SlideShare a Scribd company logo

Auth on the web: better authentication

K
Kelley Robinson

The document discusses improving authentication on the web while reducing friction for users. It covers using biometric authentication, background signals from devices, and turning devices into authentication keys. The presenter recommends limiting stored data, using contextual data for step-up authentication, offering device authentication where possible, and planning for fallback options in case primary authentication fails. Overall, the goal is to make authentication secure yet easy for users.

Engineering
Related topics:
Biometric Authentication
1 of 40
Download to read offline
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
Auth on the web: Better Authentication Kelley Robinson Account Security Developer Evangelist | Twilio
https:/ /twitter.com/jessitron/status/1425255150998937604
Friction Security
Friction Security
Friction Security Controls
Auth on the web: better authentication
Auth on the web: better authentication
Auth on the web: Better Authentication Kelley Robinson Account Security Developer Evangelist | Twilio
🐦 @KelleyRobinson 📍 Brooklyn, NY 🔐 Account Security @ Twilio 🥪 Home cook & sandwich enthusiast
👀 Biometric authentication 🌐 Background signals 📱 Devices as keys 💡 Recommendations AGENDA
It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them. ” Cormac Herley, The Rational Rejection of Security Advice by Users (2009) ”
© 2019 TWILIO INC. ALL RIGHTS RESERVED. What is friction in account security? • Additional time or steps taken by the end user to prove their identity. • Decreases fraud and spam; helps ensure real users.
© 2019 TWILIO INC. ALL RIGHTS RESERVED. What is frictionless authentication? • Controls shifted from the end user to the application technology. • Requires less (or no) time or action from the end user.
👀 BIOMETRIC AUTHENTICATION
© 2019 TWILIO INC. ALL RIGHTS RESERVED. 👀 Biometric authentication Something you are or do; an inherence factor
Examples CHARACTERISTICS iPhone Touch ID or Android face unlock VOICE RECOGNITION More often used in call centers KEYSTROKE DYNAMICS Behavior based analysis
😃 Pros • Everyone has access to what they are • Can't lose the factor* • Less concern for account recovery 🤔 Cons • Often per-device • Elevated risk of underlying data being targeted if using cloud storage • User privacy concerns • Documented bias in voice recognition models BIOMETRICS
https://www.nbcnews.com/think/opinion/remote-testing-monitored-ai-failing-students-forced-undergo-it-ncna1246769
https://www.nytimes.com/2020/03/23/technology/speech-recognition-bias-apple-amazon-google.html
https:/ /twitter.com/mholt6/status/1033809745755365376
© 2019 TWILIO INC. ALL RIGHTS RESERVED. 👀 Biometric authentication Incredibly useful, as long as we build applications to use it responsibly
🌐 BACKGROUND SIGNALS
© 2019 TWILIO INC. ALL RIGHTS RESERVED. Contextual data, often provided by the end user's platform or device 🌐 Background signals
Examples GEOLOCATION Used for authorization and more. HEADER ENRICHMENT AKA silent authentication sends device details like IMSI HISTORICAL BEHAVIOR Purchase history or usage patterns
BACKGROUND CHECKS 😃 Pros • Outliers are apparent with robust data • Basic checks are easy to implement 🤔 Cons • Outliers can be legitimate use cases • More complex analysis requires more data engineering • Privacy and regulatory concerns
© 2019 TWILIO INC. ALL RIGHTS RESERVED. 🌐 Background signals A useful signal for step up authentication but not always a complete solution
📱 DEVICES AS KEYS
© 2019 TWILIO INC. ALL RIGHTS RESERVED. 📱 Devices as keys Uses public key cryptography to turn your phone into a secure key
Examples WEBAUTHN Open standard for web authentication. Uses browser APIs (~90% supported). PUSH AUTHENTICATION Approve/deny framework similar to WebAuthn but built into a mobile or web application.
DEVICES AS KEYS 🤔 Cons • Per-device • Account recovery is challenging • Device support is not ubiquitous 😃 Pros • Can be a password replacement • Phishing & spoofing proof • Already using devices like our phones and computers every day
Limited authenticator availability for WebAuthn • Roaming authenticators are expensive • Platform authenticators are not ubiquitous
© 2019 TWILIO INC. ALL RIGHTS RESERVED. 📱 Devices as keys Excellent for heavy mobile usage companies. Will be more common as more devices become platform authenticators.
💡 RECOMMENDATIONS
Limit the data you need to store RECOMMENDATIONS
Use contextual data and behavior biometrics as background signals to trigger step up authentication RECOMMENDATIONS
Offer device authentication for users that can support it RECOMMENDATIONS
Embrace fallback options in case of lost devices or biometric glitches RECOMMENDATIONS
© 2019 TWILIO INC. ALL RIGHTS RESERVED. Open discussion • What do you do to decrease friction in your high risk transactions? • What tools do you wish existed for better authentication?
@kelleyrobinson THANK YOU krobinson@twilio.com
© 2019 TWILIO INC. ALL RIGHTS RESERVED. References • A usability study of five two-factor authentication methods • A Tale of Two Studies: The Best and Worst of YubiKey Usability • Google security exec: 'Passwords are dead' • Frictionless mobile authentication coming to the UK • A simpler and safer future — without passwords • The Rational Rejection of Security Advice by Users (2009) • Remote testing monitored by AI is failing the students forced to undergo it • There Is a Racial Divide in Speech-Recognition Systems, Researchers Say (Published 2020) • Yubikey 5 Series • https://caniuse.com/?search=webauthn • https://twitter.com/mholt6/status/1033809745755365376 • https://twitter.com/jessitron/status/1425255150998937604 • https://twitter.com/kelleyrobinson/status/ 1369385723615404033 • https://twil.io/webauthn • Photos: Unsplash

More Related Content

PDF
Designing customer account recovery in a 2FA world
Kelley Robinson
 
PDF
Introduction to SHAKEN/STIR
Kelley Robinson
 
PDF
Identiverse 2020 - Account Recovery with 2FA
Kelley Robinson
 
PDF
2FA Best Practices
Kelley Robinson
 
PDF
PSD2, SCA, WTF?
Kelley Robinson
 
PDF
WebAuthn
Kelley Robinson
 
PDF
2FA in 2020 and Beyond
Kelley Robinson
 
PDF
Clear and Present Danger
Ping Identity
 
Designing customer account recovery in a 2FA world
Kelley Robinson
 
Introduction to SHAKEN/STIR
Kelley Robinson
 
Identiverse 2020 - Account Recovery with 2FA
Kelley Robinson
 
2FA Best Practices
Kelley Robinson
 
PSD2, SCA, WTF?
Kelley Robinson
 
WebAuthn
Kelley Robinson
 
2FA in 2020 and Beyond
Kelley Robinson
 
Clear and Present Danger
Ping Identity
 

What's hot (20)

PPTX
Passwordless auth
Lesha Bhansali
 
PDF
Passwordless is Possible - How to Remove Passwords and Improve Security
SecureAuth
 
PDF
HYPR: The Leading Provider of True Passwordless Security®
HYPR
 
PPTX
Managing Identity without Boundaries
Ping Identity
 
PPT
You Can't Spell Enterprise Security without MFA
Ping Identity
 
PDF
Managing Mobile Business Insecurities
Ping Identity
 
PDF
How Aligned Are IT, Employees and Security Practices in Today's Mobile World?
Ping Identity
 
PPTX
Connecting The Real World With The Virtual World
Ping Identity
 
PPTX
Mobile Security - 2015 Wrap-up and 2016 Predictions
Skycure
 
PDF
CIS 2015-Putting Control Back in the Users’ Hands- David Pollington
CloudIDSummit
 
PDF
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Ping Identity
 
PDF
Passwordless Authentication
Enterprise Management Associates
 
PPT
Identity-Defined Privacay & Security for Internet of Things
Ping Identity
 
PDF
The Case For Next Generation IAM
Patrick Harding
 
PDF
CIS14: Filling the “authentication goes here” Hole in Identity
CloudIDSummit
 
PPTX
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
PPTX
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
PPTX
Catalyst 2015: Patrick Harding
Ping Identity
 
PPTX
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
IBM Security
 
PDF
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
IBM Security
 
Passwordless auth
Lesha Bhansali
 
Passwordless is Possible - How to Remove Passwords and Improve Security
SecureAuth
 
HYPR: The Leading Provider of True Passwordless Security®
HYPR
 
Managing Identity without Boundaries
Ping Identity
 
You Can't Spell Enterprise Security without MFA
Ping Identity
 
Managing Mobile Business Insecurities
Ping Identity
 
How Aligned Are IT, Employees and Security Practices in Today's Mobile World?
Ping Identity
 
Connecting The Real World With The Virtual World
Ping Identity
 
Mobile Security - 2015 Wrap-up and 2016 Predictions
Skycure
 
CIS 2015-Putting Control Back in the Users’ Hands- David Pollington
CloudIDSummit
 
Hitchhikers Guide to the Identiverse - How Federated Business will Rule the W...
Ping Identity
 
Passwordless Authentication
Enterprise Management Associates
 
Identity-Defined Privacay & Security for Internet of Things
Ping Identity
 
The Case For Next Generation IAM
Patrick Harding
 
CIS14: Filling the “authentication goes here” Hole in Identity
CloudIDSummit
 
Securing Mobile Banking Apps - You Are Only as Strong as Your Weakest Link
IBM Security
 
Webinar: Beyond Two-Factor: Secure Access Control for Office 365
SecureAuth
 
Catalyst 2015: Patrick Harding
Ping Identity
 
The ROI on Intrusion Prevention: Protecting Both Your Network & Investment
IBM Security
 
The Next Stage of Fraud Protection: IBM Security Trusteer Fraud Protection Suite
IBM Security
 
Ad

Similar to Auth on the web: better authentication (20)

PPTX
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Dakiry
 
PDF
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QAFest
 
PDF
Brafton White Paper Example
Kayla Perry
 
PPTX
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
PPTX
Hardware Authentication
Coder Tech
 
PDF
Making User Authentication More Usable
Jim Fenton
 
PPTX
Authentifusion: Clarifying the Future of Customer Authentication
Michael Thelander
 
PDF
Access Control
Waseem Hamid Hussain
 
PDF
Authentication.Next
Mark Diodati
 
PDF
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
PPTX
Digital authentication
allanh0526
 
PDF
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
PDF
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
ensuritytech1
 
PDF
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Rob Dudley
 
PDF
Web Authn & Security Keys: Unlocking the Key to Authentication
FIDO Alliance
 
PPTX
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
PDF
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Duo Security
 
PPTX
Two factor authentication 2018
Will Adams
 
PDF
Two-factor authentication- A sample writing _Zaman
Asad Zaman
 
PDF
#MFSummit2016 Secure: Mind the gap strengthening the information security model
Micro Focus
 
Діана Пінчук "Як відрізнити авторизацію від аутентифікації та перестати бояти...
Dakiry
 
QA Fest 2019. Диана Пинчук. Тестирование аутентификации и авторизации (AuthN ...
QAFest
 
Brafton White Paper Example
Kayla Perry
 
Passwords are passé. WebAuthn is simpler, stronger and ready to go
Michael Furman
 
Hardware Authentication
Coder Tech
 
Making User Authentication More Usable
Jim Fenton
 
Authentifusion: Clarifying the Future of Customer Authentication
Michael Thelander
 
Access Control
Waseem Hamid Hussain
 
Authentication.Next
Mark Diodati
 
Securing a Web App with Passwordless Web Authentication
FIDO Alliance
 
Digital authentication
allanh0526
 
AuthN & AuthZ testing: it’s not only about the login form
Diana Pinchuk
 
Eliminate Password Fatigue with Smart Authentication Solutions.pdf
ensuritytech1
 
Secure All Teh Things - Add 2 factor authentication to your own CFML projects
Rob Dudley
 
Web Authn & Security Keys: Unlocking the Key to Authentication
FIDO Alliance
 
WebAuthn - The End of the Password As We Know It?
Thomas Konrad
 
Forrester and Duo Security Webinar - 5 Signs You're Doing Authentication Wrong
Duo Security
 
Two factor authentication 2018
Will Adams
 
Two-factor authentication- A sample writing _Zaman
Asad Zaman
 
#MFSummit2016 Secure: Mind the gap strengthening the information security model
Micro Focus
 
Ad

More from Kelley Robinson (20)

PDF
Protecting your phone verification flow from fraud & abuse
Kelley Robinson
 
PDF
Preventing phone verification fraud (SMS pumping)
Kelley Robinson
 
PDF
Introduction to Public Key Cryptography
Kelley Robinson
 
PDF
Intro to SHAKEN/STIR
Kelley Robinson
 
PDF
Building a Better Scala Community
Kelley Robinson
 
PDF
BSides SF - Contact Center Authentication
Kelley Robinson
 
PDF
Communication @ Startups
Kelley Robinson
 
PDF
Contact Center Authentication
Kelley Robinson
 
PDF
Authentication Beyond SMS
Kelley Robinson
 
PDF
BSides PDX - Threat Modeling Authentication
Kelley Robinson
 
PDF
SIGNAL - Practical Cryptography
Kelley Robinson
 
PDF
Practical Cryptography
Kelley Robinson
 
PDF
2FA, WTF!?
Kelley Robinson
 
PDF
2FA WTF
Kelley Robinson
 
PDF
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
 
PDF
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
PDF
Practical Cryptography
Kelley Robinson
 
PDF
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
PDF
2FA, OTP, WTF?
Kelley Robinson
 
PDF
Forget what you think you know: Redefining functional programming for Scala
Kelley Robinson
 
Protecting your phone verification flow from fraud & abuse
Kelley Robinson
 
Preventing phone verification fraud (SMS pumping)
Kelley Robinson
 
Introduction to Public Key Cryptography
Kelley Robinson
 
Intro to SHAKEN/STIR
Kelley Robinson
 
Building a Better Scala Community
Kelley Robinson
 
BSides SF - Contact Center Authentication
Kelley Robinson
 
Communication @ Startups
Kelley Robinson
 
Contact Center Authentication
Kelley Robinson
 
Authentication Beyond SMS
Kelley Robinson
 
BSides PDX - Threat Modeling Authentication
Kelley Robinson
 
SIGNAL - Practical Cryptography
Kelley Robinson
 
Practical Cryptography
Kelley Robinson
 
2FA, WTF!?
Kelley Robinson
 
2FA WTF
Kelley Robinson
 
Analyzing Pwned Passwords with Spark - OWASP Meetup July 2018
Kelley Robinson
 
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
Practical Cryptography
Kelley Robinson
 
Analyzing Pwned Passwords with Spark and Scala
Kelley Robinson
 
2FA, OTP, WTF?
Kelley Robinson
 
Forget what you think you know: Redefining functional programming for Scala
Kelley Robinson
 

Recently uploaded (20)

PPTX
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
DOCX
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
PDF
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
PPTX
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
PPTX
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
PPTX
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
PDF
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
PPT
Project quality management in manufacturing
BarMusaTetik
 
PPTX
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
PPTX
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
PDF
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
PDF
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
PDF
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
PPTX
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
PDF
Well-logging-methods_new................
ZafriFarid
 
PPTX
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
PDF
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PDF
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
PPTX
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
PDF
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 
Foundation to blockchain - A guide to Blockchain Tech
Davies Chacko
 
ASol_English-Language-Literature-Set-1-27-02-2023-converted.docx
AYUSHMANAV
 
Operating System & Kernel Study Guide-1 - converted.pdf
mranoninvisib16
 
bas. eng. economics group 4 presentation 1.pptx
kiribakimoses1993
 
CYBER-CRIMES AND SECURITY A guide to understanding
Davies Chacko
 
CH1 Production IntroductoryConcepts.pptx
RacemMellouli1
 
Mohammad Mahdi Farshadian CV - Prospective PhD Student 2026
Educational Group Mohammad Farshadian
 
Project quality management in manufacturing
BarMusaTetik
 
Engineering Ethics, Safety and Environment [Autosaved] (1).pptx
MehrabTaseenTalukder
 
CARTOGRAPHY AND GEOINFORMATION VISUALIZATION chapter1 NPTE (2).pptx
abhi1361yadav
 
TFEC-4-2020-Design-Guide-for-Timber-Roof-Trusses.pdf
AinieButt1
 
Embodied AI: Ushering in the Next Era of Intelligent Systems
Yu Huang
 
Model Code of Practice - Construction Work - 21102022 .pdf
AinieButt1
 
Lecture Notes Electrical Wiring System Components
eedgecbhojpur
 
Well-logging-methods_new................
ZafriFarid
 
MCN 401 KTU-2019-PPE KITS-MODULE 2.pptx
VinayB68
 
The CXO Playbook 2025 – Future-Ready Strategies for C-Suite Leaders Cerebrai...
Cerebraix Technologies
 
PRIZ Academy - 9 Windows Thinking Where to Invest Today to Win Tomorrow.pdf
PRIZ Guru
 
IOT PPTs Week 10 Lecture Material.pptx of NPTEL Smart Cities contd
ssusera400e8
 
keyrequirementskkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkkk
mojeeburahmanwardak
 

Auth on the web: better authentication