Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No More Post-its: Boost your login security wit...

Avatar for Alvaro Navarro Alvaro Navarro
March 25, 2025
Programming
0
28

No More Post-its: Boost your login security with APIs

Avatar for Alvaro Navarro

Alvaro Navarro

March 25, 2025
Tweet

More Decks by Alvaro Navarro

See All by Alvaro Navarro
Baking a great DX
Avatar for Alvaro Navarro alnacle
0
140
Designing APIs Like You'd Design Your House
Avatar for Alvaro Navarro alnacle
0
140
Build your first Spotify App
Avatar for Alvaro Navarro alnacle
0
26
How to use your API Gateway as Developer Relations Tool
Avatar for Alvaro Navarro alnacle
0
50
Building awesome SDKs for your APIs: Best Practices
Avatar for Alvaro Navarro alnacle
0
92
DevRel as Professional Career
Avatar for Alvaro Navarro alnacle
0
190
Effective API Governance: Lessons Learnt
Avatar for Alvaro Navarro alnacle
0
3.2k
Building a partnership that scales through APIs
Avatar for Alvaro Navarro alnacle
0
110
The Journey of an OpenAPI platform
Avatar for Alvaro Navarro alnacle
0
150

Other Decks in Programming

See All in Programming
Vibe Codingの幻想を超えて-生成AIを現場で使えるようにするまでの泥臭い話.ai
Avatar for Kuu fumiyakume
18
9.5k
Quality Gates in the Age of Agentic Coding
Avatar for Hélio Medeiros helmedeiros
PRO
1
110
What's new in Adaptive Android development
Avatar for Sungyong An fornewid
0
120
変化を楽しむエンジニアリング ~ いままでとこれから ~
Avatar for murajun1978 murajun1978
0
530
知って得する@cloudflare_vite-pluginのあれこれ
Avatar for chimame chimame
1
120
レトロゲームから学ぶ通信技術の歴史
Avatar for kimkim0106 kimkim0106
0
140
テストから始めるAgentic Coding 〜Claude Codeと共に行うTDD〜 / Agentic Coding starts with testing
Avatar for r-kagaya rkaga
17
6.2k
MCPで実現できる、Webサービス利用体験について
Avatar for syumai syumai
7
2.2k
「次に何を学べばいいか分からない」あなたへ──若手エンジニアのための学習地図
Avatar for panda_program panda_program
3
670
AIのメモリー
Avatar for watany watany
11
1.1k
効率的な開発手段として VRTを活用する
Avatar for Yosuke Ishikawa ishkawa
1
180
PHPUnitの限界をPlaywrightで補完するテストアプローチ
Avatar for yuzneri yuzneri
0
350

Featured

See All Featured
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
Making Projects Easy
Avatar for Brett Harned brettharned
117
6.3k
Easily Structure & Communicate Ideas using Wireframe
Avatar for Afnizar Nur Ghifari afnizarnur
194
16k
Music & Morning Musume
Avatar for Bryan Veloso bryan
46
6.7k
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
10
1k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
3.9k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Adopting Sorbet at Scale
Avatar for Ufuk Kayserilioglu ufuk
77
9.5k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
613
210k

Transcript

  1. No More Post-its: Boost your login security with APIs PRESENTED

    BY: Alvaro Navarro Senior Developer Advocate, Vonage

  2. 91 % 2

  3. 91 % Cyberattacks started with a phishing email 3 according

    to a security report by Deloitte, AAG and ASEE)

  4. 4 2020

  5. None

  6. Services collects our personal data, which could be leaked!

  7. More sophisticated attacks to steal our data Leaked data +

  8. Fraud is everywhere 8

  9. is there anything we can do to feel safer? 9

  10. None

  11. How to improve the security of your users using APIs

    11

  12. 3 factors of authentication 12

  13. Something you know Something you have Something you are

  14. Something you know

  15. Let’s talk about passwords 15

  16. If you know the secret, you must be the right

    person

  17. If you know the secret, you must be the right

    person

  18. What’s wrong with Passwords? • Easy to forget. Force users

    to follow complex patterns difficult to remember
  19. None
  20. None

  21. What’s wrong with Passwords? • Easy to forget. Force users

    to follow complex patterns difficult to remember • (Sometimes) Easy to guess
  22. None

  23. What’s wrong with Passwords? • Easy to forget. Force users

    to follow complex patterns difficult to remember • (Sometimes) Easy to guess • (Sometimes) Easy to crack
  24. None

  25. 25 What is your password? It’s my cat name and

    a random number

  26. 26 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet

  27. 27 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet Ohh… what’s her name? Her name is Jolie

  28. 28 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet Ohh… what’s her name? Her name is Jolie So your password would be Jolie and then number… Like number one… Uh… like.. My birthday

  29. 29 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet Ohh… what’s her name? Her name is Jolie So your password would be Jolie and then number… Like number one… Uh… like.. My birthday Oh, and when is your birthday? June 12th

  30. 30

  31. 31

  32. 32

  33. 33

  34. 34 mypassword 91dfd9ddb4198affc5c194cd8ce6d338fde470e2 https://api.pwnedpasswords.com/range/91dfd

  35. 35

  36. Something you have

  37. OTP (one-time-passwords) 37

  38. But not Jolie6695 38

  39. 39 two-factor authentication (2FA)

  40. 40 Message App Push Notification Hardware

  41. 41 Message App Push Notification Hardware Still the most used

    2FA method!

  42. 42 Something you have Verify API Prevent fraud with two-factor

    authentication

  43. 43

  44. 44

  45. 45 But… What if…

  46. 46

  47. 47 SIM Swap attack • Hijacking your phone number by

    linking it with a different SIM card • Sending a message is not safe anymore!

  48. 48 https://camaraproject.org/ APIs enabling seamless access to Telco network capabilities

  49. 49 Something you have SIM Swap API • Determine if

    the SIM Card linked to a phone number has recently changed • Make sure that the user’s mobile number can be used for authentication purposes.

  50. 50

  51. 51

  52. 52 Something you have SIM Swap API Determine if the

    SIM Card linked to a phone number has recently changed

  53. 53

  54. 54

  55. 55 2FA enabled SIM swap not detected ✅ ✅

  56. 56 But… What if…

  57. 57 • We want to keep users logged in but

    we don’t want to go through all these steps again • Use mobile data to verify users!

  58. 58 Something you have Number Verification API Verify end-users using

    mobile data over 5G

  59. 59 Something you have

  60. 60 Something you have

  61. 61 Mobile Operator Auth URL

  62. 62 Mobile Operator Auth URL Backend Callback

  63. 63 Mobile Operator Auth URL Backend Callback Number Verification API

    call

  64. 64 Mobile Operator Auth URL Backend Callback True / False

    Number Verification API call

  65. Something you are

  66. Integrate image and video analysis capabilities into their applications via

    API 66 Something you are
  67. None

  68. Something you know Something you have Something you are

  69. Something you know Something you have Something you are Somewhere

    you are
  70. None

  71. Verify whether the location of an end-user is within a

    specified area 71 Somewhere you are Device Location Verification API
  72. None
  73. None
  74. None
  75. None

  76. 76 To recap

  77. Verify API SIM Swap API Number Verification API Amazon Rekognition

    API Device Location API Something you have Something you are Somewhere you are Something you know I have been pwned API

  78. Thank You! developer.vonage.com developer.vonage.com/blog