Upgrade to Pro — share decks privately, control downloads, hide ads and more …

No More Post-its: Boost your login security wit...

Avatar for Alvaro Navarro Alvaro Navarro
March 25, 2025
Programming
0
23

No More Post-its: Boost your login security with APIs

Avatar for Alvaro Navarro

Alvaro Navarro

March 25, 2025
Tweet

More Decks by Alvaro Navarro

See All by Alvaro Navarro
Baking a great DX
Avatar for Alvaro Navarro alnacle
0
140
Designing APIs Like You'd Design Your House
Avatar for Alvaro Navarro alnacle
0
130
Build your first Spotify App
Avatar for Alvaro Navarro alnacle
0
24
How to use your API Gateway as Developer Relations Tool
Avatar for Alvaro Navarro alnacle
0
49
Building awesome SDKs for your APIs: Best Practices
Avatar for Alvaro Navarro alnacle
0
92
DevRel as Professional Career
Avatar for Alvaro Navarro alnacle
0
190
Effective API Governance: Lessons Learnt
Avatar for Alvaro Navarro alnacle
0
3.1k
Building a partnership that scales through APIs
Avatar for Alvaro Navarro alnacle
0
110
The Journey of an OpenAPI platform
Avatar for Alvaro Navarro alnacle
0
150

Other Decks in Programming

See All in Programming
Team topologies and the microservice architecture: a synergistic relationship
Avatar for Chris Richardson cer
PRO
0
1k
GraphRAGの仕組みまるわかり
Avatar for とすり tosuri13
7
480
Code as Context 〜 1にコードで 2にリンタ 34がなくて 5にルール? 〜
Avatar for Yoda Keisuke yodakeisuke
0
100
関数型まつり2025登壇資料「関数プログラミングと再帰」
Avatar for Taison Tsukada taisontsukada
2
850
KotlinConf 2025 現地で感じたServer-Side Kotlin
Avatar for Takehata Naoto n_takehata
1
230
XSLTで作るBrainfuck処理系
Avatar for MakKi makki_d
0
210
Go1.25からのGOMAXPROCS
Avatar for kuro kuro_kurorrr
1
800
FormFlow - Build Stunning Multistep Forms
Avatar for Yonel Ceruto González yceruto
1
190
エンジニア向け採用ピッチ資料
Avatar for 犬飼嵩 inusan
0
160
deno-redisの紹介とJSRパッケージの運用について (toranoana.deno #21)
Avatar for uki00a uki00a
0
150
Railsアプリケーションと パフォーマンスチューニング ー 秒間5万リクエストの モバイルオーダーシステムを支える事例 ー Rubyセミナー 大阪
Avatar for Hayato OKUMOTO falcon8823
4
940
Julia という言語について (FP in Julia « SIDE: F ») for 関数型まつり2025
Avatar for GOTOH Shunsuke antimon2
3
980

Featured

See All Featured
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
130
19k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.8k
VelocityConf: Rendering Performance Case Studies
Avatar for Addy Osmani addyosmani
330
24k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k
Why Our Code Smells
Avatar for Brandon Keepers bkeepers
PRO
337
57k
Put a Button on it: Removing Barriers to Going Fast.
Avatar for kastner kastner
60
3.9k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.8k
How GitHub (no longer) Works
Avatar for Zach Holman holman
314
140k
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.3k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
36
2.8k

Transcript

  1. No More Post-its: Boost your login security with APIs PRESENTED

    BY: Alvaro Navarro Senior Developer Advocate, Vonage

  2. 91 % 2

  3. 91 % Cyberattacks started with a phishing email 3 according

    to a security report by Deloitte, AAG and ASEE)

  4. 4 2020

  5. None

  6. Services collects our personal data, which could be leaked!

  7. More sophisticated attacks to steal our data Leaked data +

  8. Fraud is everywhere 8

  9. is there anything we can do to feel safer? 9

  10. None

  11. How to improve the security of your users using APIs

    11

  12. 3 factors of authentication 12

  13. Something you know Something you have Something you are

  14. Something you know

  15. Let’s talk about passwords 15

  16. If you know the secret, you must be the right

    person

  17. If you know the secret, you must be the right

    person

  18. What’s wrong with Passwords? • Easy to forget. Force users

    to follow complex patterns difficult to remember
  19. None
  20. None

  21. What’s wrong with Passwords? • Easy to forget. Force users

    to follow complex patterns difficult to remember • (Sometimes) Easy to guess
  22. None

  23. What’s wrong with Passwords? • Easy to forget. Force users

    to follow complex patterns difficult to remember • (Sometimes) Easy to guess • (Sometimes) Easy to crack
  24. None

  25. 25 What is your password? It’s my cat name and

    a random number

  26. 26 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet

  27. 27 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet Ohh… what’s her name? Her name is Jolie

  28. 28 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet Ohh… what’s her name? Her name is Jolie So your password would be Jolie and then number… Like number one… Uh… like.. My birthday

  29. 29 What is your password? It’s my cat name and

    a random number You’ve got this cat for a while? Yeah, she’s my childhood pet Ohh… what’s her name? Her name is Jolie So your password would be Jolie and then number… Like number one… Uh… like.. My birthday Oh, and when is your birthday? June 12th

  30. 30

  31. 31

  32. 32

  33. 33

  34. 34 mypassword 91dfd9ddb4198affc5c194cd8ce6d338fde470e2 https://api.pwnedpasswords.com/range/91dfd

  35. 35

  36. Something you have

  37. OTP (one-time-passwords) 37

  38. But not Jolie6695 38

  39. 39 two-factor authentication (2FA)

  40. 40 Message App Push Notification Hardware

  41. 41 Message App Push Notification Hardware Still the most used

    2FA method!

  42. 42 Something you have Verify API Prevent fraud with two-factor

    authentication

  43. 43

  44. 44

  45. 45 But… What if…

  46. 46

  47. 47 SIM Swap attack • Hijacking your phone number by

    linking it with a different SIM card • Sending a message is not safe anymore!

  48. 48 https://camaraproject.org/ APIs enabling seamless access to Telco network capabilities

  49. 49 Something you have SIM Swap API • Determine if

    the SIM Card linked to a phone number has recently changed • Make sure that the user’s mobile number can be used for authentication purposes.

  50. 50

  51. 51

  52. 52 Something you have SIM Swap API Determine if the

    SIM Card linked to a phone number has recently changed

  53. 53

  54. 54

  55. 55 2FA enabled SIM swap not detected ✅ ✅

  56. 56 But… What if…

  57. 57 • We want to keep users logged in but

    we don’t want to go through all these steps again • Use mobile data to verify users!

  58. 58 Something you have Number Verification API Verify end-users using

    mobile data over 5G

  59. 59 Something you have

  60. 60 Something you have

  61. 61 Mobile Operator Auth URL

  62. 62 Mobile Operator Auth URL Backend Callback

  63. 63 Mobile Operator Auth URL Backend Callback Number Verification API

    call

  64. 64 Mobile Operator Auth URL Backend Callback True / False

    Number Verification API call

  65. Something you are

  66. Integrate image and video analysis capabilities into their applications via

    API 66 Something you are
  67. None

  68. Something you know Something you have Something you are

  69. Something you know Something you have Something you are Somewhere

    you are
  70. None

  71. Verify whether the location of an end-user is within a

    specified area 71 Somewhere you are Device Location Verification API
  72. None
  73. None
  74. None
  75. None

  76. 76 To recap

  77. Verify API SIM Swap API Number Verification API Amazon Rekognition

    API Device Location API Something you have Something you are Somewhere you are Something you know I have been pwned API

  78. Thank You! developer.vonage.com developer.vonage.com/blog