BSidesSF 2019

Two-factor authentication (2FA) represents a second line of defense against account takeover, and all online services accepting passwords should provide 2FA as an option to their users, especially if they deal with sensitive data or money. When implementing 2FA, however, we are faced with several choices that directly impact the user experience, including which methods to support, how and when to introduce them, and more generally how to describe 2FA to users, perhaps with limited technical knowledge.

This talk is structured as a tutorial on how to add 2FA to an existing website, with flows and code samples. It's based on first hand experience implementing 2FA at Pinterest and releasing it globally to millions of users. We cover designing an effective user journey, architecture, and implementation choices including TOTP, push notifications, and FIDO security keys. For completeness, we also cover additional authentication flows such as social login via OAuth or password reset.