA for online identity management. And the factor in that case is the something that you have, which is your phone. But you might have heard some things about this. This is starting to get picked up in more popular culture about how SMS-based 2FA is not secure. And I just wanted to address that for a minute. Why this is seen as less secure.
Probably because little guys like this are trying to hack into your computer. I don't even know anymore. So SMS 2FA is quote unquote bad, and I'll talk about why. There's a lot of acronyms on this page. I'm gonna explain them. So the first reason that we talk about this is the SS7 vulnerabilities. And so has anybody heard of this? A couple of people, okay. So SS7 is Signaling System 7. This did come after Signaling System 6. And so this is a telephony thing that's basically the way that two telephony providers talk to each other. And so this is especially common in cases of roaming. And so I have Verizon in the U.S. And so if I take my Verizon phone and go to Colombia, I am roaming on the Movistar network there. And so when I get down there, all of my texts that come through Verizon, Verizon says, hey, Movistar, we notice Kelly is down in Colombia. Can we send her text messages to you? Or vice versa, Movistar might say, hey, route her text messages to us. She's down here, we see her. And so one of the ways that this is vulnerable is that that entire relationship is built on trust. And so people can either impersonate carriers or they can become their own fake carrier, which it turns out is not entirely impossible, and basically convince people that they are a different carrier and kind of interject themselves into that type of relationship to get your text messages routed to them. This is something that's been covered on 60 Minutes. It's a known vulnerability, but it's not entirely super common. It's not something that you're gonna see happen a lot unless you're a high-profile individual that people are explicitly trying to target, which is generally the case with most security things. But the other thing that does happen more often, that is a little bit easier to do and makes you a little bit more vulnerable, is this idea of SIM swapping.
And so this is the case where somebody that was out to get you might call your mobile phone provider, in this case, my case, Verizon. And so if I had like a vengeful ex-boyfriend that wanted to come say like, hey, I need to get into Kelly's phone, they would call up Verizon and say like, oh my gosh, you know, Kelly lost her phone, she's traveling, I just need you to send her a new SIM card to my address because she lives with me or whatever. And basically if they socially engineer Verizon well enough, or sometimes bribe Verizon to do this, there have been many people that work at telephone providers that have either admitted to being bribed or said that people tried to bribe them, they can basically send a new SIM card with all of my information attached to it and then somebody else all of a sudden has control of all of my data, all of my number, like they are me for all intents and purposes. And so these are two pretty significant vulnerabilities that are available through SMS that make that a less secure form of multi-factor authentication. So what are we gonna do about this? Well, there are alternatives to SMS. We live in the future. Hopefully we won't have to be in this kind of robot-based typing simulation but you know, I don't know what's gonna happen. So some of the alternatives that we have available to us are YubiKeys, which are the physical keys that you have, push authentication, which I'll talk about, and finally TOTP. So YubiKeys, does anybody here use these? We use these internally for our engineering team and so any kind of employee-based accounts. Yep, this guy in the front has one.
So this is something where, unless you have the physical YubiKey, you are unable to authenticate, and these generally use asymmetric cryptography, and so there's a private key that's only on the YubiKey and then you have a public key that's associated with whatever server you're trying to authenticate with. So this is some kind of hardware token. Push authentication, so this is something that when you try to log in, this is a software-based solution that requires some kind of app or SDK on your phone, and so this is when you would try to log in, you can use this either for login or transaction-based authentication, so if you're trying to send money to people, you can use this as another form of verification for that, so the person will get a pop-up on their phone that says, was this you trying to do this, and then you can either accept or deny that transaction. This is an interesting form of MFA because it's one of the only forms right now that also provides the negative feedback, and so you can actually use this information to try to target and pinpoint attacks. If people are actually denying multiple requests, that can give you information that somebody is trying to attack them, which is not available with most of these other methods. And finally TOTP, I think this is one that's starting to become a little bit more common with apps like Google Authenticator and Authy, and so these are based on time-based one-time passwords, and so one-time passwords as a concept is just that, it's a concept, so those are one-time tokens that can either be sent to you via text message or in this method where you have this kind of expiring token. This is interesting because this is standards-based and so there was actually an RFC for this that was standardized so that people would implement this in a similar way, so that anywhere that you see, like, scan this QR code in Google Authenticator, you can use Microsoft Authenticator, you can use
Duo, you can use Authy for that because these are all standards-based, and what they're all basically doing is scanning a secret key onto your device, and so you have a symmetric key on your device and the server that you can use to authenticate. And let's walk through how that works. So there's an algorithm for this that's outlined in the standard and it's not really as complicated as it seems, and so that secret key is what you get when you scan the QR code, and then the other input into this algorithm is the current time, and so that's where the time-based part of this comes from. And this is really interesting because those two inputs are not based on the current network, and so this is one of the other forms of 2FA that's available offline, and so this is a really good option to make available if you have people that are going to be either in foreign countries, or if you're going to have people that are on planes, this is a form of 2FA that you can use if you don't have access to the internet. So with those two inputs, you put them into a signing function, you hash that and then you truncate it to get back out that kind of six or seven digit readable number that somebody can use on the other end. So if you wanted to do this in Python, there are libraries available for doing this. So this is using PyOTP, and so this is a one-time password library that has this kind of TOTP method available in it. There is also HMAC-based one-time passwords, or HOTP, which is another RFC standard. TOTP was an evolution on top of that, and so you can do both of those methods with the PyOTP library, and I think as you can see, there's only a few steps that you need to do in order to verify a number. There are some things that you can do in order to make sure that these don't get out of sync with each other.
The only downside with using TOTP is that sometimes there are sync issues if your system times get unaligned, but there are methods that are built into this library that allow you to kind of re-sync the two clocks on either side. There was a great talk at PyGotham from someone about how to use PyOTP and he goes into a lot more detail about how to use this library. Definitely recommend you check out that talk if you wanna learn more about this. But I do wanna talk for a minute about: don't roll your own crypto. Use libraries like PyOTP, bcrypt, the login methods in a lot of your favorite libraries and frameworks will have the crypto built into it, and so you don't wanna do this stuff yourself. Use the well-accepted encryption schemes and login methods that have already been implemented for you because you don't wanna be responsible for being the one that messed that up. So let's talk about what this means for you, or rather what it means for you in your website. So I do wanna focus this back on what we can do as web developers to kind of implement this, and so let's look at what Reddit did. And so what they're doing now is requiring token-based 2FA for employees to gain entry. So I don't know what this means exactly, but it might be that they're using something like TOTP or they're using something like a YubiKey in order for their employees to gain access to the accounts, but something that's less hackable than an SMS token. But this is going to depend on what you're trying to protect, right? Like I mentioned earlier that if you're a high-profile target, you're probably going to want to use more security to protect yourself or to protect your customers than you would otherwise. If you're Coinbase, you wanna have a higher level of security for your consumers to get into their accounts than you do if you're like momsflowers.com.
And so what they could do as a potential model for Reddit's 2FA is they could make their employees use token-based 2FA, they could require that. For somebody like moderators, you could require that they use 2FA of any kind, and you're starting to get into the understanding of what is motivating these people to turn this on, and you wanna understand what it makes sense to have people use that doesn't make them angry about it, right? And so for people like employees, it's fine, you can require that because you're literally paying them. Like you have an IT department that can hand them that YubiKey and say like, you won't get your next paycheck unless you use this when you log in, and that kind of stuff. So that's fine. Moderators are more invested in Reddit, and so they're okay, they spend more time on the site and so they're okay with being forced to turn on 2FA. And then for everyone else, you can make it optional. Maybe they don't want to turn on 2FA, but if they're security-conscious people and don't want to have their accounts be more vulnerable, they can turn it on if they want. And you can take this model and you can apply it to other industries too, and so I mentioned Coinbase; if you work in banking, you can start to tier this based on the type of accounts that you have. And so in banking, you could do it by account balance. If you're Twitter, you could do this like, for verified users require token-based 2FA. For users with over 10,000 followers, you require 2FA. So you can start to think about how you would tier this for your business to understand what makes sense for your users. Basically, you want to model this in terms of what the fraud is going to be worth to your company and what it's going to cost you if these different types of accounts get hacked. There are ways that you can actually do that calculation.
You can figure out what it's going to cost you if certain account types get taken over, and this is a really common problem that you're going to have. But this does come down to the risk profile of your business; the risk profile of your users is specific to the business that you're in. And so without talking to you and understanding what the business that you're in is, I can't give a generic recommendation to everyone, except for the fact that YubiKeys are usually, right now at least, only reasonable for requiring employee logins. And that goes back to the fact that you have an IT department that can hand somebody a YubiKey on their first day and tell them how to use it. You know, even somebody like Coinbase, they're not necessarily going to be able to send one to all of their users because they don't know exactly who they are. And I finally want to mention that SMS-based 2FA is still better than no 2FA at all. We have a lot of people that end up using this because it's low friction. Everybody has a phone at this point that can generally receive text messages. Even if they don't have a phone that can receive text messages, they can usually still receive voice calls. And any of those other methods generally require some other type of hardware, a smartphone with an app. Even if people have smartphones, they're not always willing to download an extra app to do this. And so the low friction aspect of this still makes people turn this on more often because they don't have to think about it as much. Android and iOS both support auto-filling from SMS 2FA now. iOS just released that in iOS 12. And so there are starting to be ways that the phone manufacturers are building this into their products because they understand that this is incredibly common. And generally we wanna avoid victim-blaming users. It's easy to tell people to use a password manager. I've done it.
It's not bad advice, but we generally wanna take the responsibility on ourselves to make our websites easier to use. Add reasonable password requirements if you can. Offer one-time passwords where it makes sense. One company that does this is Lyft. When you log into Lyft on mobile, they actually text you a one-time password. I don't even know if you have a password associated with your Lyft account, because every time that I need to log out and log back in, they do that with a one-time code that they text you. And try to incorporate this as seamlessly as possible into the user experience for your MFA. So I hope I've sparked an interest in securing your users and given you an idea of just what kind of security you may need. Come find me after this or contact me if you have any questions. Once again, my name is Kelly Robinson and thank you for listening. Thank you Kelly.
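Added example, not part of Kelly Robinson's talk and not Twilio, Authy or PyOTP code: the TOTP flow the talk walks through (shared secret plus current time, HMAC, dynamic truncation, six-digit code) written out with only the Python standard library, so the "secret + time in, readable number out" step is visible, together with HOTP (RFC 4226) underneath it, a verification window for the clock-drift problem the talk mentions, replay rejection within a step, and the otpauth:// URI that a QR code carries to Google Authenticator or Authy. The secret and timestamps are the published RFC 4226 / RFC 6238 test values; the account name "alice@example.com" and issuer "Example" are made up. This is for understanding the algorithm; in production use a maintained library such as PyOTP, as the talk says.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote

# RFC 4226 / RFC 6238 published test secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC(secret, counter) -> dynamic truncation -> zero-padded digits."""
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                           # low nibble of last byte selects 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF  # drop sign bit, 31-bit int
    return str(code % (10 ** digits)).zfill(digits)   # keep low `digits` decimal digits


def totp(secret, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: TOTP is HOTP with counter = floor(unix_time / step)."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algo)


def verify_totp(secret, code, for_time=None, step=30, digits=6, window=1, last_counter=None):
    """Return the time-step counter the code matched, or None.

    Checks the current step and +/-`window` neighbouring steps to tolerate clock
    drift between the phone and the server, refuses any step <= `last_counter` so
    a code cannot be replayed inside its validity window (RFC 6238 section 5.2),
    and compares in constant time so timing does not leak partial matches.
    The caller stores the returned counter as the new `last_counter`.
    """
    if for_time is None:
        for_time = int(time.time())
    if not (isinstance(code, str) and len(code) == digits and code.isdigit()):
        return None
    counter = for_time // step
    matched = None
    for c in range(counter - window, counter + window + 1):
        # evaluate every candidate, no early break, so timing is uniform
        if hmac.compare_digest(hotp(secret, c, digits), code) and (
            last_counter is None or c > last_counter
        ):
            matched = c
    return matched


def provisioning_uri(secret, account, issuer, digits=6, step=30):
    """otpauth:// URI encoded into the QR code that the user scans into an authenticator app."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    label = quote(f"{issuer}:{account}")
    return (
        f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}"
        f"&algorithm=SHA1&digits={digits}&period={step}"
    )


if __name__ == "__main__":
    # Illustrative names only (assumed, not from the talk).
    print(provisioning_uri(RFC_TEST_SECRET, "alice@example.com", "Example"))
    now = int(time.time())
    code = totp(RFC_TEST_SECRET, now)
    print("current code:", code, "-> matched step:", verify_totp(RFC_TEST_SECRET, code, now))
```

The window check is what the talk's "re-sync the two clocks" amounts to in practice: a code from the previous or next 30-second step is still accepted, but once a step has been used it is refused, so an SMS-style interception of a code that was already typed buys the attacker nothing.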