kelley robinson

You've built login for your application, but what happens when a customer upgrades their phone, loses their device, or otherwise gets locked out of their account? With an increasing number of consumer applications adopting Passkeys, account recovery is still a consideration. This session will show how to accommodate account recovery for passwordless solutions while minimizing account takeover and support overhead. I've tracked dozens of account recovery procedures to learn how everyone from utility companies to crypto startups attempt to re-verify identity when life happens. This talk will look at that research and outline best practices you can use depending on your industry and customer risk profile.

This talk was given at Authenticate 2024.

I talk with Twilio co-founder and CEO Jeff Lawson about Generative AI and how Twilio can use LLMs to create better customer experiences.

This talk was given at Twilio SIGNAL 2023.

SMS pumping causes inflated traffic to your app with the intent to make money and not to steal information. Unfortunately this means you might be hit with higher than expected bills from your telecom provider if your application isn't designed to prevent it. Learn what SMS pumping is, how it compares to similar attacks like IRSF, and how fraudsters profit from this tactic. You'll learn strategies to prevent the attack and improve your phone verification workflow in the process, ensuring all of the benefits of phone number verification without unintended expenses.

This talk was given at Authenticate 2022.

Authentication needs to be usable for it to be successful. Unfortunately, passwords are pretty insecure. Not only do some users choose guessable passwords but they tend to use them all over the internet as well. 2FA adds an extra layer of security by requiring at least two types of authentication. Like all security, authentication is all about finding the right balance between usability and friction. In this video Kelley walks through the why's and how's behind 2FA, some data around implementation stats, and the different options for adding 2FA to your applications.

At Twilio, we provide a free consumer 2FA service via the Authy App. We've spent over seven years thinking about account recovery, refining the process, and designing our system to balance the support burden with necessary friction. During that time I've tracked dozens of other account recovery procedures to learn how everyone from utility companies to crypto startups attempt to re-verify identity when life happens. This talk will look at that research and outline best practices you can use depending on your industry and customer risk profile. Security keys and app based authentication are great until the user loses the device but SMS 2FA is too insecure to use as the only account recovery mechanism. Since phone support is commonly used for account recovery, we'll highlight how to build guardrails for your call center agents to minimize costs and delight customers. You'll leave understanding the trade-offs of mechanisms for 2FA recovery (like government ID verification, forced waiting periods, security questions) and debating the value of recovery tokens.

This talk was given at BSides SF 2023, Northsec 2020 and Identiverse 2020.

If you've noticed a surge in unwanted robocalls from your own area code in the last few years, you're not alone. The way telephony systems are set up today, anyone can spoof a call or a text from any number. With an estimated 85 billion spam calls globally, it's time to address the problem. This talk will discuss the latest advancements with STIR (Secure Telephone Identity Revisited) and SHAKEN (Signature-based Handling of Asserted information using toKENs), new tech standards that use well accepted public key cryptography methods to validate caller identification. We'll discuss the path and challenges to getting this implemented industry wide, where this tech will fall short, and what we can do to limit exposure to call spam and fraud in the meantime.

This talk was given at Shmoocon 2020 and OWASP AppSec California 2020.

Security professionals agree: SMS based Two-factor Authentication (2FA) is insecure, yet thousands of companies still employ this method to secure their customer-facing applications. This talk will look at the evolution of authentication and provide a data driven analysis of the tradeoffs between the different types of factors available. Join us as we explore the modern landscape of 2FA and debate the relative merits of SMS and its alternatives. We'll dive into a detailed comparison of methods like SMS, Soft Tokens, Push Authentication, and WebAuthn. From cryptographic security strength to end-user experience, we will break down the benefits and downsides for the different methods and provide guidance for choosing the right methods for your business. Finally, we'll walk through some real world examples of how different organizations implemented 2FA and provide a framework for threat modeling customer authentication.

This talk was given at BSides SF 2020 and GOTO Chicago 2020.

You've built login for your application—maybe you even have 2FA—but what happens when a customer calls the support number listed on your website or product? Security teams and app developers have thought a lot about online authentication, but we haven't applied the same rigor to designing systems for authenticating over the phone. At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This talk will take a look at that research and outline best practices you can use in your own call centers. You'll leave the session understanding what information should be made available to the agent and what kind of product features you can build into your web or mobile application that can facilitate phone authentication.

This talk was given at BSides SF 2019 and OWASP AppSec California 2019.

From TLS to authentication, "crypto" is used for a lot more than just currencies. Security should be part of every engineer's toolkit and cryptography is a foundation we can master together. This talk will dive into modern cryptography theory, the math behind how it works, and its everyday use cases. By looking at the origins of cryptography we'll follow the progression of methods and algorithms as humans and computers evolved. You'll leave understanding the difference between symmetric and asymmetric cryptography, why you would have a public and private key, and how those get used in a variety of applications. This will *not* be a talk about bitcoin, but will dive into how cryptography helps secure anonymous transactions and keeps your identity and data safe.

This talk was given at GOTO Chicago 2019, Twilio SIGNAL 2018 and PyGotham 2018.

In an age when a new data breach is revealed with frightening regularity, developers have a responsibility to secure our applications' user data more than ever. But fear not, YOU have the power to deter the hackers! You may recognize Two-factor Authentication (2FA) as an additional safeguard for protecting accounts, but do you really know how it works? This talk will show you how to implement One Time Passwords (including what's happening under the hood of those expiring tokens) and even provide a legitimate use case for QR codes! You'll come away recognizing the different approaches to implementing a 2FA solution and have a better understanding of the one that's right for your application. Together, we'll make the web a more secure place.

This talk was given at DC ISSA Meetup May 2019, PyBay 2018 and SF Python Meetup December 2017.

Apache Spark aims to solve the problem of working with large scale distributed data -- and with access to over 500 million leaked passwords we have a lot of data to dig through. Advancements in the API make running Spark with Scala, Python, or even SQL smoother and faster than ever. This talk will introduce you to Spark and the new way to run queries on structured, distributed data by looking at breached credentials. We'll walk through how to get started with Spark and discuss the tradeoffs for using different abstractions provided by the framework. With the help of live code, we'll find patterns in the password data and look at how you can encourage your users to be more secure. You will see how easy and fast it is to both explore and process data using Spark SQL and leave with the tools to get started with your own distributed data...and a password manager.

This talk was given at GrrCon 2018, GOTO Chicago 2018, SF OWASP Meetup July 2018, SciPyLadies Meetup June 2018 and Scala Days 2018 (New York and Berlin).

Scala developers love to discuss Monads, their metaphors, and their many use cases. Recognizing that monadic design and development patterns have their place, this talk will discuss the price of implementing the Free Monad in your code - spoiler alert - it's not free. We will define the Free Monad (without using complicated category theory!) and give you the confidence to know when it is and is not the answer in your code. We will also discuss some alternatives and their tradeoffs in maintainability, performance and design.

This talk was given at Scala Days New York 2016, Curry On Rome 2016, Code Mesh 2016 and LX Scala 2017.

It's functional, it's object oriented, it's everything you never knew you wanted and more! Scala has been growing in popularity over the last 15 years and has now taken off in a variety of applications ranging from data science to distributed systems to messaging and the web. You've been curious about this language, and now is your chance to learn more. Whether you're a seasoned programmer or a beginner, a veteran on the JVM or just had to google that acronym, this talk will provide an introduction to the Scala language, why people use it, and why you might be interested in learning more. We'll walk through the pros and cons of the language ecosystem and give you a practical look at how to get started.

This talk was given at GOTO Chicago 2017.

Scala is often touted as a tool for Functional Programming, but Functional Programming (FP) itself is left to differing and opinionated definitions by many of its practitioners. FP is a well defined approach to writing programs that we will uncover in this talk. It is a style that long predates Scala and many of the modern abstractions that are often referred to as "essential" tools. We will walk through the origins of FP, providing historical context through Lisp and the research that brought us this paradigm. We'll define what FP is and what it is not, looking at how tools like purity and immutability enable the expressions at the heart of FP. Finally we'll talk about practical approaches to Functional Programming in Scala, how you can and why you would use this style in your everyday work. This will _not_ be a talk about monads and type systems, but give you a pragmatic look at how to separate the syntactic sugar from the underlying principles.

This talk was given at Scala Days 2017 (Chicago and Copenhagen).