
The All Things Auth Podcast

Technology Podcasts

Every 2 weeks, Conor Gilsenan hosts a conversation with creators, researchers, founders, and advocates who are working to improve the usability of security and privacy technologies. Guests share what they are currently working on, how they got to where they are today, who they are trying to help, and what keeps them motivated to overcome challenges along the way. The goal is for the rest of us to learn from their experiences and go on to promote usable security and privacy within our own projects and organizations.

Location:

United States

Twitter:

@conorgil

Language:

English


Episodes

#010 - Making Open-Source Software Usable with Ashley Fowler of USABLE.tools

10/10/2019
Social media & website: connect@usable.tools; @global_ashm; @USABLE_tools; usable.tools
Resources mentioned in episode: Where did USABLE come from?; USABLE Guidebook; USABLE blog; Simply Secure; OKTHANKS; Accessibility Lab; Mailvelope; Mailvelope Blog; personas; Secure Drop; Orbot; KeePass XC
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/010-ashley-fowler-of-usable-tools.

Duration:00:46:05


#009 - How to be an #MFAally with Tanya Janca of Microsoft

9/27/2019
Social media & website: @shehackspurple; dev.to/shehackspurple
Resources mentioned in episode: Tangerine Bank; WealthSimple; PayPal; Multi-Factor Authentication (MFA); twofactorauth.org; 2FA Notifier; Azure shared; Jessy Irwin
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/009-tanya-janca-of-microsoft.

Duration:00:48:22


#008 - Secured by Math, Designed for People with Pilar García of 1Password

9/13/2019
Social media & website: @1password; 1password.com
Resources mentioned in episode: 1Password’s White Paper; XKCD comic on password strength; Watchtower; Pwned Passwords API; here; here; Junade Ali’s post on the Cloudflare blog; NIST special publication 800-63B; $100k bug bounty
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/008-pilar-garcia-of-1password.

Duration:00:58:29


#007 - SOUPS 2019 - Part 2

8/16/2019
Social: @yixinzou1124
University: School of Information at University of Michigan
Paper: An Empirical Analysis of Data Deletion and Opt-Out Choices on 150 Websites
Social: @kb_usec
University: Institute of Computer Science 4 Security and Networked Systems at University of Bonn
Paper: Replication: No One Can Hack My Mind Revisiting a Study on Expert and Non-Expert Security Practices and Advice
Social: @anthonyvance; anthonyvance.com
University: Center for Cybersecurity of the Fox School of Business at Temple University; Neuro Security Lab at Brigham Young University
Paper: The Fog of Warnings: How Non-essential Notifications Blur with Security Warnings
Social: in/sarahpearman; sarahpearman.com
University: CyLab at Carnegie Mellon University
Paper: Why people (don’t) use password managers effectively
Social: in/kyle-crichton-81b72359
University: CyLab Usable Privacy and Security (CUPS) Laboratory at Carnegie Mellon University
Paper: Incentives for Enabling Two-Factor Authentication in Online Gaming
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/007-soups-2019-part-2

Duration:00:43:32


#006 - SOUPS 2019 - Part 1

8/16/2019
Twitter: @_weimf
University: Security and Privacy Research Lab at University of Washington; SUPERgroup at University of Chicago
Paper: “What was that site doing with my Facebook password?” Designing Password-Reuse Notifications
University: Institute of Computer Science 4 Security and Networked Systems at University of Bonn
Paper: "If you want, I can store the encrypted password." A Password-Storage Field Study with Freelance Developers
Twitter: @dimartinomar
University: Expertise Center for Digital Media (EDM) at Hasselt University
Paper: Personal Information Leakage by Abusing the GDPR 'Right of Access'
University: Lab of Information Integration, Security and Privacy (LIISP) at UNC Charlotte
Paper: Messaging Campaigns for Motivating Users to Adopt Duo at a University
Paper: The Effectiveness of Fear Appeals in Increasing Smartphone Locking Behavior among Saudi Arabians
Twitter: @kryptoandi
Company: onespan.com
University: Information Security Group at University College London
Paper: Taken Out of Context: Security Risks with Security Code AutoFill in iOS & macOS
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/006-soups-2019-part-1

Duration:00:40:37


#005 - Grading How Companies (In)Securely Store Passwords with Michal Špaček of Password Storage

8/3/2019
Michal Špaček shares the story of how the Password Storage project has convinced hundreds of companies to publicly disclose their password storage practices and assigned each a grade based on how well they follow best practices. We discuss hashing algorithms and the technology behind storing passwords securely. Learn why a company that follows the technical best practices might still not earn an A grade if it does not have a public disclosure, or if it relies on an Invisible Disclosure. We compare the Password Storage project to other fantastic security tools, including SSL Labs and Mozilla Observatory. Michal outlines how the grading criteria will change in the short term, highlights the desire to get more companies included in the data set, and contemplates how the project will continue to grow over time. This episode was initially published in August 2019, the 5-year anniversary of Michal’s talk at BSides Las Vegas 2014, which planted the seeds that eventually grew into the Password Storage project. Happy birthday, Password Storage!
Social media & website: @PasswordStorage; @spazef0rze; Password Storage disclosures; michalspacek.com
Resources mentioned in episode: here; PasswordResearch.com; @PwdRsch; Upgrading existing password hashes; the FAQ
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/005-michal-spacek-of-password-storage

Duration:01:02:04


#004 - Product Managers: The Polyglot Communication Hubs That Improve Your Products with Simon Moffatt of ForgeRock

7/18/2019
Simon Moffatt, a Technical Product Manager at ForgeRock, joins me to discuss why a Product Manager is a critical role within any organization that aims to create usable security and privacy technologies. We discuss what, exactly, a PM actually does and why they are the critical hub between all departments, teams, and areas of the business. While most companies have a never-ending list of TODO items, Simon explains why it is important to have a DO NOT list. Should PMs come from a technical background, a sales background, or is it better to be a polyglot with a range of experience? How can companies create product road maps that they will actually stick to and avoid the trap of sales-driven engineering? We also discuss security compliance and how market failures lead to standards and regulation to protect end-users.
Social media & website: @SimonMoffatt; @ForgeRock; simonmoffatt.com; forgerock.com; @simonmoffatt
Resources mentioned in episode: The Lean Startup; The Cyber Hut
You can find the host of The All Things Auth Podcast on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/004-simon-moffatt-of-forgerock

Duration:00:59:04


#003 - End-to-end Encrypted Chat Without Getting Snooped On with Max Krohn of Keybase

7/4/2019
Keybase is a Slack-like app that supports chat and file sharing, but it is fully end-to-end encrypted. You might be familiar with other well-known apps that support end-to-end encryption, like WhatsApp and Signal, but Keybase has a fundamentally different security architecture. Max explains why this is so important and helps us understand the cryptography that makes the service work. Before starting Keybase, Max was the co-founder of OkCupid. He shares the story about how he went from running a dating app to focusing on making public key cryptography approachable for the average internet user. Towards the end of our conversation, we discuss how Keybase approaches user research, how Keybase makes enough money to keep the lights on, and how they plan to grow the service in the future.
Social media & website: keybase.io; @keybaseio; @maxtaco; @maxkeybasefriends
Resources mentioned in episode: Keybase's New Key Model; Introducing Keybase Teams; Keybase is not softer than TOFU; Keybase documentation; Google, WhatsApp, and Apple slam GCHQ proposal to snoop on encrypted chats
You can find Conor, the host, on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/003-max-krohn-of-keybase

Duration:01:16:57


#002 - Your Phone is a Phishing Resistant Security Key with Alex Grinman of Kryptco

6/20/2019
Alex shares the story of how Krypton first started as a secure messaging app, then evolved to help developers manage SSH keys, and today aims to make phishing-resistant two-factor authentication a realistic option for average internet users. We get Alex’s thoughts on Google’s recent focus on allowing Android phones to be used as security keys, what happens if you lose your phone, and different approaches to account recovery.
Social media & website: krypt.co; @kryptco; hello@krypt.co; www.alexgr.in; @alexgrinman
Resources mentioned in episode: FIDO2: WebAuthn & CTAP; Our Zero-Trust Infrastructure; on GitHub; Advisory: Security Issue with Bluetooth Low Energy (BLE) Titan Security Keys
You can find Conor, the host, on Twitter @conorgil. Canonical URL: https://allthingsauth.com/podcast/002-alex-grinman-of-kryptco

Duration:00:54:01


#001 - Open-source Hardware Security Keys with Conor Patrick of SoloKeys

6/6/2019
Conor explains what security keys are and why they provide a stronger level of security than other methods of 2FA. He shares the story about how he created and sold his first open-source security key on Amazon while he was an undergraduate studying Computer Engineering and how that project evolved into a wildly successful Kickstarter project that launched SoloKeys the company. Towards the end of the conversation, Conor shares his thoughts on the recent trend of using phones as security keys and highlights Somu, the next exciting product that he and his team are working on right now.
Social media & website: @SoloKeysSec; SoloKeys website; @_conorpp
Resources mentioned in episode: FIDO2: WebAuthn & CTAP; Designing and Producing 2FA tokens to Sell on Amazon; conorpp/u2f-zero; Build a U2F Token; Kickstarter project; Designing Solo, a new U2F/FIDO2 Token; solokeys/solo; Now generally available: Android phone’s built-in security key; Nitrokey/nitrokey-fido-u2f-firmware; Somu: A tiny FIDO2 security key for two-factor authentication and passwordless login
Canonical URL: https://allthingsauth.com/podcast/001-conor-patrick-of-solokeys

Duration:01:03:30