Passwords are not Enough

by Greg Baugues

In the video "Passwords are not Enough," presented by Greg Baugues at RailsConf 2015, the urgent need for enhanced security measures in digital applications is explored, particularly through the implementation of two-factor authentication (2FA). Baugues emphasizes that even well-known companies can fall victim to security breaches, citing examples such as a high-profile Twitter incident involving a tech journalist whose accounts were compromised due to inadequate security measures.

Key points discussed include:

- Definition of Two-Factor Authentication: Baugues explains that 2FA adds an extra layer of security by requiring not just a password but also a second factor, typically a code sent to a user’s phone.
- Real-world Security Breaches: He points out that significant security incidents, including breaches involving companies like Slack, underline the necessity for robust security practices among developers.
- The Role of Authy: Following an acquisition, Twilio has teamed up with Authy to provide seamless 2FA integration into applications, making it easier for developers to enhance their app's security.
- Demonstration of Implementation: Baugues provides a live coding session that showcases how to integrate Authy within a Rails application in less than 20 minutes, highlighting the ease of use and effectiveness.
- User Education: He encourages developers and consumers to utilize password managers and check for compromised accounts through services like "Have I Been Pwned?" to bolster personal security.

Baugues concludes with a strong admonition for developers to prioritize the implementation of two-factor authentication to protect user data and trust. He argues that the effort required to implement 2FA is minimal compared to the potential damage caused by security breaches, which can lead to loss of user trust and potential lawsuits. His final message is a call-to-action for all developers to take the necessary steps to fortify their applications against evolving security threats.
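The summary above describes the second factor as a code sent to the user's phone and notes that such codes must be unpredictable and that a wrong token must not grant access. The Ruby class below is an added example, not code from the talk, from Authy, or from the Twilio gem: it implements the server side of that code lifecycle (CSPRNG-generated code, expiry, a cap on guesses, single use, and a server-keyed HMAC instead of the plaintext code at rest). Delivery is delegated to a caller-supplied `sender` callable so the code runs offline; the `secret` and the `clock` parameter are assumptions introduced here for keying and for testable expiry, and in a real app the sender would wrap an SMS API such as Twilio's.

```ruby
require "securerandom"
require "openssl"

# Added example (not from the talk or the Authy gem): the server side of a
# "code sent to the user's phone" second factor. Covers the parts the talk says
# are easy to get wrong: unpredictable codes, an expiry, a cap on guesses,
# single use, and no plaintext code at rest.
class SecondFactorCodes
  CODE_LENGTH  = 6
  TTL_SECONDS  = 300   # codes die after five minutes
  MAX_ATTEMPTS = 5     # guesses allowed per issued code (10**6 space, so the cap matters)

  Entry = Struct.new(:mac, :expires_at, :attempts)

  # sender: callable (phone, code); in production this wraps an SMS API (assumption).
  # secret: server-side key for MACing stored codes (assumption: loaded from a secret store).
  # clock:  callable returning Time, injectable so expiry can be tested deterministically.
  def initialize(sender:, secret:, clock: -> { Time.now })
    @sender  = sender
    @secret  = secret
    @clock   = clock
    @pending = {}   # user_id => Entry; in-memory here, a DB or Redis in practice
  end

  # Generate a fresh code from the CSPRNG, record its MAC and expiry, hand it to the sender.
  # Reissuing replaces any earlier pending code for that user.
  def issue(user_id, phone)
    code = format("%0#{CODE_LENGTH}d", SecureRandom.random_number(10**CODE_LENGTH))
    @pending[user_id] = Entry.new(mac(user_id, code), @clock.call + TTL_SECONDS, 0)
    @sender.call(phone, code)
    true
  end

  # Returns true exactly once for the right code within its lifetime; otherwise false.
  def verify(user_id, submitted)
    entry = @pending[user_id]
    return false if entry.nil?

    if @clock.call > entry.expires_at
      @pending.delete(user_id)            # expired: user must request a new code
      return false
    end

    entry.attempts += 1
    if entry.attempts > MAX_ATTEMPTS
      @pending.delete(user_id)            # too many guesses: burn the code
      return false
    end

    ok = constant_time_equal?(entry.mac, mac(user_id, submitted.to_s.strip))
    @pending.delete(user_id) if ok        # single use: a replayed code is rejected
    ok
  end

  def pending?(user_id)
    @pending.key?(user_id)
  end

  private

  # HMAC rather than a bare hash: a leaked table is useless without the server secret.
  def mac(user_id, code)
    OpenSSL::HMAC.hexdigest("SHA256", @secret, "#{user_id}:#{code}")
  end

  # Compare every byte so timing does not reveal how much of the MAC matched.
  def constant_time_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed demo: capture the "sent" code instead of texting it.
  outbox = {}
  codes = SecondFactorCodes.new(sender: ->(phone, code) { outbox[phone] = code },
                                secret: "demo-secret-change-me")
  codes.issue(1, "+15005550006")
  puts "correct code accepted: #{codes.verify(1, outbox['+15005550006'])}"
  puts "replay accepted:       #{codes.verify(1, outbox['+15005550006'])}"
end
```

In a Rails app the `verify` call sits in the verification action the talk describes: the user is marked as signed in only when it returns true, and a false result sends them back to the token form (or, once attempts are exhausted, to request a fresh code).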

00:00:12.400 Hello everyone, my name is Greg. First off, thank you so much for coming. There are a ton of great sessions going on, and I know it's been a long two days, so I appreciate you choosing to show up. I work for a company called Twilio, where I serve as a developer advocate.
00:00:37.120 For those of you who haven't heard of Twilio, we're probably best known for making it really easy for developers to send and receive text messages and place and receive phone calls directly from their apps.
00:00:50.239 This is how you can send a text message using Twilio. It requires about three lines of code. You can achieve something similar when making phone calls, as Twilio supports a wide range of use cases—from large-scale applications that build full-fledged call centers to simpler cases like sending a funny selfie.
00:01:21.040 We’ve always been about text messages and phone calls, which is what we've been primarily known for. Recently, we announced video calling, which is super cool. We’re making it as easy to integrate video calling into your apps as it is to integrate SMS and phone calls. If you'd like to get your hands on this early, we're holding a developer conference called 'Signal' in a little under a month in San Francisco. We will have amazing speakers, all focused on the tools and technologies developers are using to change the way we communicate.
00:02:28.080 Now, typically when I get up to give talks, I discuss text messages and phone calls, especially if I'm talking about Twilio. However, today I want to discuss something quite different. About two months ago, we had our first-ever acquisition in Twilio's history. We joined forces with a company called Authy. How many of you have heard of Authy before? It's almost a rhetorical question since I can't see anyone's hands anymore, but Authy makes it really easy to integrate two-factor authentication into your apps.
00:02:50.959 Over the last couple of years, I've become more familiar with two-factor authentication, starting as a consumer through my email account on Gmail. How many of you have two-factor authentication turned on for your email account? It looks like about half of you. How many have two-factor authentication enabled on accounts that are not your Gmail account? It's easy to think of hacking as something that happens to other people, but unfortunately, many stories of significant security breaches come to light every week. While I might feel safe thinking, 'Oh, I don't shop at Target,' or ‘I haven’t used Experian for checking my credit,’ I came across an article in Wired that really crushed my previous misconceptions about security breaches and hacking.
00:04:04.959 The article detailed how a tech journalist with a three-letter Twitter handle, Matt, was hacked. A couple of hackers decided to hack his Twitter account, so they went to his Gmail because gaining access to someone's Gmail account provides access to everything. If you can get into someone's email, you can request password resets for banks, Twitter accounts, etc. Matt did not have two-factor authentication enabled on his Gmail account.
00:04:19.840 The article described how the hacker called Apple claiming to be Matt, stating he couldn't access his me.com email. Apple issued a temporary password despite the caller's inability to answer the security questions set by Matt. They only needed two pieces of information that anyone with an internet connection could discover. Within a few minutes, a password reset email arrived in Matt’s inbox, but he didn't check it. Even if he had, he likely would not have noticed it because the hackers immediately sent it to the trash. They were then able to follow that link to reset his Apple ID password, and soon after, they reset his Gmail and Twitter passwords, remotely wiped his iPhone and MacBook, and deleted his Google account.
00:05:06.480 The lesson here is crucial: the hacker was able to gain access using only two pieces of information, which raises the stakes for all of us. How do hackers retrieve someone’s billing address? An easy way is through a WHOIS lookup on a domain name they own, especially if they have not enabled privacy protection on it. Similarly, they can guess the last four digits of credit card numbers using seemingly innocuous information you might freely provide.
00:05:25.600 This situation is eye-opening, not as a rampant digital scandal, but because it shows how easily common information can be manipulated. The hackers demonstrated a basic yet effective strategy without needing advanced techniques or major hacks, which illustrates an alarming vulnerability existing today in our digital world.
00:05:45.760 Which brings me back to my thread from before: the necessity of two-factor authentication. The reality is that many high-profile security incidents are occurring. For instance, just a few weeks ago, there was a compromise involving Slack. They announced that user credentials and hashed passwords were stolen; although they don’t store passwords in plain text, this compromise highlighted an urgent need for increased security measures. The announcement of the incident was followed remarkably quickly by the implementation of two-factor authentication, showcasing the increasing importance of this feature in preventing future breaches.
00:06:46.720 There's a compelling argument to be made that every new software service should prioritize strong security, particularly through two-factor authentication these days. This brings us back to Twilio and Authy. I haven’t quite figured out the corporate speak around calling it an acquisition, so let’s say we’re joining forces. Historically, Twilio has been a company that provides developers with tools to build stronger solutions, rather than full-fledged products. Our goal is to give developers APIs that empower them to easily build the solutions the world needs.
00:08:16.720 With Authy on our team, we are now offering a comprehensive solution for two-factor authentication. This is particularly important as many developers already use Twilio's SMS service for two-factor authentication, but the implementation is far from straightforward. There are numerous complicating factors, such as ensuring randomly generated codes cannot be easily predicted and addressing challenges in reaching users in various circumstances, like lack of cellular reception or losing their phones. Therefore, effectively implementing two-factor authentication is more intricate than merely sending a text message with a six-digit code.
00:09:40.640 Let me show you how it's done. Authy’s growth has been impressive since they went through Y Combinator. Their security service is used by major companies, and many customers are well-known in the developer community. I'll illustrate how to integrate Authy into your Rails application in about 15-20 minutes, which is straightforward yet powerful. I worry that many individuals do not realize the importance of using a password manager. Many people reuse passwords across different sites, leading to substantial risks if one gets compromised.
00:10:36.720 If you're uncertain if you've been compromised, using a resource like 'Have I Been Pwned?' is an excellent way to check which accounts might be at risk. Now, I’ll demonstrate the integration process. First, I'll show you how to log in to Coinbase, an example of a site that utilizes two-factor authentication effectively. They utilize both SMS and a Chrome extension that syncs with Authy to verify user identity.
00:12:09.840 Here’s what a streamlined two-factor authentication process looks like. After entering my information, Authy sends an SMS with a token to my phone. Even if I were to lose my phone, the platform offers versatility, allowing the use of multiple devices to authenticate a user. The aim is to bolster security measures across all functionalities, ensuring swift protection against potential threats.
00:13:39.920 Next, I’ll elaborate on how to integrate two-factor authentication into a Rails app. I’ll demonstrate a simple Rails application I built. For many developers, implementing authentication can be an early challenge. You can zero in on options like using different gems, which greatly facilitate this process, especially if your goal is connecting through OAuth with providers like Google or Facebook.
00:14:57.440 I’ll guide you through the code utilized in the registration and authentication processes and demonstrate how to seamlessly integrate Authy into a pre-existing Rails application. We’ll review the user’s schema and ensure that we secure password information effectively, confirming it’s hashed and not stored in plain text. After going through the application setup, I will illustrate my application to showcase how I collect essential user input, including country code and phone number.
00:16:23.440 Once successfully created, users will have access to secured data. The model ensures proper validation occurs for the collected information, keeping it streamlined and effective. Once the user registration is complete, I can demonstrate how data verification with Authy occurs, including the significance of storing user identifiers.
00:18:36.960 When signing in, Authy allows us to generate and send a secure code. The user can then verify their identity by entering that code into our Rails app before they gain access to their accounts.
00:20:53.760 As part of making the two-factor authentication process user-friendly, we also need to develop a verification action, allowing users access once they successfully provide the token sent to them. If they do not enter the correct token, they will not gain access to their accounts, reinforcing the security measures in place.
00:22:00.640 By implementing these practices in a Rails app, we ensure users have a more secure experience. It might be a bit of an increased effort, but the benefits in reducing potential attacks and enhancing user confidence are invaluable.
00:23:27.840 Ultimately, I've shown that in a short amount of time—in about 15-20 minutes—you can successfully integrate two-factor authentication into a Rails app that has an already established authentication system. I encourage all developers, as consumers of the digital landscape, to implement two-factor authentication on their accounts for enhanced security. The increasing incidents are alarming, and adopting this practice is a proactive step towards guarding your digital presence.
00:24:55.680 I hope that one takeaway from today’s talk is to prioritize the implementation of two-factor authentication, as protecting users is absolutely crucial. This investment in security is often dwarfed by the potential repercussions of a data breach, including lawsuits and the loss of user trust.
00:25:29.760 I'm here for any questions you might have, and I appreciate your time and attention.