Upgrade to Pro — share decks privately, control downloads, hide ads and more …

apidays London 2023 - Building Multi-Factor Aut...

apidays
PRO
September 21, 2023
Programming
0
6

apidays London 2023 - Building Multi-Factor Authentication into your applications, Nathaniel Okenwa, Twilio

apidays London 2023 - APIs for Smarter Platforms and Business Processes
September 13 & 14, 2023

Building Multi-Factor Authentication into your applications
Nathaniel Okenwa, Staff Developer Evangelist at Twilio

------

Check out our conferences at https://www.apidays.global/

Do you want to sponsor or talk at one of our conferences?
https://apidays.typeform.com/to/ILJeAaV8

Learn more on APIscene, the global media made by the community for the community:
https://www.apiscene.io

Explore the API ecosystem with the API Landscape:
https://apilandscape.apiscene.io/

apidays
PRO

September 21, 2023
Tweet

More Decks by apidays

See All by apidays
Apidays Helsinki 2024 - From Chaos to Calm- Navigating Emerging API Security Challenges by Eli Arkush, Akamai
apidays
PRO
0
26
Apidays Helsinki 2024 - APIs ahoy, the case of Customer Booking APIs in Finnlines and Grimaldi Lines by Vesa Vähämaa, Finnlines
apidays
PRO
0
24
Apidays Helsinki 2024 - ABLOY goes API economy – Transformation story by Hanna Sillanpaa, Abloy
apidays
PRO
0
17
Apidays Helsinki 2024 - API Compliance by Design by Marjukka Niinioja, Osaango
apidays
PRO
0
27
Apidays Helsinki 2024 - Bridging the Gap Between Backend and Frontend API Testing with K6 by Ayush Goyal, Grafana Labs
apidays
PRO
0
16
Apidays Helsinki 2024 - Data Ecosystems Driving the Green Transition by Olli Kilpeläinen, Betolar
apidays
PRO
0
13
Apidays Helsinki 2024 - Security Vulnerabilities in your APIs by Lukáš Ďurovský, Thermo Fisher Scientific
apidays
PRO
0
28
Apidays Helsinki 2024 - Data, API’s and Banks, with AI on top by Sergio Giraldo, ING
apidays
PRO
0
25
Apidays Helsinki 2024 - Sustainable IT and API Performance - How to Bring Them Together by Merja Kajava, Aavista Oy
apidays
PRO
0
13

Other Decks in Programming

See All in Programming
僕が思い描くTypeScriptの未来を勝手に先取りする
yukukotani
9
2.4k
Desafios e Lições Aprendidas na Migração de Monólitos para Microsserviços em Java
jessilyneh
2
150
Developer Joy == Developer Productivity (really!)
hollycummins
1
220
The Sequel to a Dream of Ruby Parser's Grammar
ydah
1
220
Android開発以外のAndroid開発経験の活かしどころ
konifar
2
1k
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
irinanazarova
0
130
LangChainの現在とv0.3にむけて
os1ma
4
940
いまから追い上げる、Jetpack Compose トレーニング
nyafunta9858
0
610
Jakarta EE meets AI
ivargrimstad
0
390
LangChainでWebサイトの内容取得やGitHubソースコード取得
shukob
0
160
GraphQLとGigaViewer for Apps
numeroanddev
2
120
Rubyのobject_id
qnighy
6
1.3k

Featured

See All Featured
Code Review Best Practice
trishagee
62
16k
Large-scale JavaScript Application Architecture
addyosmani
508
110k
Distributed Sagas: A Protocol for Coordinating Microservices
caitiem20
326
21k
It's Worth the Effort
3n
182
27k
jQuery: Nuts, Bolts and Bling
dougneiner
61
7.4k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
502
140k
Fantastic passwords and where to find them - at NoRuKo
philnash
48
2.8k
Bash Introduction
62gerente
608
210k
Fireside Chat
paigeccino
31
2.9k
How to Ace a Technical Interview
jacobian
274
23k
Raft: Consensus for Rubyists
vanstee
136
6.5k
Code Reviewing Like a Champion
maltzj
517
39k

Transcript

  1. Building Multi-Factor Authentication into your applications Nathaniel Okenwa, Developer Evangelist

  2. 422 Unprocessable Entity: Suspicious Phone Number! Nathaniel Okenwa, Developer Evangelist

  3. Nathaniel Okenwa Developer Evangelist @ Twilio @ChatterboxCoder Loves: Coding 󰞵/

    MMA 🥊 / Anime 🀄 / Superheroes󰭅󰭄 / Action Movies 🎬

  4. Blade Runner 1982 A blade runner must pursue and terminate

    four replicants who stole a ship in space and have returned to Earth to find their creator.

  5. Blade Runner

  6. 422 Unprocessable Entity: Suspicious Phone Number! Spotting Suspicious Entities on

    2FA

  7. Untrustworthy Users Fake/Spam Users Hackers or Bot

  8. Voight-Kampff test

  9. Identifying Real Users

  10. None

  11. User Verification Along Your Customer Journey Verify users at sign

    up Protect logins Authorize Transactions

  12. Sending Your Own OTP Can Be Difficult Additional dev requirements

    Security Gaps Costly in some countries Regulations

  13. SMS Pumping This happens when fraudsters request OTPs over and

    over, in order to generate SMS traffic for which they are incentivised by small local carriers.

  14. SMS Pumping Fraudster Mobile Network Operator

  15. SMS Pumping Fraudster Mobile Network Operator Revenue Share

  16. SMS Pumping Fraudster Many Verifications Mobile Network Operator Revenue Share

  17. Can Cost $$$$$$$$$$...

  18. Fraud Indicators Conversion behaviour Monitor OTP Conversion Rates Detect Non-Human

    Behaviour Traffic Spikes Spike in Account Activity Country-Specific Spikes Number Prefix (Bulk) Unexpected Destinations Carrier Ranking Maintain Telco Fraud Rank

  19. Alternative Channels WhatsApp Email Already have Phone Number Works over

    WiFi SMS Pumping doesn’t work Strong User Adoption

  20. Demo

  21. OTP/TOTP • Works offline • Private & Secure • Bring

    your own App

  22. Silent Network Auth • Relies on secure carrier network technology

    • Not vulnerable to common OTP Phishing/Hijacking • Silent & fast! No end-user friction ✅ 15% increase in conversion ✅ ZERO reported Account Takeover incidents ✅ Keep user’s attention on your app ✅ Save 30 seconds or more during registration and logins

  23. Why don’t we just use Authenticator Apps?

  24. None
  25. None
  26. None

  27. Usability is Imperative When security introduces too much friction. Users

    are more likely to skip or ‘turn off’ these security features.
  28. None

  29. Balancing Act

  30. Bank Security Model (Not Trademarked)

  31. None

  32. Bank Tellers ▢ High Frequency Low Risk Activities ▢ Get

    users verified quickly

  33. Vault ▢ Higher Risk Activities ▢ Prioritise most secure form

    of Authentication

  34. ▢ Highest Risk ▢ Requires User Education Safety Deposit Boxes

  35. Github

  36. None

  37. One solution for all channels “Silent authentication” / biometric authentication

    Verify Verification request Has the request come from browser or mobile? Verification request from Mobile App (Best Case) Verification request from browser, user received a push notification on app with verification code Verification request from browser, if push notifications aren’t enabled, TOTP is used Verification request from browser, but user doesn’t have app installed. User receives the code via SMS, WhatsApp, Email or Phone Call

  38. Demo

  39. A complete verification solution SMS Email Voice WhatsApp Silent Network

    Auth Push Authentication TOTP Future Channels WebAuthn (FIDO2) Device Authentication User Registrations & Logins Logins & Transaction Authorization Pre-approved templates Automatic SMS fraud detection Rate limiting Phone numbers, short codes, Alpha ID Route optimization, redundancy, failover Localization & translation Monitoring & reports Global customer support Security & Business Logic

  40. Where to find out More…

  41. THANK YOU FOR LISTENING!! Do you have any questions? [email protected]

    @ChatterboxCoder CREDITS: This presentation template was created by Slidesgo, including icons by Flaticon and infographics & images by Freepik