Speaker: Dean Saxe, Sr. Security Engineer, Amazon Web Services
Date: Wednesday, June 22, 2022
Location: Denver, CO
Description: All systems that require authentication of users share a common problem: users are human. Users forget or lose their credentials; they lose, reimage, break, or sell hardware with embedded credentials (e.g., a phone or laptop); users lose account access when they lose an email address their account is bound to; in some systems, their credentials expire and need to be reissued.
The common theme is that users need alternative mechanisms to restore access to accounts whose credentials are unavailable. How exactly do you assess account recovery mechanisms for suitability in your environment? What are the tradeoffs between different mechanisms? How can we nudge users to do the “right” thing? In this session, we review a framework for understanding account recovery in the form of an iron triangle centered on three concerns: access continuity, privacy, and security. Using the framework, we’ll review the relative strengths and weaknesses of common account recovery mechanisms, giving teams a way to reason about the suitability of their own account recovery mechanisms.