
Hello everyone, thank you for being here at BSides SF today. Just to let you know, the Slido is not working today, but we will have live question and answers at the end, and then if there are any follow-up questions we can take care of that in the lobby. Thank you.

Thank you, thank you for having me. The last time I spoke at BSides was in February of 2020. Anybody remember that conference? There was a sponsor here that was giving out little keychains of hand sanitizer, and when we were packing up at the end there were hundreds left over, and a month later I was like, why didn't I take more of those? But you know, we didn't know, right? We didn't know. And I think that's one of the things we've seen in the last couple of years: a lot of things have changed, but one of the things that we've seen change is that there are a lot more people doing business online now. And that means, of course, that if there's more money, we as security people working in web application security and mobile security have more considerations that we have to deal with, because there's more fraud and there's more money that's getting lost to account takeover. But we're also finally starting to see some of these stronger authentication methods, things like WebAuthn, things like passkeys even, that are finally being used for a consumer audience.

But we're also all human, right? We need to consider account recovery in this process when we're doing the authentication system design that we're building, because we need to balance that humanness, that user experience, with preventing fraud. And I specifically called out consumer account recovery in this talk because, one, that's what I focus on in my day-to-day work, but I think there's a little bit of a different way that we have to think about that when we're dealing with end-user consumers that are not our employees, that we're not paying to consider this problem. When we're thinking about enterprise account recovery, you might have an IT help desk that you can call up and deal with the answer that way. There's a lot of overlap between account recovery among the spaces, but you don't have that kind of enterprise fallback, so I'm going to be focusing on the consumer side of this today.

So again, thank you for having me here. My name is Kelly Robinson. I've been a developer for over a decade now and I've been working in security at Twilio for the last six years. I've been helping out with BSides SF for a few years too, so again thank you to the team, to everybody that's volunteered, and for having me back. I focus on Twilio's account security products, for things like phone verification, user identity and two-factor authentication. This talk is going to incorporate a lot of the things I've learned during my time there, from working with our developers and working with our customers on their authentication challenges, and then it's also going to incorporate some of the things that we've learned from Authy. We own Authy; we bought Authy eight years ago now. Some people still don't realize that Authy is owned by Twilio, but we have this consumer-facing product for MFA, and that also has an account recovery process to it too, right? So that's something we have to consider when we're building that product.

So in terms of what I'm going to talk about today: after I give some context on what account recovery is and how I'm thinking about it, I'll walk through the options that we have, including some real-life examples, some companies that I think are doing some stuff well, and that'll wrap up with some recommendations and how you can use this in your own systems.

So of course we hope that users don't lock themselves out of their accounts, right? That's the hope. But of course it's going to happen, and there are a lot of common reasons for this that are not even user error, things that we have to think about. People change their phone numbers. They forget their passwords. They lose their device or authenticator or their security key. They upgrade to the latest iPhone and they forget that there was anything important on their old device; they forget that they needed to transfer all of those Google Authenticator tokens, and now all of a sudden those are lost. And so it's up to us to address these issues while still guarding against the attackers and the account takeover attempts. If anyone was in the last session, you know Pinterest was talking about how they handle account takeovers and some of the protections they use against passwords. This is going to extend on that and talk about how you might think about that with more than just a password, with some of these other authentication methods that we use and that we see consumer authentication being used for.

So again, account recovery is risky because you're not just authenticating, you're re-proving the identity, and it's not an identity that comes with a clean slate anymore. It's not the sign-up, where you might not have to do that email verification if your growth team tells you that they want to skip it. The existing account likely already has data or money attached to it, and so that's one of the things that you have to consider when you're re-proving this identity. The emphasis here is mine, but I really like how Mark Loveless characterized account recovery here as this alternative authentication system. He says, in essence, it's a bypass of the main account security protocols and therefore should be treated as this alternative authentication system.

And there are all these risks associated with account recovery. I tried to pull the latest numbers for the cost of ATO fraud, and all these research companies have different figures that they'll give you, but it's always in the billions, right? Maybe that's all exaggerated, but it's a lot of money, and your company probably, hopefully, has some kind of quantification of the cost of this to your business, whether that's the support costs that you're dealing with in order to address these account recovery attempts or the amount of money that's lost to fraud from the account takeover actually happening. And so the best estimate that I could come up with from the research that I found is that if you end up with that kind of last resort, if the user has to contact support, support calls can cost anywhere from forty to seventy dollars per call. And so that's a lot of money that you have to be thinking about if your user ends up at that process, and this is why it's often worth it to invest in your account recovery process, to save your support teams the headaches and to save your company more money.

So you have a lot of options for account recovery, and that goes beyond just sending an email reset for your password. That's where we started, and these are things like security questions, which are not recommended, things like backup codes, fallback channels, whatever that might be for your business. And the requirements for account recovery: I wanted to highlight a couple of things here, because they might be slightly different from your everyday classic authentication. Primarily, since it's not happening very often, one, it can be slower, but two, you need methods that can be accessed without constant rehearsal, as I saw one researcher put it. So we think about something like a password, or even a security key: if you're using that daily, you're less likely to lose that security key, because you need it every day to log into your computer, or you are constantly typing in your password. I know a lot of people in this room probably use a password manager, but a lot of consumers and users of the end-user applications that we build probably aren't, so they're typing and they're remembering these passwords, and that constant rehearsal helps them. Seven, eight, nine months later, when they lose that password, lose the key, forget something, they're not going to have that same level of rehearsal for whatever backup method. And so this is why security questions became a thing, because you're not going to forget your first pet or the color of your first car. Again, I'm not suggesting that you use security questions; I'm just saying that's why they became popular, right?

But this is something that also needs to be usable, because this is something that most people will do. Some Google research from a little bit ago reported a nearly linear relation between time passed and the number of users who use the fallback authentication system: after 18 months, 70% of Google's users had done some kind of basic account recovery. I'm sure your business has seen similar things, where this is something that you definitely have to deal with, so you're going to want to build this into your considerations.

Now one thing I wanted to look at was how effective the different methods can be for account recovery. The more of these that you collect when the user first signs up, the more that you'll have to trust and verify against when they attempt an account recovery. And this is one of those things where, if anybody does account security at your company, you've probably had those conversations with your growth team, right? They're like, no, we need to make this frictionless so that we can get users signed up as fast as possible, so that I can hit my metrics of the number of users that signed up, and you're pushing back on that saying, no, we need to have some level of assurance about who these users are. And this is going to be that back-and-forth pull; I see some people nodding about this, right? So this is something that you want to think about, have those conversations. When you collect these up front, you're going to have an easier time down the line, even if you're not having that user use one of those methods that they enrolled with every time that they sign in. This is why we do email verification, right? You're not necessarily having the user send an email to themselves every time they log in, but this is something that comes in handy down the line.

All right, let's start with knowledge methods. These could be passwords, security questions, or specific account information like recent transactions, or hopefully other secret details about the account. I've had people ask me how much a recent expense was on my account, that I might have bought with an e-commerce site. I've had companies ask when I last called customer support. These are examples of knowledge things that you might encounter that aren't going to be that kind of security question method that we all love. So knowledge factors are great because they're easy to use and set up and they can't be lost; the reason, again, that security questions became so popular is because you're not going to forget them. But passwords can be breached, many security questions or account details can be searched, and it's also not impossible to just find or guess the street that someone grew up on or the color of their first car, right? And of course humans are forgetful, so anything like a password can be lost in that way.

Possession factors: these are the things that you have. These tend to be more secure than passwords because they can be harder to phish and they don't get leaked in data breaches. These could also include things like your phone, backup or recovery codes, and hardware security keys or security tokens or YubiKeys. When it comes to something that you have, people tend to lose and replace things, right? Like I talked about, people upgrading to the new iPhone or losing their phone, and this means that it's harder to guarantee for account recovery. Possession can also introduce that additional friction, and this is one of the things that we always have to think about: even getting someone to download an app can be a lot harder than telling them to enter a security question or something like that. And this is one of the things that I think we're starting to try to change with solutions like passkeys. They're trying to solve that usability problem by integrating the authentication into the devices that we already have and the systems that we already use.

And the third category that I wanted to talk about is not inherence, if you're following the classic three factors of authentication, but it's actually the social proof side of things. This relies on authorizing trusted contacts and doesn't really fall into that classic authentication factor categorization. Companies like Facebook, obviously a very social company from the get-go, allow you to nominate three to five friends that can help confirm your identity before they give your account back to you. And the nice thing about Facebook is they let you do this after you get locked out of your account, so this is not necessarily something that you have to set up before. One of the things that they ran into is that hackers were then trying to friend people on the account, or take over an account by adding new untrusted friends and then doing the account takeover. And so Facebook has fixed that problem by making sure that the friends you're nominating to get your account recovered are people that you've had a longer-term relationship with, and that they identify as more trusted contacts. And so this is one of the things, right? They're allowing you to do this after the fact, and so you're going to be motivated to do the setup. If you are a social company that needs to get users to set this up beforehand, that might be the challenge here: the usability aspect of getting people to enroll in this recovery factor. But I think this is really smart. If your company has any kind of social or dynamic connections between users, this is definitely something that you can use, even in a more enterprise setting. This is a really smart way that, if you have multiple business users that are tied to the same account, you can have them vouch for each other in terms of getting the account access back, without having to contact an account rep or someone like that.

A couple of specific channels that I wanted to highlight. One type of possession factor that we see a lot for account recovery is these backup tokens or recovery codes. These codes are given to you, so they're more likely to be longer and less likely to be reused, right? However, that means that people have to store these somewhere, and while some sites will give you explicit options (I've seen things like write them down, save them in your password manager, email them to yourself; these are all recommendations that I've seen in the real world), this is a screenshot from Instagram, a real example with fake codes, that does not give any useful guidance on what to do with these. So I've always wondered, how effective are these actually? Do people actually save them? I met one person that literally prints them out and puts them in their home safe, and that's great for them. I'm not going to do that, probably, and most users probably aren't either. So how many users are actually doing this? I was pleasantly surprised when I was talking to one of our customers: they're doing many thousands of authentications every week, and they're actually seeing hundreds of users using their backup codes every week. And so one percent of their users are doing this on a weekly basis, and that might not seem like a lot, one percent doesn't seem like a big number, but that does factor out to hundreds of users, and if that's allowing those users to get back into their accounts without going through customer support, that's good for both you and your business. And so this is one of the things that I was pleasantly surprised to see: that backup codes, which can be relatively easy to implement, are a reasonable solution for the account recovery problem.

And the last specific method that I wanted to call out is passkeys. Is anybody actually using passkeys yet? I see a couple of people enthusiastically raising their hands. I've encountered this at a couple of companies; I know Cloudflare has implemented this, good for them. I'm proud of everybody that's trying to push this forward. So passkeys are the new evolution of WebAuthn, and I know there are critiques of passkeys; I've heard people say, is it actually 2FA? But I think one of the things that passkeys are explicitly attempting to solve is this account recovery problem, and that's because you're syncing the private keys in the cloud. And that's a little scary maybe, but what this allows is that that strong form of authentication can be used by default across devices without the user needing to authenticate or set up every new device. So I am able to sign in on this laptop with Touch ID because that's stored on this individual laptop; if I want to use that same method on a different device, I have to register on a different device. But passkeys attempt to solve that problem, and Apple calls this out in their docs: they say passkey synchronization provides convenience and redundancy in case of a loss of a single device. So this is great, right? But then you read a little bit more into this (and Apple's not the only one that's implemented this, this is an industry-wide collective), and the alternative account recovery, if you lose all of your devices, means that you use your iCloud account password and SMS authentication. So they're still thinking about the backup to the backup to the backup, right? And that's one of the things that we all have to think about too.

So let's take a look at a couple of companies that I think are doing this well. Some companies are intentionally vague about this, but I've highlighted a couple that have pretty good documentation about their process and what they do for account recovery. The first one I already called out is Cloudflare. I always look to them to see what they're doing on the forefront of authentication, because I think they serve a technical audience, and so you can probably get away with a little bit more of a tech-forward approach and a little bit more of the bleeding-edge approach to some authentication solutions. They were one of the first companies that I saw implement WebAuthn; they're now using passkeys for that, and they offer a lot of options for account recovery. But if you run out of options, this is the last resort: in addition to email verification, they require an active session on your account, and if you don't have an active session somewhere, a browser that's been previously logged in, then you're kind of screwed. It's pretty common to require this active session, but it's not always explicitly called out. You can think of this as a possession factor, right? It's a previously verified device or browser. And to be safe, they also implement a three to five day waiting period. I'll talk a little bit more about waiting periods in a minute, but it makes sense, right? An attacker might not want to wait, but a real user probably would, and that's one of those ways that you can start to balance that ATO prevention.

GitHub is another company that I think is doing pretty great when it comes to account recovery, and user authentication in general. Also, calling this out, it probably serves a more technical audience, right? They have different considerations than someone like Pinterest might. GitHub has extensive documentation about their 2FA recovery process. They also offer a lot of options for what you can do in terms of setting up authentication factors or fallback factors. One option is recovery tokens that they require you to set up when you register certain types of devices for authentication, and they will also allow you to fall back to SMS if you have a stronger form of 2FA enabled, like TOTP or YubiKeys. I've had this debate with people: is it worth it to allow these stronger forms of authentication, like TOTP and YubiKeys, if you're going to allow fallback to SMS? And that depends on how you approach it, right? This is something that's still probably going to be stronger than customer support, probably cheaper than having the user call customer support, and it might be enough of a hassle to deter some amount of hackers. GitHub also does an interesting thing where you can configure your Facebook account to store a recovery token to get back into GitHub. That has the downside of requiring that you have a Facebook account, but the upside is that you're likely to be able to access Facebook even if you lose access to GitHub; those might be two different things that you have two different sets of credentials for. And then, anecdotally, I have a friend that went through the account recovery process with GitHub, and in line with the warning that's shown here, GitHub told them that they needed to unlink their email address so they could use it again to create a new account. They could fork all of their repos over to the new account, and then if in six months their old account that was locked out was still dormant, they could re-access that account; their username would be released to them. And so that's pretty extreme and unforgiving, six months, but at least it allows them to get access to it eventually. I don't know if this is still true, or true for all accounts; maybe my friend's account was especially high risk. But that's definitely something that you want to think about: make sure you have those recovery keys saved for your GitHub account. And it's something that you can consider in terms of the extremes of waiting periods that you might consider.

All right, and then diving into some of the recommendations. So those were just some examples of what different companies are currently doing; now, what you can do for your own company. And I think it's important to preface all this by saying that there's no one right answer here. This is taken from the OWASP Multi-Factor Authentication Cheat Sheet: they say there is no definitive best way to do this, and what is appropriate will vary hugely based on the security of the application and the level of control that you have over your users. This again gets back to that enterprise versus consumer authentication approach that you might take. Think about what makes sense for your company, for your users. You definitely don't need to do everything I recommend here; this is a menu of options that you might think about as you're designing these processes or revamping them.

All right, the biggest thing you can do: have users register more factors, more methods, than they need for everyday login. Somebody kind of eloquently put this as 3FA for 2FA. It's not really three factors, but you want to at least have two methods that someone can use to get back into their account if they have MFA enabled. And the biggest benefit of that is that you have the additional trusted factors, and you can use those to compare against when your user loses access to one of their main factors. And the more that you have registered, the more confident that you can be that it's the right person that you're letting in and not an account takeover. Register these at sign-up or during an active session; that's really up to you. Requiring users to register these additional factors might create some additional overhead in that process, especially during sign-up, but it's justifiable for certain use cases, like fintech, some of these higher-assurance industries where KYC has more regulations and controls around it. That's something that you're probably going to be okay with: if somebody's opening a new bank account, they might expect that that might take a couple of minutes to do.

Similarly, do some threat modeling. Look at your ATO costs; it's going to be different for everyone. Maybe this is something that isn't actually costing you that much money if someone contacts support, and that's fine; you might not need to do extensive revamping of your process here if it's not costing you a lot of money. But understand how much you're losing. You want to make sure that you're making the right level of investment for your company in the account recovery process. If you're in that higher-value industry like financial services, that might mean adding more friction to that recovery process, but consider it from your customers' perspective too, right? Do they understand the value? If you're Gemini or Coinbase and the user is trying to go through this process, they're probably willing to put in a little bit of extra effort to regain access to their account; they're going to be okay with that waiting period. That's probably going to be more true than if they're signing up for a Paramount Plus account.

Along the lines of looking at your threat model, you also want to be intentional about where and how you're allowing your staff to facilitate account recovery. This was a conversation that I had in Twitter DMs, before Twitter imploded, where I was able to get a customer support representative to reset my account just by giving them my phone number and email. And my Twitter account is my full name, but it's not connected to my profile at this company. I'm not saying that this company shouldn't let their customer support do this, because it was a really easy experience and that was nice, but it's sensitive enough that I don't want to tell you who it was. And so I'm more paranoid about this than the average person, because I think about this for my everyday work, but this is something that you want to think about. It's all about evaluating those trade-offs.

Another thing you can do is prompt users to confirm account information that could be used for recovery when they log in. This is something that's useful if you have consumers that are coming back to your application on a regular basis; obviously this is not going to be true for everyone. One of our customers does tax preparation software; that's a really hard thing to do with account recovery, because you have users that are using it about once a year, and they probably forget their password in between years. That can be something that's challenging, but one way that GitHub does the prompt for account recovery is shown on this slide. And the same idea is behind things like security checkups, email notifications to review your account. That might be sending an email notification to folks before tax season, if you're that kind of tax preparation software; that might be a strategy that you could use. And these types of reminders are relatively cheap and easy to implement, especially compared to the cost of a customer lockout or a support call. Be proactive about these types of reminders: send the email reminders before the holidays, before new iPhone releases. We always see Authy customer support tickets go up around these times, because that's when people tend to switch phones and get locked out. So that's one thing you can do: those proactive email reminders.

And then, hopefully you're already doing this, but design your 2FA onboarding really well. This is from a 2018 study: 83% of Google users were able to successfully set up YubiKeys, compared to 32% of Facebook users. A lot has changed since 2018 in terms of YubiKeys and how they're designed and the way that they work, but I think it's a good look at how onboarding UX impacts user success. You want to make sure that they're doing an actual verification before you enable that on their account. 19% of people locked themselves out of Windows entirely because they didn't require the users to set it up correctly before they enabled it as a checkmark on the account.

And finally, we recommend adding a waiting period to deter hackers and give real users time to dispute account takeover attempts. It's never going to be perfect, but it will be effective for the right types of customers: slow down the attacker, respond to legitimate users.

A couple of things that I want to say you shouldn't do. Don't only use one factor for account recovery if you have two-factor enabled; that kind of defeats the purpose of account recovery. And please, please don't be this company. This is the situation that inspired this entire talk, which was: if you're going to disable two-factor authentication on account recovery, don't even bother offering 2FA, right? In this situation I'd forgotten my password, or gotten messed up in my password manager, but I still had access to the second factor, so don't disable it if you're that company. And finally, don't let this discourage you; don't give up on 2FA. Google research shows that even SMS codes sent to a recovery phone number help prevent 76% of targeted attacks. That's really good coverage and can protect a lot of people from account takeover. I wrote a blog post about this if you want to read more; that's on the Twilio blog. I hope I've given you some ideas for how to think about your account recovery processes. Do you have any questions? We're out of time, but I'll be out in the hallway; you can find me after the talk. Once again, my name is Kelly Robinson, and thank you for listening.
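The recommendations in the talk, as an added example that is not part of the talk or of any Twilio, Cloudflare or GitHub code: single-use hashed backup codes, "3FA for 2FA" enforced before 2FA is turned on, and a last-resort path that needs a verified email plus a previously logged-in session and then a waiting period the real owner can cancel, with the second factor left enabled throughout. The `Account` dataclass, the three-day wait and the two-method minimum are constructed policy values for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed policy values for this example, not from the talk or any vendor.
WAIT_SECONDS = 3 * 24 * 60 * 60   # three-day waiting period before recovery completes
BACKUP_CODE_COUNT = 8
MIN_RECOVERY_METHODS = 2          # "3FA for 2FA": two ways back in besides the primary factor


def _hash_code(code: str) -> str:
    """Normalise a backup code (whitespace, case) and hash it so only digests are stored."""
    return hashlib.sha256(code.strip().lower().encode()).hexdigest()


def generate_backup_codes(count: int = BACKUP_CODE_COUNT):
    """Return (plaintext codes shown to the user once, digests to persist server-side)."""
    codes = [secrets.token_hex(5) for _ in range(count)]   # 10 hex chars, 40 bits each
    return codes, {_hash_code(c) for c in codes}


@dataclass
class Account:
    email: str
    totp_enabled: bool = False
    backup_code_hashes: set = field(default_factory=set)
    active_sessions: set = field(default_factory=set)    # previously verified browsers/devices
    trusted_contacts: set = field(default_factory=set)   # social-proof fallback, if the product has one
    pending_recovery: Optional[dict] = None


def recovery_methods(acct: Account) -> int:
    """Count distinct recovery methods enrolled besides the primary login factor."""
    return sum([bool(acct.backup_code_hashes),
                bool(acct.active_sessions),
                bool(acct.trusted_contacts)])


def enable_2fa(acct: Account) -> bool:
    """Only turn 2FA on once enough fallback methods exist to get back in without support."""
    if recovery_methods(acct) < MIN_RECOVERY_METHODS:
        return False
    acct.totp_enabled = True
    return True


def redeem_backup_code(acct: Account, code: str) -> bool:
    """Single use: a matching digest is removed, so the same code cannot be replayed."""
    digest = _hash_code(code)
    for stored in list(acct.backup_code_hashes):
        if hmac.compare_digest(stored, digest):
            acct.backup_code_hashes.discard(stored)
            return True
    return False


def start_recovery(acct: Account, email_verified: bool, session_id: str, now: int) -> str:
    """Last-resort path: verified email plus a previously logged-in session, then a waiting period."""
    if not email_verified or session_id not in acct.active_sessions:
        return "denied"
    acct.pending_recovery = {"ready_at": now + WAIT_SECONDS, "cancelled": False}
    return "pending"   # notify every registered channel so the real owner can dispute it


def cancel_recovery(acct: Account) -> None:
    """Called when the real owner disputes a recovery notice during the waiting period."""
    if acct.pending_recovery:
        acct.pending_recovery["cancelled"] = True


def complete_recovery(acct: Account, now: int) -> str:
    """Finish recovery only after the wait has elapsed and nobody disputed it."""
    pending = acct.pending_recovery
    if pending is None or pending["cancelled"]:
        return "denied"
    if now < pending["ready_at"]:
        return "waiting"
    acct.pending_recovery = None
    # Deliberately no change to acct.totp_enabled: recovery resets the password, not 2FA.
    return "recovered"
```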