SlideShare a Scribd company logo

2FA Best Practices

K
Kelley Robinson

The document discusses best practices for implementing two-factor authentication (2FA) using Authy. It covers why 2FA is important for security, different 2FA methods like SMS, push notifications, and time-based one-time passwords. The document also discusses potential issues with SMS 2FA, alternatives to SMS, onboarding users for 2FA, user experience with 2FA, and practical cryptography techniques used in 2FA apps like Authy. Several Twilio engineers provide insights into building phone verification at scale and preventing social engineering attacks using Twilio Flex.

Engineering
Related topics:
Multi-Factor Authentication
1 of 33
Downloaded 12 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
2FA BEST PRACTICES How to secure your applications with Authy TWILIOUSER&DEVELOPERCONFERENCE
KELLEY ROBINSON DEVELOPER EVANGELIST 2FA BEST PRACTICES How to secure your applications with Authy © 2018 TWILIO, INC. ALL RIGHTS RESERVED. FERDINAND PEREZ SOLUTIONS ARCHITECT
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. WHY 2FA?
haveibeenpw n ed. c om
2FA Best Practices
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. 2FA TERMINOLOGY
OTP (ONE TIME PASSWORD) • Generic term • Single use tokens, usually numeric © 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. WHY IS SMS 2FA "BAD"? • SS7 vulnerabilities • SIM swapping (social engineering) Link: The Post SS7 Future of 2FA
But it's not perfect SMS 2FA IS BETTER THAN NO 2FA © 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. SMS ALTERNATIVES
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. Push
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. TOTP (Time-based One Time Passwords)
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. 2FA ONBOARDING
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. 🔓SIGNED IN CONTENT🔓
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. 2FA USER EXPERIENCE
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED.
© 2018 TWILIO, INC. ALL RIGHTS RESERVED. ACCOUNT SECURITY SESSIONS AT SIGNAL
LUCAS VIDAL ENGINEERING MANAGER 2FA IMPLEMENTATION BEST PRACTICES © 2018 TWILIO, INC. ALL RIGHTS RESERVED. JOSH STAPLES SENIOR SALES ENGINEER Dive deeper into 2FA implementation
DAN KILLMER SALES ENGINEERING MANAGER BUILDING PHONE VERIFICATION AT SCALE Phone verification seems like a simple thing to build on Twilio right? Create a random code, send it via SMS and then check it? Not so fast!  © 2018 TWILIO, INC. ALL RIGHTS RESERVED.
SIMON THORPE DIRECTOR, PRODUCT MARKETING HOW TO AUTHENTICATE CALLERS AND PREVENT SOCIAL ENGINEERING ATTACKS USING TWILIO FLEX © 2018 TWILIO, INC. ALL RIGHTS RESERVED. JULIAN CANTILLO SOFTWARE ENGINEER With Twilio Flex, we have much more modern methods of authentication to simplify not only inbound, but also outbound calls.
KELLEY ROBINSON DEVELOPER EVANGELIST PRACTICAL CRYPTOGRAPHY Get an introduction to Public Key Cryptography and learn how Twilio uses it inside the Authy app. © 2018 TWILIO, INC. ALL RIGHTS RESERVED.
THANK YOU! TWILIOUSER&DEVELOPERCONFERENCE KELLEY ROBINSON KROBINSON@TWILIO.COM FERDINAND PEREZ FPEREZ@TWILIO.COM

More Related Content

PDF
Designing customer account recovery in a 2FA world
Kelley Robinson
 
PDF
Introduction to SHAKEN/STIR
Kelley Robinson
 
PDF
PSD2, SCA, WTF?
Kelley Robinson
 
PDF
Auth on the web: better authentication
Kelley Robinson
 
PDF
Identiverse 2020 - Account Recovery with 2FA
Kelley Robinson
 
PDF
WebAuthn
Kelley Robinson
 
PDF
2FA in 2020 and Beyond
Kelley Robinson
 
PDF
Passwordless is Possible - How to Remove Passwords and Improve Security
SecureAuth
 
Designing customer account recovery in a 2FA world
Kelley Robinson
 
Introduction to SHAKEN/STIR
Kelley Robinson
 
PSD2, SCA, WTF?
Kelley Robinson
 
Auth on the web: better authentication
Kelley Robinson
 
Identiverse 2020 - Account Recovery with 2FA
Kelley Robinson
 
WebAuthn
Kelley Robinson
 
2FA in 2020 and Beyond
Kelley Robinson
 
Passwordless is Possible - How to Remove Passwords and Improve Security
SecureAuth
 

What's hot (20)

PPTX
Passwordless auth
Lesha Bhansali
 
PDF
HYPR: The Leading Provider of True Passwordless Security®
HYPR
 
PDF
Managing Mobile Business Insecurities
Ping Identity
 
PDF
How Aligned Are IT, Employees and Security Practices in Today's Mobile World?
Ping Identity
 
PDF
Mobile Security: The 5 Questions Modern Organizations Are Asking
Lookout
 
PPTX
Mobile Security - 2015 Wrap-up and 2016 Predictions
Skycure
 
PDF
5 Ways to Protect your Mobile Security
Lookout
 
PDF
Passwordless Authentication
Enterprise Management Associates
 
PPTX
Outside the Office: Mobile Security
McKonly & Asbury, LLP
 
PDF
2015 Mobile Security Trends: Are You Ready?
IBM Security
 
PDF
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
PDF
Top 7 Mobile Banking Security Tips
Quick Heal Technologies Ltd.
 
PDF
Mobile App Security Predictions 2019
NowSecure
 
PDF
2015 Cybersecurity Predictions
Lookout
 
PPTX
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
IBM Security
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
PDF
Mobile Security at the World Cup
Lookout
 
PPTX
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
PDF
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
IBM Security
 
PPTX
Top 2016 Mobile Security Threats and your Employees
Neil Kemp
 
Passwordless auth
Lesha Bhansali
 
HYPR: The Leading Provider of True Passwordless Security®
HYPR
 
Managing Mobile Business Insecurities
Ping Identity
 
How Aligned Are IT, Employees and Security Practices in Today's Mobile World?
Ping Identity
 
Mobile Security: The 5 Questions Modern Organizations Are Asking
Lookout
 
Mobile Security - 2015 Wrap-up and 2016 Predictions
Skycure
 
5 Ways to Protect your Mobile Security
Lookout
 
Passwordless Authentication
Enterprise Management Associates
 
Outside the Office: Mobile Security
McKonly & Asbury, LLP
 
2015 Mobile Security Trends: Are You Ready?
IBM Security
 
New trends in Payments Security: NFC & Mobile
SISA Information Security Pvt.Ltd
 
Top 7 Mobile Banking Security Tips
Quick Heal Technologies Ltd.
 
Mobile App Security Predictions 2019
NowSecure
 
2015 Cybersecurity Predictions
Lookout
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
IBM Security
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
Mobile Security at the World Cup
Lookout
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
IBM Security
 
Top 2016 Mobile Security Threats and your Employees
Neil Kemp
 
Ad

Similar to 2FA Best Practices (20)

PDF
Effective 2FA - Part 1: the technical stuff
ConorGilsenan1
 
PDF
Two-Steps to Owning MFA
Sherrie Cowley & Dennis Taggart
 
PDF
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...
ConorGilsenan1
 
PDF
Protecting your phone verification flow from fraud & abuse
Kelley Robinson
 
PDF
Shared responsibility model: Why and how to choose the right 2 fa method for ...
ConorGilsenan1
 
PDF
Authentication Beyond SMS
Kelley Robinson
 
PDF
2FA WTF
Kelley Robinson
 
PDF
2FA, WTF!?
Kelley Robinson
 
PPTX
Mobile Two Factor Authentication
Carter Rabasa
 
PPTX
New Opportunities with Two Factor Authentication (2FA) - A How To
Alan Percy
 
PDF
New Opportunities with Two Factor Authentication (2FA) - A How To
TelcoBridges Inc.
 
PPT
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
guestd1c15
 
PPTX
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
PPTX
Two factor authentication presentation mcit
mmubashirkhan
 
PDF
OWASP Global AppSec Dublin 2023 [T]OTPs are not as secure as you might believe
skantos
 
PDF
How to Implement Website Authentication By MyOtpApp
myotpappmarketing
 
PPSX
Welcome to the 3rd generation in user authentication
MarketingArrowECS_CZ
 
PPTX
Privileged Access Management (PAM): A Deep Dive into Modern Authentication: O...
Bert Blevins
 
PDF
Transecq ITA
transecq
 
PPTX
Post password era - Bernard Toplak, OWASP Croatia Meetup 2016
Bernard Toplak
 
Effective 2FA - Part 1: the technical stuff
ConorGilsenan1
 
Two-Steps to Owning MFA
Sherrie Cowley & Dennis Taggart
 
Two Factor Authentication (2FA) Deep Dive: How to Choose the Right Solution f...
ConorGilsenan1
 
Protecting your phone verification flow from fraud & abuse
Kelley Robinson
 
Shared responsibility model: Why and how to choose the right 2 fa method for ...
ConorGilsenan1
 
Authentication Beyond SMS
Kelley Robinson
 
2FA WTF
Kelley Robinson
 
2FA, WTF!?
Kelley Robinson
 
Mobile Two Factor Authentication
Carter Rabasa
 
New Opportunities with Two Factor Authentication (2FA) - A How To
Alan Percy
 
New Opportunities with Two Factor Authentication (2FA) - A How To
TelcoBridges Inc.
 
Mobey Forum Oslo Aradiom Presentation - How to Choose 2FA Security Solution
guestd1c15
 
Seminar-Two Factor Authentication
Dilip Kr. Jangir
 
Two factor authentication presentation mcit
mmubashirkhan
 
OWASP Global AppSec Dublin 2023 [T]OTPs are not as secure as you might believe
skantos
 
How to Implement Website Authentication By MyOtpApp
myotpappmarketing
 
Welcome to the 3rd generation in user authentication
MarketingArrowECS_CZ
 
Privileged Access Management (PAM): A Deep Dive into Modern Authentication: O...
Bert Blevins
 
Transecq ITA
transecq
 
Post password era - Bernard Toplak, OWASP Croatia Meetup 2016
Bernard Toplak
 
Ad

More from Kelley Robinson (19)

PDF
Preventing phone verification fraud (SMS pumping)
Kelley Robinson
 
PDF
Introduction to Public Key Cryptography
Kelley Robinson
 
PDF
Intro to SHAKEN/STIR
Kelley Robinson
 
PDF
Building a Better Scala Community
Kelley Robinson
 
PDF
BSides SF - Contact Center Authentication
Kelley Robinson
 
PDF
Communication @ Startups
Kelley Robinson
 
PDF
Contact Center Authentication
Kelley Robinson
 
PDF
BSides PDX - Threat Modeling Authentication
Kelley Robinson
 
PDF
SIGNAL - Practical Cryptography
Kelley Robinson
 
PDF
Practical Cryptography
Kelley Robinson
 
PDF
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
 
PDF
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
PDF
Practical Cryptography
Kelley Robinson
 
PDF
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
PDF
2FA, OTP, WTF?
Kelley Robinson
 
PDF
Forget what you think you know: Redefining functional programming for Scala
Kelley Robinson
 
PDF
Demystifying Scala
Kelley Robinson
 
PDF
Functional Programming Essentials
Kelley Robinson
 
PDF
Why The Free Monad isn't Free
Kelley Robinson
 
Preventing phone verification fraud (SMS pumping)
Kelley Robinson
 
Introduction to Public Key Cryptography
Kelley Robinson
 
Intro to SHAKEN/STIR
Kelley Robinson
 
Building a Better Scala Community
Kelley Robinson
 
BSides SF - Contact Center Authentication
Kelley Robinson
 
Communication @ Startups
Kelley Robinson
 
Contact Center Authentication
Kelley Robinson
 
BSides PDX - Threat Modeling Authentication
Kelley Robinson
 
SIGNAL - Practical Cryptography
Kelley Robinson
 
Practical Cryptography
Kelley Robinson
 
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
 
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
Practical Cryptography
Kelley Robinson
 
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
2FA, OTP, WTF?
Kelley Robinson
 
Forget what you think you know: Redefining functional programming for Scala
Kelley Robinson
 
Demystifying Scala
Kelley Robinson
 
Functional Programming Essentials
Kelley Robinson
 
Why The Free Monad isn't Free
Kelley Robinson
 

Recently uploaded (20)

PPTX
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
PPTX
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PPT
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
PPTX
Geodesy 1.pptx...............................................
abhi1361yadav
 
PPT
Total quality management ppt for engineering students
juleeyadav818
 
DOCX
573137875-Attendance-Management-System-original
AYUSHMANAV
 
PPTX
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
PPTX
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
PDF
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
PDF
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
PPTX
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PDF
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Ramez Hosny
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PDF
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
PPTX
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
PDF
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
PPTX
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
PDF
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 
Safety Seminar civil to be ensured for safe working.
DILJEETKUMAR8
 
Fundamentals of safety and accident prevention -final (1).pptx
Palani kumar
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
Mechanical Engineering MATERIALS Selection
arsalanahmad705384
 
Geodesy 1.pptx...............................................
abhi1361yadav
 
Total quality management ppt for engineering students
juleeyadav818
 
573137875-Attendance-Management-System-original
AYUSHMANAV
 
6ME3A-Unit-II-Sensors and Actuators_Handouts.pptx
anukaranugi
 
M Tech Sem 1 Civil Engineering Environmental Sciences.pptx
ShriNRPrasad
 
Categorization of Factors Affecting Classification Algorithms Selection
IJDKP
 
Automation-in-Manufacturing-Chapter-Introduction.pdf
pcmth867
 
Fundamentals of Mechanical Engineering.pptx
MdMowdudAhmed
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
null (2) bgfbg bfgb bfgb fbfg bfbgf b.pdf
Ramez Hosny
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
BMEC211 - INTRODUCTION TO MECHATRONICS-1.pdf
ryankakungu
 
MET 305 2019 SCHEME MODULE 2 COMPLETE.pptx
VinayB68
 
Artificial Superintelligence (ASI) Alliance Vision Paper.pdf
SonaliPatil325517
 
UNIT-1 - COAL BASED THERMAL POWER PLANTS
Chandra Kumar S
 
R24 SURVEYING LAB MANUAL for civil enggi
MNANDITHACIVILSTAFF
 

2FA Best Practices