4. @kelleyrobinson
“How can we help users avoid harm? This begins with a clear understanding of the actual harms they face, and a realistic understanding of their constraints.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
21.
“It is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
23.
🚩 What can go wrong?
1. Compromised factors (hacked, guessed, or brute forced)
2. Phishing or vishing
https://www.nds.rub.de/media/ei/veroeffentlichungen/2017/01/13/OIDCSecurity_1.pdf
https://tools.ietf.org/html/rfc6819
30.
“We must prioritize advice... Since users cannot do everything, they must select which advice they will follow and will ignore.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
36.
How to drive adoption of MFA
• Profile settings
• Prompt during onboarding
• Have an ICO
40% adoption
100% adoption
2% adoption
37. SMS 2FA is still better than no 2FA
38. “When we exaggerate all dangers we simply train users to ignore us.”
Cormac Herley, The Rational Rejection of Security Advice by Users (2009)
44.
↩ Account recovery
• Use authentication factors instead of identity data (e.g. a PIN code instead of an SSN)
• Use security questions that aren't fact based (i.e. not discoverable via OSINT)
http://goodsecurityquestions.com/examples/
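The recovery slide above (gate recovery on a factor such as a PIN rather than on identity data) and the earlier "what can go wrong" slide (factors that get guessed or brute forced) together describe what a recovery check has to do: store the factor only as a salted hash, compare it in constant time, and throttle attempts, because a short PIN has far too little entropy to survive unlimited guessing. The following is an added example in Python, not code from the talk; the RecoveryStore class, its constants and the in-memory record store are assumptions made for illustration.

```python
"""Account-recovery check keyed on a user-chosen PIN (a knowledge factor)
instead of identity data such as an SSN.

Added example, not from the talk. RecoveryStore, the constants and the
in-memory store are assumptions; a real deployment would persist records
and the lockout state server-side.
"""
import hashlib
import hmac
import os
import time

PBKDF2_ROUNDS = 200_000      # work factor; slows offline guessing of a leaked digest
MAX_ATTEMPTS = 5             # online guesses allowed before lockout
LOCKOUT_SECONDS = 900        # lockout window after MAX_ATTEMPTS failures
DUMMY_SALT = b"\x00" * 16    # used so unknown users cost the same as known ones


def _derive(pin: str, salt: bytes) -> bytes:
    """Salted, iterated hash of the PIN. The PIN itself is never stored."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode("utf-8"), salt, PBKDF2_ROUNDS)


class RecoveryStore:
    """Holds per-user recovery-PIN digests and enforces attempt limiting."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so lockout can be tested
        self._records = {}         # user_id -> {salt, digest, failures, locked_until}

    def enroll(self, user_id: str, pin: str) -> None:
        """Register (or rotate) a recovery PIN; an SSN cannot be rotated, a PIN can."""
        salt = os.urandom(16)
        self._records[user_id] = {
            "salt": salt,
            "digest": _derive(pin, salt),
            "failures": 0,
            "locked_until": 0.0,
        }

    def verify(self, user_id: str, pin: str) -> str:
        """Return 'ok', 'denied' or 'locked'. Never reveals whether user_id exists."""
        now = self._now()
        rec = self._records.get(user_id)
        if rec is None:
            _derive(pin, DUMMY_SALT)   # burn the same cost for unknown users
            return "denied"
        if now < rec["locked_until"]:
            return "locked"            # refuse even a correct PIN while locked
        candidate = _derive(pin, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):
            rec["failures"] = 0        # successful recovery resets the counter
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= MAX_ATTEMPTS:
            rec["locked_until"] = now + LOCKOUT_SECONDS
            rec["failures"] = 0
            return "locked"
        return "denied"


if __name__ == "__main__":
    store = RecoveryStore()
    store.enroll("alice", "4831")          # constructed sample user and PIN
    print(store.verify("alice", "4831"))   # ok
    print(store.verify("alice", "0000"))   # denied
```

The lockout is what turns a four-digit PIN from a trivially enumerable secret into a usable recovery factor: with five online attempts per window, guessing has roughly a 1-in-2000 chance per window, whereas an SSN-based check has no secret to rotate once the number is known.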
46.
ℹ Support costs relative to losses ⬇
💰 Losses due to account takeover ⬇
😈 Number of compromised accounts ⬇
😃 Customer satisfaction ⬆
47.
“Security people are full of morbid and detailed monologues about the pervasive catastrophes that surround us.”
James Mickens, This World of Ours