People of Authy: Simon Thorpe
Working at companies like Oracle, Microsoft, and Okta, Simon Thorpe has spent a lot of time understanding and architecting solutions to secure all sorts of information. As Director of Product for Authy, Twilio’s two-factor authentication product, Simon works closely with an international team to deliver our world-class security solution. We thought we’d touch base in between his staff meetings in Bogota and an upcoming speaking engagement just steps from the White House.
AUTHY: According to LinkedIn, you started as a graphic artist for a gaming company. How did you end up as Director of Product at Authy?
SIMON: I’ve always been a big fan of the user experience. How do people interact with computers? It started for me with games, figuring out the user interfaces and working on how best to immerse someone in the gaming world. I then worked for Dell and had to tackle another user interface problem: how do people customize and purchase computers online? When I started at Dell, they had 350 people sitting in a huge room on phones selling computers. Within nine months, my team of about 10 people built a website that sold more computers than the 350 sales guys, mostly because we made the process of computer customization really simple. It was all about a good user experience.
Over the years I’ve worked in many different roles: product management, technical sales, support. But regardless of the role, I’ve always had a keen interest in building technology and solutions that deliver real end-user benefits. You, me, my parents and my children, we all need easier ways to interact with technology.
AUTHY: Agreed! Making technology simple for the general public is super important.
SIMON: I also love science and maths, and security technology has a lot of science baked in. Cryptography is the cornerstone of so much security software, yet it’s also something that’s hard to give to a user. I once had lunch with Phil Zimmermann, the creator of Pretty Good Privacy (PGP), the most widely used email encryption software. We talked a lot about user interaction and how PGP exposed too much of the complexity of cryptography to the user.
So fast forward to today, and I love what I do. I own the delivery of Authy, a technology that uses security techniques to protect the online logins for millions of users. Since the login is the first step to using an application, the experience must be as smooth as possible. So at Authy, we work hard to create really user-friendly mobile apps and APIs that are easy to implement.
AUTHY: What are your favorite things about the Authy developer community?
SIMON: Authy developers are well informed. They are the sort of people who end up choosing—and using—Authy because they really know their stuff. They understand, maybe through trial and error, that trying to add 2FA isn’t just as simple as downloading a library off of GitHub. You must support typical user issues like phone number changes and lost devices, and you must keep up to date with security enhancements, like the recent industry trend to move away from SMS and towards the use of one-time passwords. It takes a lot of bandwidth to constantly monitor and test the security and reliability of an implementation. And if your 2FA service stops working due to a bug, a failure to send an SMS, or a security vulnerability, users won’t be able to log in to your application. And that’s not a good experience. Authy, in the fact that it’s so simple to implement, allows our community of developers to focus on their business because they know that their users’ security is in good hands.
AUTHY: How has Authy 2FA changed over the years, and what improvements can we expect in 2017?
SIMON: Authy has always been focused on the user experience. It was designed with multi-device and cloud backup features to get around the problems people had with popular apps like Google Authenticator. But it was initially designed around the “one-time password” idea for 2FA, where someone uses a code that’s valid just once, as part of the login. I don’t need to tell you that this is an awful user experience. So in recent years we’ve launched the much-improved OneTouch feature and we’ve seen this idea validated by companies like Google, who recently launched Google Prompt, and Salesforce, with their Lightning Login service.
For 2017, we have a lot on our roadmap. First, we need to make the next level shift for the mobile apps. We’ve spent a lot of time looking at the API, and now we need to turn our attention once more to the app experience. They lost a little love at the start of the year, and we are very close to releasing some major new user experience enhancements. Then it’s back to the API, which will see some major updates in 2017. I can’t go into detail, but our customers are now demanding more than just 2FA. They want intelligence in their authentication.
AUTHY: What threats or problems must security products like Authy solve for?
SIMON: The biggest problem is not about security. Security, in many regards, is obvious. You can test for it, design for it, and add numerous elements to a technology to make it secure. But that’s just paperwork. The hardest problem to solve is how people interact with it. Someone, somewhere once told an amusing story about the most secure computer in the world: it has no keyboard, no mouse, no monitor and it’s not connected to any network. Oh… and it’s not switched on. VERY secure computer, but utterly pointless.
People’s behavior is the hardest thing about security. For two reasons. One, they want to be secure, but don’t want it to impact how they use their computers. Two, they don’t pay attention to anything you tell them. Want proof? For the past 3 years, the most popular password was “123456.” Before that, it was “password” which is currently the second most popular password. I don’t expect that to change in 2016.
So creating a secure system that is also easy to use is what’s difficult. That balance between usability and security is a constantly changing target and, when the needle moves too far in either direction, we fail to meet our objective.
AUTHY: Part of Authy’s challenge is to get the software used by developers so that they can protect their users’ accounts. But you also have to motivate adoption by users, many of whom still haven’t gotten the message.
SIMON: Unfortunately, like many things, it’s putting the cart before the horse. 2FA is usually adopted by people after they’ve been hacked. Security is like insurance, you don’t realize you need it until your house burns down. This is true for both application developers and end-users. How do you motivate adoption? Well… we see a few different ways that application owners nudge people into better protecting their information.
- Force them. Some of our customers don’t give users a choice. Take a look at Coinbase, for example. If your account is compromised in Coinbase, you are going to lose money. So 2FA is mandatory. No discussion. You must use 2FA to access your online finances.
- Remind them…often. Some organizations have slowly realized that protecting their customers’ accounts actually protects their business. So they gently pester users to enable 2FA. Every time they log in, they remind the user they are not as secure as they could be, and hint at enabling 2FA.
- Scare them. We see this with Authy clients. We’ve also seen horror stories shared on social media. There are many examples of people who lose access to their Twitter, Facebook, LinkedIn accounts—the list goes on and on—only to realize that 2FA was available on those accounts, but never enabled by the user. Sharing these stories provides examples of “this could happen to you.”
AUTHY: You’re speaking at AppSec USA 2016, on “Why using SMS in the authentication chain is risky.” What will your presentation cover?
SIMON: I can tell you only a little bit. Essentially, using SMS for anything security related is passé. It’s not safe. It’s not cool. It’s just not good enough! And we, our customers, the entire industry, are working hard to move away from using SMS in our security solutions. The challenge is how pervasive it’s become and how easily it can be used. Many of the alternatives to SMS require smartphones that you install software on, or that require a reliable internet connection. SMS is available on nearly every single handset, so it’s sort of entrenched.
My presentation at AppSec USA 2016 is how we, as an industry of developers, can move from SMS to more secure solutions, while still accepting that SMS is valid in certain instances.
AUTHY: Are you still a gamer?
SIMON: I never left gaming! I play Minecraft with my entire family most weekends and the quality of mobile gaming apps has really increased in recent years. I am also a huge fan of the indie gaming scene. Recently I loved playing SuperHot and Pony Island.
AUTHY: Do gamers have unique online account security needs?
SIMON: Online gaming actually is driving our product beyond 2FA into transactional security. For example, we’re seeing people using Authy to protect the in-game trading of items or to protect changes to characters. Nothing worse than spending six months building up your online profile only to have it wiped out by someone stealing your credentials and trading out all your items.
AUTHY: Finally, what’s on your reading list?
SIMON: I spend a bit of time on planes, so I always have a few good reads on my Kindle. Currently, I’m reading:
- The Scrum Field Guide; it’s important to keep fresh on software development techniques.
- The Time Machine, by H.G. Wells. Because it’s a fantastic story that still feels new.
- Ghosts, by Raina Telgemeier. My 8-year-old son just read this and wants me to read it as well!
- A book by my cousin Michael Maloney. Unfortunately, you can’t read it, yet…