
Um, can y'all hear me? Okay, or do I need to use a mic? >> All right, perfect. So, reframing multifactor authentication in contemporary cyber security. This is not the original title. The original title was how to talk about MFA without sounding like a douche. I decided I couldn't put that on a presentation title. But that's kind of the intent of where we're going. So, oh man, my little controller went to sleep. It's always something. All right, so just a quick overview of what we're going to be talking about. Yeah, I got I had to get the mess up out of the way. Um, so we're going to be going through what MFA is, just a brief overview, the
current state of adoption, what can be done, our responsibility as a community, both professional and non-professional, some example best practices, and then examples from my career because otherwise you don't have to trust anything I say. But before we get into all of that, I feel like there are some necessary disclaimers. A, when talking at any cyber security event, but B, when talking at, uh, about a topic like multifactor authentication, I'm not a multifactor authentication expert. There are tons of people that know tons more about how all the different methods work, about the implementation of FIDO2, how passkeys work, and I can understand, I can talk with it. For me, I've deployed it hundreds of times at this point to tens
of thousands of end users, but I'm not claiming to be an expert on the software. And this is not an exhaustive discussion. There are tons of things we can talk about with MFA. This is just a small bit of it and specifically not a discussion on which methods are best. For the purpose of this talk, the goal is any multifactor authentication, but ideally strong authentication. So trying to go at least a step above texting and emailing please and getting into things like time-based one-time passwords or better FIDO2 keys, hardware tokens, passkeys, whatever we can do. The final bit of the disclaimer is there has to be some element of trust because we are at a cyber security conference.
So to that point, this is a rick roll. You are welcome to scan it. You do not need to. Every other QR code that I show is just at the end and has URLs with it. But just in case anyone wants a laugh, we'll get that out of the way. So, I come from quite a varied background. Um, I am a competitive West Coast swing dancer. Um, recently moved to Raleigh primarily for the dance, but it's also a great area for technology. I also played disc golf quite badly. I think anyone who plays disc golf and thinks they're good is either professional or lying. Um, and then recently I started working at Red Hat as well as a consultant uh
working with uh mostly uh telecom customers. So now that we got that out of the way, hopefully we're all at least familiar a little bit with MFA, with multifactor authentication. So it is hard to create or define a definition because it's a term. It's not a word by itself, but I was able to come up with one. Multifactor authentication. It's a noun meaning a security method that requires users to provide two or more verification factors to gain access to an account, application, or system. Again, not a real word, not a real definition, but it's something we're going with. However, that's a little bit wordy, a little bit caught up. So, I asked my fiancée uh roughly 9:00 p.m. on a
Sunday what multifactor authentication is, and she said, "That's the thing where a program texts you a code to get in." I mean, honestly, that's not that bad of a definition, especially when we're talking about what multifactor authentication is seen as. Now, before we dig into the perception of multifactor authentication, I want to go ahead and and get some of the technical or leg like logistic side of it out of the way. So, who is familiar with the term the three factors of MFA? We got like five people that have raised hands. So we'll go ahead and break it down. So it is something you have, something you know, and something you are. And for multifactor
authentication, ideally we want to be combining at least two of these at any given point. So for something you know, this is things like passwords, PINs, or security questions and answers. Things that you know, kind of intuitive. For something you have, it gets a little bit more blurry, but this is things like mobile phones or authentication apps or hardware tokens. If you're familiar with like RSA keys or YubiKeys, anyone here use a YubiKey? They rock. Heavily recommend them. Not a sponsorship. Just think they're really neat. And then finally, something you are. Now, you could argue that all of these are also things that you have like fingerprints or your face. Uh, but as
far as we're concerned with breaking it down, these are things that you are that someone else can't take from you. So, for any good implementation of MFA, we want to use at least two of these. Whether it's combining a password and a notification from an app or whether it's combining a security token and a PIN for said token like what we often use with YubiKeys. We want to be some balance there. So now that we've got the kind of technical what is MFA out of the way, we can talk about the current perception of multifactor authentication. Now, there are a lot of studies and I've got a GitHub repo that I'll share at the end
that has a lot of these studies linked uh as well as some of the articles if you're curious about reading them. But I went ahead and did a I had um an AI review made of all of them summarizing them. Then I took that and made a word map trying to get it as simple as possible and it's kind of telling. Annoying was the number one word and this was backed up in several reports that I saw leveraging Twitter comments, leveraging, uh, surveys to users. Annoying is the number one thing in the perception of multifactor authentication. And honestly, they're not wrong. So why do we have this negative perception currently? Well, just like with any
software, especially coming from Red Hat, I have to say it, we innovate and iterate. We constantly are changing things. We're building off what we've learned. But what that means is that we aren't starting with the best. We start with whatever the bare minimum was. So, at some point, it was just a username and password and then we realized, oh, hey, someone can really easily steal that. So, then it became common to get an email based off of, you know, your sign in. And then we upgrade the text and so on and so forth. So gradual public release was the first and most major cause of the negative perception because just as soon as users are
beginning to adopt it, beginning to become comfortable with a method of multifactor authentication. Sorry that's not secure anymore. You have to do this new thing instead which leads to it being viewed as a hindrance. And speaking objectively it is a hindrance. Multifactor authentication is by definition adding an extra step to the sign-in process. So that makes sense. And then another, and this is very recent, SMS is considered secure. Uh, out of curiosity, anyone know how much it costs to get access to a cell tower for 6 months? Like root access to a cell tower? >> Dead on the money. $6,000 is the average going rate of six months of access to a cell tower. With a cell tower, you can
then say, "Oh, that number's roaming." And as long as it hits your, you know, that network first, any text to send to that number will get redirected wherever you tell them because it's roaming. And then you can then pass it on to the actual person. That's not a lot of money and that's not hard to do, especially with spear phishing attacks. SMS is not a secure method. But how many of you are Twitter Blue subscribers? Don't if you if you are, you don't have to own up to it. It's okay. But with Twitter, one of the big things is if you want to upgrade to the more secure method of authentication, text, you can be a Twitter Blue subscriber.
Otherwise, you're limited to one-time passwords through an app like Google Authenticator. That's the more secure method, but it's gotten to the point where people are willing to pay $5 a month to get texts instead because it seems more secure. We were told, "Oh, you can't do email because emails can be hacked and all of that. You should do text because your phone's always on you." So, right now we have this major push back because SMS is considered secure. So, what has been done to combat this so far? Well, there have been some efforts to promote multifactor authentication adoption. One of the biggest is there's been public awareness campaigns. Now, those are immediately pushed back on by
things like Twitter saying SMS is secure. But there have been some efforts to do that both by security companies and by companies like Microsoft and Google who want to leverage the fact that they have good authentication methods. There's also now platforms requiring MFA by default. If you've signed up for Microsoft 365 recently or had to create a new account, you'll know that as soon as you sign in for the first time, it says, "Great, put in your phone number. We'll send you a text." Now, it also then says, "Thanks for the text. Here's the link to download the app that you have to use instead." So, there's some issue with that, but it's at least progress,
which is that next step. MFA setup's now integrated into onboarding for a lot of platforms. And hopefully for anyone who's a managed services provider or is a third-party vendor, something like that, it's something we all should be doing at user onboarding is making sure multifactor authentication is pushed and set up correctly. Lastly, there's some innovations aimed at improving the user experience. Things like just calling out Microsoft again for doing a good thing. The Microsoft Authenticator now has a QR code-based passkey where the QR code pops up on the screen. You pull out your phone, scan it, and that's it because you unlocked your phone. That's something you are, your fingerprint or face, and it's something you have. The phone
itself, that's two methods. That's all it takes. And then it uses Bluetooth to say, "Yeah, I'm by the computer." So, we have some really good stuff. It's just not necessarily in customers' hands right now or in users' hands. Which gets to the next the challenges faced by promoters. There's a lot of people, a lot of cyber security professionals, a lot of regular tech professionals who are saying we need MFA, but the biggest push back right now is user fatigue or MFA fatigue. This is constant because it's been beaten over the head so much. People will do anything they can to get out of having to take that extra step. I mean, I'm sure at least some of us are guilty of
it. I mean, I'll own up to have done this before where I'm using a browser plugin to store my multifactor authentication that also does my password storing and so it will, you know, fill my passwords for me and then when it pops up the prompt for the six digits, it autofills that, too. Except that's not actually MFA anymore. I just took MFA and distilled it down to if my computer's unlocked, you can sign into everything. So user fatigue or MFA fatigue is absolutely miserable and a constant challenge to push back against. And there's also some usability issues. Those exact same browser plugins that can help also kind of make it miserable sometimes. There's
constant different recommendations. And if you work in, you know, a law firm or a doctor's office, you have to be there for like a day at most before you hear someone say, "Oh, if you're going to be setting it up, you should do this." and talk about a less secure method to do it that's easier. Which is why we have misinformation issues because everyone's trying to get through that hurdle, get through the thing that's miserable to just do their job, to just be able to do whatever it is they're trying to sign on the account to do. Whether it's your Bank of America account or Delta trying to get your flight information figured out because
you're able to put your SkyMiles number in, but then when you went to sign on, password doesn't work anymore because you're an idiot, forgot it and saved it on a different computer. There's all sorts of stuff going on that are these constant barriers. And I actually had to add one more point after a recent event I was at, which is accessibility. And this wasn't one that I knew about because I don't have a disability that causes me to have impairments when it comes to multifactor authentication. But for someone who's visually impaired or even in some cases for color blindness and for other impairments, there's not a lot of good options right now with multifactor authentication.
Now if any of you have used uh Google Messages for web, that uses emoji-based authentication. That's actually an accessible method of multifactor authentication. Match the emoji shown on your phone. It's shape agnostic, color agnostic. You don't have to be able to read to be able to do it, you just have to be able to match the design. So there is some good efforts there but this after a recent call out that's something that I've been seeing as And then we have two others, security trade-offs and organizational resistance. Uh does anyone know? It's not a real thing, but the layer zero of the seven layer networking model. Anyone familiar? It's the financial layer
because nothing's happening if the money's not there. So there's always this constant balance as professionals of organizational push back and the security trade-off trying to figure out the best bang for the buck trying to convince the CISO or the CTO or whomever or just that one random C-suite user that is really set on just getting it through text to their phone because that's what's secure because Twitter told them so. So what can we do? This is kind of where it gets into the nitty-gritty and kind of sometimes the depressing bit. But there are still some remaining gaps in the public perception of multifactor authentication. There's a lack of understanding of its importance. Again, it's seen as a hindrance.
There's a belief that it's complicated or unnecessary because it is complicated. And sometimes, very rarely, it is unnecessary. Well, I'll I'll put a a modicum of belief there. There's privacy and trust concerns. I mean, I can't tell you how many times I've heard someone say, "I don't want to use the fingerprint because I don't want Apple to have my fingerprint," or, "I'm not gonna do that because I don't want Google to have my fingerprint or whatever." That's not how that works. And the problem is, as soon as you start telling someone, "Oh, well, actually, that's used for authentication locally on your device, it's not making sure that the third party has it. It's the device saying that the same person who
set up the fingerprint is the one who's currently doing the thing." And they're going to tune out immediately. And not only that, they're going to become kind of annoyed at you for knowing more than they do. So that is an actual concern. And then there's limited support for users facing issues. My mom's in the front row. I can't tell you how many times she's called me because American Airlines or whomever is locked her out because she didn't have something set up. Nothing on you. It's just miserable sometimes. And so I'm the support for her. I'm glad to do it. But not everyone has a son who's happy to help out. [laughter] And instead, we end up, you know, trying
our best, but there's Googling and there's people who think they found the support number for Apple because they found it on a website and the person was able to help get remoted into their computer. Hate hearing that. So, how can we reframe these challenges? Well, we start by emphasizing personal empowerment and convenience over security mandates. That's a really technical way to say we can start teaching people actually how to do it. We can teach them the technical side of it, but most of the people who need MFA are not the ones who care about the technical side of it. There's a uh expression used in Boy Scouts, in Girl Scouts, in venture scouts, which is uh
the EDGE method of education, which is explain, demonstrate, guide, and enable. You need to explain how to do it, demonstrate how it's done, guide them through the process, and then full understanding has happened when they can walk someone else through that process. So, we need to start empowering other people to be able to do that same thing. You don't need to understand the technical side of it to understand how to use something like a YubiKey, which is way more secure than text authentication. We start to use real world scenarios to show its practical beliefs because we can talk about why it's important. We can talk about, oh well, this method does this, but what's really going to
show is when we say, hey, did you see in the news this company was, you know, they had this access or a a threat actor gained access to this thing? Well, I don't know how many of y'all watched the uh Simply Cyber uh daily news report, but there was a couple of companies that were uh had vulnerabilities the other day, and across the board, not a single one of them had MFA set up. We should all be doing that at this point. But those both positive and negative, you can use those real world examples. Hey, did you see the news about, you know, company X? It looks like they didn't have multifactor and someone found a password saved online
and was able to get access to a whole bunch of stuff they shouldn't. We can also frame as a proactive step. MFA is not something you put on. It's not a band-aid that you put on after you've been cut. It's the protective armor you put on so you don't get cut. It doesn't do anything once someone's already attacked or once something's already vulnerable. So we need to begin and continue because a lot of cases we are doing this well but we need to be continuous about framing multifactor authentication as something we do to prevent the issue. Otherwise you'll end up with the whole well I didn't have it before and it was fine so obviously I
don't need it now I just need to get my account back and then I'll be fine. No, that's not how it works, but the only way to do that is by talking about it ahead of time. And then the last way that we can, well, the next last way we can reframe these challenges is to stress the positive impact of MFA on what we're doing daily. So I asked before about who had keys compared to a text to your phone. Do you all think a YubiKey is easier to use? I saw two nods, one maybe, one no. So I feel like that's a pretty fair assessment. So with something like a YubiKey
or with a passkey, you can view it either way. If it's set up really well and if it's an environment that supports passkeys, it can be a positive thing. It can be potentially easier than having to look and type in numbers. It can also be a negative thing. It can be something that's an extra step that's worse because now you got to take your keys out of your pocket. I know one of my friends leaves his, he's got the little micro in. He leaves it plugged in all the time. You know, kind of falls back in the same one factor authentication, but you know what? It's at least a step in the right direction.
So, we need to be stressing the positive impact they can have. It can potentially be easier. The QR code thing from Microsoft incredibly easy to use once it's set up. But there is a single most important thing that we need to be doing to reframe all of this. We need to be tailoring our messaging to the audience's needs. If we're talking with professionals, yeah, you know, we know how to talk to other cyber security folks about MFA. We usually just don't because we're ashamed that we're not doing enough. But we need to be tailoring to technical users, to business owners, to non-technical users, and adjust our conversation each way. So what would that look like in practice?
Well, for non-technical users, using visual metaphors, things like talking about uh a two lock system on a door or in some cases a lock and then your alarm system once you get in. These are great metaphors because there's nothing technical in the description, but it tells you exactly what you're doing. And the more effort you put into the metaphor, the more accurate you can get it and ideally in less words. We can also focus on step-by-step walkthroughs. I'm sure some of you all have seen the thing or maybe even done it with your kids where you have them write down the steps of making a peanut butter and jelly sandwich and then you follow exactly what they wrote. could be kind
of funny sometimes like putting the knife in the peanut butter and you just full-on drop the knife into the peanut butter. But that's a great exercise for when we're talking with nontechnical users because we need to be able to give a step by step of what they actually do regardless of an understanding of why they're doing it or how it's being done because that's what's actually needed. And we can do that presenting things in a story format talking about well we're doing this to bring this about to cause this to stop this from happening giving a narrative explanation rather than a technical explanation. We can also relate to everyday tools, comparing it to the stuff that they're
already using, comparing a, you know, server that they're accessing to the printer down the hall because they know how to access the printer and they know why it's important that they have to put their PIN in on the printer to get their prints that no one else does, but they don't understand why they have to use MFA every time when they're accessing the FTP server. So, it's that same kind of process of relating it to the things they already use. Now when we switch to talking with business leaders this process changes. So instead the number one thing when you're talking with a business user, how many of you are familiar with the term BAU? Not from Criminal Minds.
>> Business as usual. So again for me every time I hear it I still think BAU from Criminal Minds, the behavioral analysis unit. But BAU is a term commonly used to mean business as usual. Things happening how they're supposed to be happening. And the number one thing when you're talking about multifactor authentication with anyone who's, you know, C-suite or who's a controller or anything like that, you need to talk about continuing business as usual because they don't care a lot of times. They don't care about the money. They don't care about the technical side of it. They don't care about the security. What they care about is that it won't interrupt or cause a halt to their
current business. We have to emphasize maintaining trust. This one's a little bit easier because we can compare it to current cyber security issues to the trust lost when so and so gets hacked and we need to highlight protecting assets because at the end of the day both of those two points tie in to continuing business as usual. Now for technical audiences we need to do basically the opposite of everything I've been advocating for so far in this presentation. We want to highlight advancements, identify security integrations, leverage existing convers or technologies, and leave room for them to take the lead. If someone is highly technical, honestly, if someone's very knowledgeable in anything, they want to talk about the thing they're
knowledgeable in. There's a whole game show called Um, Actually where you're where the goal is to correct incorrect statements by going "um, actually." Tech people are not that different. We want to talk about the things we're passionate about. So if you're talking with someone who's, you know, a leader on the security team or a leader, you know, sysadmin in whatever environment, there's something in that environment that they're proud of or hate but enjoy hating. But there's always something. So we want to tie into that. We want to let them take the lead. We want to engage them in conversation because they want to talk about the technical stuff. But that is only this one use case. Aside
from technical audiences, we want to be talking about it in the way that's going to work best for that person. And we don't need to talk about the technical aspect. So, I've talked about what we can do and and what the current state is, but what is our actual role? What's our our responsibility? Because at an event like this, you have a range from people who are new to technology or all the way to people who've been hacking, you know, IBM mainframes since before I was born. So what's our responsibility in changing this perception? Well, the first one kind of tying into the communicating the good and the bad is we need to model the best practices
and articulate the benefits of multifactor authentication. We need to be actually talking about it and practicing what we preach because if you're, you know, recommending a passkey to someone, you know, on your phone or something and then to sign in, you're getting texts and typing in the code, sorry, you kind of lost some of your credibility. And the minute they see that, because they will at some point see that, you've now planted that seed of doubt because it's reinforcing what they're being told by Twitter, what they already thought to be true because at one point SMS was a secure method allegedly. We have to share our experiences. And this isn't just good. We have to also
share the bad experiences because multifactor authentication is sucky sometimes. We need to develop and promote solutions that we can that are user centric, things where we're not just saying oh well this is the best technical aspect or oh this is the most secure aspect but we want to actually be thinking for the end user what is this process going to look like. If we want to deploy, you know, QR code-based passkeys, well, that does require everyone to have a phone that can support it and be confident enough using that phone that they would actually know how to do that or know how to set it up. And if you really still want to do it, you then need to provide
training for it. So, we need to focus on the user as part of the solution. And then we need to inspire voluntary adoption, people wanting the solution through stories of positive impact. This doesn't have to be from us, but I've seen plenty of times where corporate newsletter has been weaponized almost to deliver stories of multifactor authentication making things easier or to deliver horror stories of not having it making it worse. But the goal of that wasn't just to teach people how it's done or teach people. I mean, most people don't read past the headline if it's something like that, but at least gets the thought in there of, hey, maybe there is something better, which all just kind of sums up with us
being the example. Whether this is your personal, whether this is your company, whether this is just in talks or tweets or whatever, we need to implement and advocate for MFA ourselves. um and then talk to each other. That's bit of a silly point, but we actually have to talk with each other about this. But that does tie into our next and again disclaimer, I still work at Red Hat. I started at the beginning of this conversation, but I haven't left yet. Uh feedback loops are a way to foster innovation through iteration. So, we need to implement regular feedback within the community. So this can be technical, but much more often it's as simple as a survey saying,
"Hey, how was that experience?" If you roll out a new authentication method, you know, wait 3 weeks and then send out a couple of surveys just saying, "Hey, did you have any issues?" because you don't want a checkbox of was this a good experience or something like that because people will either hit yes or no based off what they think they should hit. But you want to get honest feedback of what did you have an issue with or was there any issues you ran into things that we can start to engage in actual conversation even if it's worse for business because that's how we can improve and then we can again iterate and innovate on that process.
And then kind of the last thing of of our responsibility is that success story sharing, highlighting examples of multifactor authentication protecting against breaches, using real world examples for training with the goal of all of it to be making its benefits tangible, making it something that isn't technical, but is it something that people can understand when they are actually faced with the conversation. So what are some best practices when we're going through this? Well, we can provide clear onboarding instruction, continuous support, making sure that it's accessible, that it's understandable. When we can do that, we can integrate MFA smoothly into our current processes. These are things that kind of using what we've already talked about a little bit
is the goal we can set. Whether it's setting up good systems or building good software, we can highlight industry trends. Passwordless has been a hot topic for a while now, but most companies still don't have a way to implement it well. But things like starting the conversation with passwordless, even if that's not the solution you go with, can at least get people, especially technical users, engaged in the conversation. With the end goal at all of it being to minimize that setup friction to try to address those pain points to get it as simple as possible to get everyone up to that minimum level of security. So when we're communicating with users, when we're talking about it, we want to
make sure we're being empathetic because yes, it does suck. So we want to acknowledge that frustration. We want to keep facts targeted. We want to keep it focused on the importance using things like MFA, mythbusting articles. I've personally written a ton of internal articles for newsletters. Spaced repetition is important. Please don't go send a whole blast of like 15 emails. And we can use success stories in that. We can even, and as cringey as it is, we can leverage things like social media platforms to actually talk about MFA. I think probably most of my Twitter posts about it have been complaining but even that is still there's an element of truth there. So for some examples because again I try
to practice what I preach. So I've had a couple of different methods when actually talk about adoption. So I've mentioned them a couple of times but YubiKeys were something where I was leveraging it as a positive experience. So we rolled out YubiKeys to one team on one floor of a multi-city business. They had like a couple of full like office towers in a couple of major cities. Um and we did one team roughly center of the building, one of the more talkative like marketing teams. Um and set them up with YubiKeys. And previously they had been using uh one-time passwords and we set them up with the QR-based passkeys. Um, and our goal was to kind of
ease the company into it. Now, my actual goal was FOMO, the fear of missing out because what happened as we're rolling this out, they began to go, "Oh, this is a little bit easier." Especially the ones that we would set up uh with YubiKeys where you could tap them instead of plugging them in. Whole lot easier because now they didn't have to pull out their phone which they already there was some push back because people don't want stuff on their personal phone. Perfectly viable. But then other teams within the same company in the same floor began to go, "Oh, they have something that's cool because it is it's interesting. It's different." And so the fear of missing
out began to foster. So within two weeks, we then opened up enrollment for the whole office. And we had the majority of the office, like 60% of the office reach out to get access. And within six months, we had 80% of the company using YubiKeys. This was done office by office, but they began to hear, "Oh, hey, it's so much easier. Just reach out. Just put in this ServiceNow ticket and they'll get you set up." This was something very positive that was really easy to do. That's so fun. Oh my goodness. [laughter] It's like being at a wrestling match. And it was really easy to do, but it doesn't always work. So, we get to the
other side, negative reinforcement. So, for those who aren't familiar, RSA tokens are a lot like YubiKeys, but rather than being something you plug in it, you hit a little button, it shows six numbers just like you would in your phone, but they go in your keychain. They're bigger and more annoying, in my opinion. Um, so this was a company that we rolled out, um, still Microsoft Authenticator, but this one was just with the regular push notification, and you enter the two numbers, still perfectly solid. And we had eight users that said they couldn't download the app on their phone, whatever. It's 2024 at that point, but sure. So, we provided time-based one-time password hardware tokens. Uh, and we
assigned additional training and how to use them and what that actually looks like. And then we created a ServiceNow option for them to go in and request an upgrade to the app for anyone who has the token. Well, uh, within two weeks, five of those eight users had miraculously gained the ability to download the app. This wasn't a negative. It wasn't a punishment, per se, because what we set them up with is a perfectly viable solution. It is still secure. It's still better than a lot of other methods, but they worked in an environment where you would often have to go from one place to another. It meant that they had to have this on their keychain. They had the
option of working flex, which meant they also had to take it home with them. And it was just a hassle. And that's all it took. Just the little bit of annoyance of having a keychain to go, "You know what? I've already got my phone with me. It's fine. Just, we'll just use the app instead." Again, not a punishment, but a little bit of negative reinforcement, because every now and then it is important. The final example of what I kind of used, and this is a little bit more on the soft skills side, but viewing any communication for something like multifactor education as a sales pitch in a way. So I don't know how many of you are familiar with the phrasing "what,
so what, now what." It's a way to keep communication simple without adding a lot of detail. You just have to say three things: what it is, why it matters, and what do you want the other person to do. If you're doing a Q&A, great way to keep those straightforward and answer questions well, but I would maintain that thought process when talking with users about multifactor authentication, which meant it improved their engagement. It improved their comprehension because I wasn't adding a bunch of technical details. I wasn't adding much stuff. I was thinking what it was, why it matters, and what I want them to do. Simplifying the whole thing improved their experience. So kind of summing up, because I know
thanks to my wonderful ringside announcer here, uh, that my time is coming to an end. What is it we can do? So number one, we have to be practicing what we preach. We need to be sharing our experiences because otherwise no one knows that we practice what we preach. We need to use relatable examples, things that are actually engaging users on the level they are at without condescending to them. To that extent, KISS: keep it simple, stupid. Avoid technical descriptions, because in most cases there's not a need for it, doesn't actually benefit the conversation. And then the most important point: approach with empathy and simplicity, because again, multifactor authentication is an extra step at the
end of the day. It isn't something wonderful that came out of nowhere. It's a necessary but kind of miserable requirement because people will keep attacking and there will keep being vulnerabilities. So, uh, that's it. I've got my references all linked, but much more helpfully, they are all available on my GitHub. There's also a link from my LinkedIn. Um, but, uh, that's it. Any questions? Awesome. I will leave the QR code up there a little bit, but thank you all so much for attending. Again, I'm Sam, and feel free to grab me afterwards if you have any questions or want to talk about it. >> [applause]