Deploying Two-Factor Authentication to Millions of Users

Presented at BSidesSF 2019, March 4, 2019, 2:10 p.m. (30 minutes)

Two-factor authentication (2FA) is a second line of defense against account takeover, and every online service that accepts passwords should offer 2FA to its users, especially one that handles sensitive data or money. Implementing 2FA, however, involves several choices that directly shape the user experience: which methods to support, how and when to introduce them, and more generally how to explain 2FA to users who may have limited technical knowledge. This talk is structured as a tutorial on adding 2FA to an existing website, with flows and code samples. It is based on first-hand experience implementing 2FA at Pinterest and releasing it globally to millions of users. We cover designing an effective user journey, the architecture, and implementation choices including TOTP, push notifications, and FIDO security keys. For completeness, we also cover related authentication flows such as social login via OAuth and password reset.

Presenters:

  • Emanuele Cesena - Pinterest
    Emanuele Cesena is a Security Engineer at Pinterest focused on product security. Previously, he was co-founder and CTO at Theneeds (acquired by Shopkick) and a researcher in the security group at the Politecnico di Torino, Italy. Emanuele holds a PhD in Mathematics with a thesis in elliptic curve cryptography, and his specialties include secure cloud computing and privacy. In his spare time, Emanuele builds security tools and devices such as the deterministic password manager MemPa and the open source security key Solo.
