The All Things Auth Podcast

#010 - Making Open-Source Software Usable with Ashley Fowler of USABLE.tools

Conor Gilsenan — Thu, 10 Oct 2019 11:05:00 -0400

Social media & website

Resources mentioned in episode

Jon Camfield published an article titled "Where did USABLE come from?" that explains the motivation for starting the organization.
The free USABLE Guidebook contains resources and activities to help trainers and facilitators to collect relevant and useful feedback from high-risk users.
The USABLE blog has a ton of posts about their mission and interviews with their partner organizations.
Ashley explained how USABLE gets hands-on help from design and user experience partners (Simply Secure and OKTHANKS) and accessibility partners (Accessibility Lab).
Ashley shared the story of working with Thomas, the lead developer of Mailvelope, an app that allows you to send end-to-end encrypted emails. Also, check out the Mailvelope Blog.
USABLE created detailed personas to help developers understand how to make their products more usable for at-risk communities around the world.
USABLE has also recently supported the Secure Drop, Orbot, and KeePass XC projects. The USABLE blog has great interviews with these projects.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/010-ashley-fowler-of-usable-tools.

#009 - How to be an #MFAally with Tanya Janca of Microsoft

Conor Gilsenan — Fri, 27 Sep 2019 02:45:00 -0400

Social media & website

Twitter: @shehackspurple
Website: dev.to/shehackspurple

Resources mentioned in episode

Tanya talks about enabling MFA on Tangerine Bank, WealthSimple, and PayPal.
Tanya wrote a blog post titled "Multi-Factor Authentication (MFA)" that explains what MFA is for people who are not familiar with the term.
The site twofactorauth.org is a community maintained database of which sites support 2FA and which do not.
Conor built an open-source browser extension called 2FA Notifier, which alerts you anytime you visit a site that is known to support 2FA and helps you enable it.
During Microsoft Ignite 2018, Azure shared that adoption rate of MFA among admins was only 1.7%. “The rate increased from 0.7% in 2017 to 1.7% in 2018. Yes, it doubled, but it is still terrible.”
Tanya mentioned Jessy Irwin’s mantra “If you liked it, then you should have put some crypto on it” and multi-Raptor authentication.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/009-tanya-janca-of-microsoft.

#008 - Secured by Math, Designed for People with Pilar García of 1Password

Conor Gilsenan — Fri, 13 Sep 2019 12:15:00 -0400

Social media & website

Twitter: @1password
Website: 1password.com

Resources mentioned in episode

Conor and Pilar frequently reference 1Password’s White Paper, which explains the security architecture and overall security philosophy of the company.
Pilar mentioned the well known XKCD comic on password strength that popularized the comical phrase “correct horse battery staple”.
1Password’s Watchtower has many useful features related to monitoring the security of your account passwords and your use of two factor authentication (2FA).
You can learn more about Troy Hunt’s Pwned Passwords API here and here. Also, check out Junade Ali’s post on the Cloudflare blog about why and how he proposed the Pwned Passwords API should use k-anonymity.
Conor mentions the NIST special publication 800-63B, which contains password best practices.
1Password has a $100k bug bounty hosted on BugCrowd.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/008-pilar-garcia-of-1password.

#007 - SOUPS 2019 - Part 2

Conor Gilsenan — Fri, 16 Aug 2019 22:35:00 -0400

Yixin Zou
1. Social: @yixinzou1124
2. University: School of Information at University of Michigan
3. Paper: An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites
Karoline Busse
1. Social: @kb_usec
2. University: Institute of Computer Science 4 Security and Networked Systems at University of Bonn
3. Paper: Replication: No One Can Hack My Mind Revisiting a Study on Expert and Non-Expert Security Practices and Advice
Anthony Vance
1. Social: @anthonyvance, anthonyvance.com
2. University: Center for Cybersecurity of the Fox School of Business at Temple University in collaboration with Neuro Security Lab at Brigham Young University
3. Paper: The Fog of Warnings: How Non-essential Notifications Blur with Security Warnings
Sarah Pearman and Shikun Aerin Zhang
1. Social: in/sarahpearman, sarahpearman.com
2. University: CyLab at Carnegie Mellon University
3. Paper: Why people (don’t) use password managers effectively
Kyle Crichton
1. Social: in/kyle-crichton-81b72359
2. University: CyLab Usable Privacy and Security (CUPS) Laboratory at Carnegie Mellon University
3. Paper: Incentives for Enabling Two-Factor Authentication in Online Gaming

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/007-soups-2019-part-2

#006 - SOUPS 2019 - Part 1

Conor Gilsenan — Fri, 16 Aug 2019 19:00:00 -0400

Miranda Wei
1. Twitter: @_weimf
2. University: Security and Privacy Research Lab at University of Washington (work done at SUPERgroup at University of Chicago)
3. Paper: “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
Eva Gerlitz
1. University: Institute of Computer Science 4 Security and Networked Systems at University of Bonn
2. Paper: "If you want, I can store the encrypted password." A Password-Storage Field Study with Freelance Developers
Mariano Di Martino
1. Twitter: @dimartinomar
2. University: Expertise Center for Digital Media (EDM) at Hasselt University
3. Paper: Personal Information Leakage by Abusing the GDPR 'Right of Access'
Elham Al Qahtani
Andreas Gutmann
1. Twitter: @kryptoandi
2. Company: onespan.com
3. University: Information Security Group at University College London
4. Paper: Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/006-soups-2019-part-1

#005 - Grading How Companies (In)Securely Store Passwords with Michal Špaček of Password Storage

Conor Gilsenan — Sat, 03 Aug 2019 22:20:00 -0400

Michal Špaček shares the story of how the Password Storage project has convinced hundreds of companies to publicly disclose their password storage practices and assigned each a grade based on how well they follow best practices.

We discuss hashing algorithms and the technology behind storing passwords securely. Learn why a company who follows the technical best practices might still not earn an A grade if they do not have a public disclosure, or if they rely on an Invisible Disclosure.

We compare the Password Storage project to other fantastic security tools, including SSL Labs and Mozilla Observatory.

Michal outlines how the grading criteria will change in the short term, highlights the desire to get more companies included in the data set, and contemplates how the project will continue to grow over time.

This episode was initially published in August 2019, the 5 year anniversary of Michal’s talk at BSides Las Vegas 2014, which planted the seeds that eventually grew into the Password Storage project. Happy birthday, Password Storage!

Social media & website

Twitter: @PasswordStorage, @spazef0rze
Website: Password Storage disclosures, michalspacek.com

Resources mentioned in episode

Michal launched Password Storage at BSides Las Vegas in 2016. You can see the slides from his talk here.
Bruce K. Marshall is a researcher and consultant dedicated to improving the application of authentication technologies, products, and good practices. He founded PasswordResearch.com to better share the password information he was collecting.
- You can find Bruce on Twitter @PwdRsch.
Michal’s wrote an article titled “Upgrading existing password hashes” that explains how to gracefully migrate passwords hashed with a legacy algorithm to a secure and modern algorithm.
To get your website listed in the Password Storage project, check out the FAQ.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/005-michal-spacek-of-password-storage

#004 - Product Managers: The Polyglot Communication Hubs That Improve Your Products with Simon Moffatt of ForgeRock

Conor Gilsenan — Thu, 18 Jul 2019 17:20:00 -0400

Simon Moffatt, a Technical Product Manager at ForgeRock, joins me to discuss why a Product Manager is a critical role within any organization that aims to create usable security and privacy technologies. We discuss what, exactly, a PM actually does and why they are the critical hub between all departments, teams, and areas of the business.

While most companies have a never ending list of TODO items, Simon explains why it is important to have a DO NOT list.

Should PMs come from a technical background, a sales background, or is it better to be a polyglot with a range of experience? How can companies create product road maps that they will actually stick to and avoid the trap of sales-driven engineering?

We also discuss security compliance and how market failures lead to standards and regulation to protect end-users.

Social media & website

Twitter: @SimonMoffatt, @ForgeRock
Website: simonmoffatt.com, forgerock.com
LinkedIn: @simonmoffatt

Resources mentioned in episode

Simon mentions how The Lean Startup advocates a quick learning cycle to capitalize on user feedback to improve your products.
Simon also writes articles on The Cyber Hut.

You can find the host of The All Things Auth Podcast on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/004-simon-moffatt-of-forgerock

#003 - End-to-end Encrypted Chat Without Getting Snooped On with Max Krohn of Keybase

Conor Gilsenan — Thu, 04 Jul 2019 09:30:00 -0400

Keybase is a Slack-like app that supports chat and file sharing, but it is fully end-to-end encrypted. You might be familiar with other well known apps that support end-to-end encryption, like WhatsApp and Signal, but Keybase has a fundamentally different security architecture. Max explains why this is so important and helps us understand the cryptography that makes the service work.

Before starting Keybase, Max was the co-founder of OkCupid. He shares the story about how he went from running a dating app to focusing on making public key cryptography approachable for the average internet user. Towards the end of our conversation, we discuss how Keybase approaches user research, how Keybase makes enough money to keep the lights on, and how they plan to grow the service in the future.

Social media & website

Website: keybase.io
Twitter: @keybaseio, @maxtaco
Keybase: @max
- After installing Keybase, you can request to join the team keybasefriends.

Resources mentioned in episode

Keybase Blog
- The post Keybase's New Key Model explains how you cryptographically link all of your devices so that you can use Keybase on all of your devices at the same time.
- The post Introducing Keybase Teams explains the user experience and underlying cryptography that powers the Keybase teams functionality.
- In Keybase is not softer than TOFU, Keybase explains what Trust on First Use means and how Keybase approaches this problem differently than any other app providing end-to-end encrypted communication.
The Keybase documentation contains technical explanations of how Keybase is designed and architected.
The Verge: Google, WhatsApp, and Apple slam GCHQ proposal to snoop on encrypted chats

You can find Conor, the host, on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/003-max-krohn-of-keybase

#002 - Your Phone is a Phishing Resistant Security Key with Alex Grinman of Kryptco

Conor Gilsenan — Thu, 20 Jun 2019 17:45:00 -0400

Alex shares the story of how Krypton first started as a secure messaging app, then evolved to help developers manage SSH keys, and today aims to make phishing resistant two factor authentication a realistic option for average internet users.

We get Alex’s thoughts on Google’s recent focus on allowing Android phones to be used as security keys, what happens if you lose your phone, and different approaches to account recovery.

Social media & website

Kryptco: krypt.co, @kryptco, hello@krypt.co
Alex Grinman: www.alexgr.in, @alexgrinman

Resources mentioned in episode

Phishing resistant two factor authentication (2FA) comes from implementing the FIDO2: WebAuthn & CTAP specifications.
Krypton’s blog post, Our Zero-Trust Infrastructure, explains how the Krypton app pairs your phone to your browser to guarantee secure communication.
You can find all of Kryptco’s open source software on GitHub.
Google Security Blog - Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys

You can find Conor, the host, on Twitter @conorgil.

Canonical URL: https://allthingsauth.com/podcast/002-alex-grinman-of-kryptco

#001 - Open-source Hardware Security Keys with Conor Patrick of SoloKeys

Conor Gilsenan — Thu, 06 Jun 2019 00:46:00 -0400

Conor explains what security keys are and why they provide a stronger level of security than other methods of 2FA. He shares the story about how he created and sold his first open-source security key on Amazon while he was an undergraduate studying Computer Engineering and how that project evolved into a wildly successful Kickstarter project that launched SoloKeys the company.

Towards the end of the conversation, Conor shares his thoughts on the recent trend of using phones as security keys and highlights Somu, the next exciting product that he and his team are working on right now.

Social media & website

SoloKey’s Twitter: @SoloKeysSec
SoloKeys website
Conor Patrick’s Twitter: @_conorpp

Resources mentioned in episode

Phishing resistance two factor authentication (2FA) comes from implementing the FIDO2: WebAuthn & CTAP specifications.
U2F Zero security key
- In his blog post, Designing and Producing 2FA tokens to Sell on Amazon, Conor explains how he created and sold an open source security key named U2F Zero while an undergrad in university.
- You can access the hardware designs and software in the GitHub repo conorpp/u2f-zero.
- You can build your own U2F Zero by following the instructions in the Build a U2F Token wiki page.
SoloKey security key
- SoloKeys, the company, launched after raising $125,000 in a hugely successful Kickstarter project.
- In his blog post, Designing Solo, a new U2F/FIDO2 Token, Conor explains
- The hardware and software for SoloKey’s open source hardware security key, Solo, is available in the GitHub repo solokeys/solo.
Google Security Blog: Now generally available: Android phone’s built-in security key
NitroKey security key
- NitroKey, a commercial provider of security keys, based their open source U2F security key on Conor’s U2F Zero project. You can access the Nitrokey firmware and hardware in the GitHub repo Nitrokey/nitrokey-fido-u2f-firmware.
- NitroKey is also building security keys based on SoloKey’s current design as well.
Somu: A tiny FIDO2 security key for two-factor authentication and passwordless login

Canonical URL: https://allthingsauth.com/podcast/001-conor-patrick-of-solokeys