kelley robinson

Talks

What if we had TLS for phone calls? An introduction to SHAKEN/STIR

Slides | Video

If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem. This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

Conferences

Designing customer account recovery in a 2FA world

Slides | Video

You've built login for your application—and even added 2FA—but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? This session will show how to accommodate account recovery when the user has 2FA enabled while minimizing account takeover and support overhead. At Twilio, we provide a free consumer 2FA service via the Authy App. We've spent over seven years thinking about account recovery, refining the process, and designing our system to balance the support burden with necessary friction. During that time I've tracked dozens of other account recovery procedures to learn how everyone from utility companies to crypto startups attempt to re-verify identity when life happens. This talk will look at that research and outline best practices you can use depending on your industry and customer risk profile. Security keys and app based authentication are great until the user loses the device but SMS 2FA is too insecure to use as the only account recovery mechanism. Since phone support is commonly used for account recovery, we'll highlight how to build guardrails for your call center agents to minimize costs and delight customers. You'll leave understanding the trade-offs of mechanisms for 2FA recovery (like government ID verification, forced waiting periods, security questions) and debating the value of recovery tokens.

Conferences

2FA in 2020 and Beyond

Slides | Video

Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data driven analysis of the tradeoffs between the different types of factors available. Join us as we explore the modern landscape of 2FA and debate the relative merits of SMS and its alternatives. We'll dive into a detailed comparison of methods like SMS, Soft Tokens, Push Authentication, and WebAuthn. From cryptographic security strength to end-user experience, we will break down the benefits and downsides for the different methods and provide guidance for choosing the right methods for your business. Finally, we'll walk through some real world examples of how different organizations implemented 2FA and provide a framework for threat modeling customer authentication.

Conferences

Contact Center Authentication

Slides | Video

You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product? Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

Conferences

Practical Cryptography

Slides | Video

From TLS to authentication, "crypto" is used for a lot more than just currencies. In 2018 security should be part of every engineer's toolkit and cryptography is a foundation we can master together. This talk will dive into modern cryptography theory, the math behind how it works, and its everyday use cases. By looking at the origins of cryptography we'll follow the progression of methods and algorithms as humans and computers evolved. You'll leave understanding the difference between symmetric and asymmetric cryptography, why you would have a public and private key, and how those get used in a variety of applications. This will *not* be a talk about bitcoin, but will dive into how cryptography helps secure anonymous transactions and keeps your identity and data safe.

Conferences

2FA, WTF?

Slides | Video

In an age when a new data breach is revealed with frightening regularity, developers have a responsibility to secure our applications' user data more than ever. But fear not, YOU have the power to deter the hackers! You may recognize Two-factor Authentication (2FA) as an additional safeguard for protecting accounts, but do you really know how it works? This talk will show you how to implement One Time Passwords (including what's happening under the hood of those expiring tokens) and even provide a legitimate use case for QR codes! You'll come away recognizing the different approaches to implementing a 2FA solution and have a better understanding of the one that's right for your application. Together, we'll make the web a more secure place.

Conferences

Analyzing Pwned Passwords with Apache Spark

Slides | Video

Apache Spark aims to solve the problem of working with large scale distributed data -- and with access to over 500 million leaked passwords we have a lot of data to dig through. Advancements in the API make running Spark with Scala, Python, or even SQL smoother and faster than ever. This talk will introduce you to Spark and the new way to run queries on structured, distributed data by looking at breached credentials. We'll walk through how to get started with Spark and discuss the tradeoffs for using different abstractions provided by the framework. With the help of live code, we'll find patterns in the password data and look at how you can encourage your users to be more secure. You will see how easy and fast it is to both explore and process data using Spark SQL and leave with the tools to get started with your own distributed data...and a password manager.

Conferences

Why the Free Monad Isn't Free

Slides | Video

Scala developers love to discuss Monads, their metaphors, and their many use cases. Recognizing that monadic design and development patterns have their place, this talk will discuss the price of implementing the Free Monad in your code - spoiler alert - it's not free. We will define the Free Monad (without using complicated category theory!) and give you the confidence to know when it is and is not the answer in your code. We will also discuss some alternatives and their tradeoffs in maintainability, performance and design.

Conferences

Demystifying Scala

Slides | Video

It’s functional, it’s object oriented, it’s everything you never knew you wanted and more! Scala has been growing in popularity over the last 15 years and has now taken off in a variety of applications ranging from data science to distributed systems to messaging and the web. You’ve been curious about this language, and now is your chance to learn more. Whether you’re a seasoned programmer or a beginner, a veteran on the JVM or just had to google that acronym, this talk will provide an introduction to the Scala language, why people use it, and why you might be interested in learning more. We’ll walk through the pros and cons of the language ecosystem and give you a practical look at how to get started.

Conferences

Functional Programming Essentials

Slides | Video

Scala is often touted as a tool for Functional Programming, but Functional Programming (FP) itself is left to differing and opinionated definitions by many of its practitioners. FP is a well defined approach to writing programs that we will uncover in this talk. It is a style that long predates Scala and many of the modern abstractions that are often referred to as "essential" tools. We will walk through the origins of FP, providing historical context through Lisp and the research that brought us this paradigm. We'll define what FP is and what it is not, looking at how tools like purity and immutability enable the expressions at the heart of FP. Finally we'll talk about practical approaches to Functional Programming in Scala, how you can and why you would use this style in your everyday work. This will _not_ be a talk about monads and type systems, but give you a pragmatic look at how to separate the syntactic sugar from the underlying principles.

Conferences

© 2020