AppSec USA 2016 has ended
Friday, October 14 • 9:30am - 10:30am
Why using SMS in the authentication chain is risky and what better options are available


Passwords are horrible for security. Over the past 20 years we’ve bolstered the password with other factors, the most common being a one-time password (OTP, TOTP, HOTP) that is generated on a physical device the user holds, generated in a smartphone app, or, most commonly, sent via SMS. Using SMS for authentication is not secure. We’ve known this for years, but recently we’ve been reminded of it by problems with Google's and Apple's SMS-based security.

SMS is important as a backup way of letting people log in to systems, but it should always be a last resort. So what’s the first resort? A second factor needs a communication channel different from the one the user is authenticating over. SMS is not secure, but push notification methods are. A communication channel can be initiated via the Apple, Google and Microsoft mobile notification networks. At the receiving end of these push notifications is a secured app that in turn communicates securely with the 2FA back end. Not only is this method more secure, it is also a far better user experience, and it can be extended beyond the login to secure in-application transactions.

This presentation will go over the limitations of traditional two-factor methods and introduce the improved approach of using a push notification channel to achieve the same goal, i.e. authenticating a user's identity by validating that the initiating request comes from a person who holds a trusted device.
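To make the contrast in the abstract concrete, here is an added example (not from the talk or from Authy) that implements the two second-factor styles it compares: a standard RFC 4226/6238 HOTP/TOTP code, which is what an OTP device or authenticator app produces and what an SMS typically carries, and a toy push-style flow in which the back end issues a one-time challenge, the enrolled app signs the challenge together with the transaction context it displayed, and the back end verifies the signature, enforces single use, and expires stale challenges. The class, function names, the enrolment key and the scenario contexts are all constructed for this example; a real push back end would also authenticate the device's channel and use asymmetric keys rather than a shared HMAC key.

```python
import hashlib
import hmac
import secrets
import struct


# ---- Traditional second factor: RFC 4226 HOTP / RFC 6238 TOTP ----------------------
def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the current time window (default 30 s)."""
    return hotp(secret, unix_time // step, digits)


# ---- Push-style second factor: challenge signed by an enrolled app ---------------------
def _frame(*parts: bytes) -> bytes:
    """Length-prefix every field so field boundaries cannot be shifted by an attacker."""
    return b"".join(struct.pack(">H", len(p)) + p for p in parts)


def approval_tag(device_key: bytes, challenge_id: str, context: str,
                 nonce: bytes, decision: str) -> bytes:
    """Computed by the enrolled app over the challenge it received via the push network.
    The tag binds the device key to this exact challenge, the context shown to the user
    and the user's decision, so none of them can be swapped afterwards."""
    msg = _frame(challenge_id.encode(), context.encode(), nonce, decision.encode())
    return hmac.new(device_key, msg, hashlib.sha256).digest()


class PushAuthBackend:
    """Toy 2FA back end (constructed for this example): enrols devices, issues one-time
    challenges and verifies the app's signed approval. The clock is passed in explicitly."""

    def __init__(self, ttl_seconds: int = 60):
        self.devices = {}   # device_id -> key shared when the app was enrolled
        self.pending = {}   # challenge_id -> (device_id, context, nonce, issued_at)
        self.ttl = ttl_seconds

    def enroll(self, device_id: str, device_key: bytes) -> None:
        self.devices[device_id] = device_key

    def create_challenge(self, device_id: str, context: str, now: int):
        """Called when a login or in-app transaction needs approval. The returned tuple is
        what would be delivered to the app over the push channel; the nonce makes it unique."""
        challenge_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        self.pending[challenge_id] = (device_id, context, nonce, now)
        return challenge_id, context, nonce

    def verify_approval(self, challenge_id: str, decision: str, tag: bytes, now: int) -> bool:
        """Accept only a fresh, unexpired, device-signed 'approve' for a challenge we issued."""
        entry = self.pending.pop(challenge_id, None)   # pop: each challenge is usable once
        if entry is None:
            return False
        device_id, context, nonce, issued_at = entry
        if now - issued_at > self.ttl:
            return False
        # The back end signs over the context *it* recorded, so a tag computed over a
        # different context (what a relaying party showed the user) does not match.
        expected = approval_tag(self.devices[device_id], challenge_id, context, nonce, decision)
        return decision == "approve" and hmac.compare_digest(expected, tag)


def run_push_scenarios() -> dict:
    """Walk through the flow: correct approval, replay, altered context, denial, expiry."""
    backend = PushAuthBackend(ttl_seconds=60)
    key = secrets.token_bytes(32)            # shared at enrolment (constructed)
    backend.enroll("phone-1", key)
    results = {}

    cid, ctx, nonce = backend.create_challenge("phone-1", "login from 203.0.113.7", now=1000)
    tag = approval_tag(key, cid, ctx, nonce, "approve")     # user taps Approve in the app
    results["approve"] = backend.verify_approval(cid, "approve", tag, now=1005)
    results["replay"] = backend.verify_approval(cid, "approve", tag, now=1006)

    cid, ctx, nonce = backend.create_challenge("phone-1", "transfer 10.00 to acct 42", now=2000)
    shown_elsewhere = approval_tag(key, cid, "transfer 10000.00 to acct 42", nonce, "approve")
    results["altered_context"] = backend.verify_approval(cid, "approve", shown_elsewhere, now=2001)

    cid, ctx, nonce = backend.create_challenge("phone-1", "login from 198.51.100.9", now=3000)
    tag = approval_tag(key, cid, ctx, nonce, "deny")        # user taps Deny
    results["deny"] = backend.verify_approval(cid, "deny", tag, now=3002)

    cid, ctx, nonce = backend.create_challenge("phone-1", "login from 203.0.113.7", now=4000)
    tag = approval_tag(key, cid, ctx, nonce, "approve")
    results["expired"] = backend.verify_approval(cid, "approve", tag, now=4061)
    return results


if __name__ == "__main__":
    print("TOTP at t=59:", totp(b"12345678901234567890", 59))
    print(run_push_scenarios())
```

The HOTP/TOTP functions reproduce the RFC test vectors (secret `12345678901234567890`, counter 1 and time 59 both give `287082`), which is a useful check when validating an OTP implementation. The push scenarios show what the six-digit code cannot offer: the approval is bound to the specific challenge and to the context the user saw, a captured approval cannot be replayed, and a challenge that sits unanswered past its TTL is rejected.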


Simon Thorpe

Director of Product, Twilio - Authy
Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information...

Friday October 14, 2016 9:30am - 10:30am EDT
Grand North, Renaissance Washington, DC Downtown Hotel, 999 9th St NW, Washington, DC 20001