Over 100 girl geeks attended Okta Girl Geek Dinner to hear lightning talks on product, engineering, UX design, and how to balance security and usability – and accessibility! Speakers include Maggie Law (Director of Product Design), Angie Song and Helen Chen (Software Engineers), Jade Feng (Product Manager), and Sara Daqiq (Developer Support Engineer). This event was recorded on March 20, 2019 at Okta HQ in San Francisco.
Transcript from Okta Girl Geek Dinner:
Angie Chang: Hi, my name is Angie Chang and I’m the founder of Girl Geek X. I want to thank you all for coming out to Okta tonight. How many of you here it’s your first Girl Geek dinner? Oh wow. How many of you here have been to more than five Girl Geek dinners? Six? Seven, eight, nine. Okay. Ten. Oh wow, we have a few. Okay. I was going to say, the last one standing will get a pair of socks. But, how do we pick this?
Gretchen DeKnikker: Why did you play that game? Say 11.
Angie Chang: 11? All right. I’m going to have to find you and email you, mail you a pair of socks. Really? Oh my God. Thanks for coming. Find me afterwards.
Gretchen DeKnikker: Or we can just come up with two pairs of socks.
Angie Chang: I want to tell a story about why these dinners are important to have week after week at various companies up and down the San Francisco Bay Area. So, for example, I’m really thrilled when I hear about successes as someone got a job from a Girl Geek dinner. And I’m going to be having lunch next week at Stripe with a girl who’s working as a data scientist there, and she said, “I got my job here because of a Girl Geek dinner a year ago.” And I was like, “Wow.” And she’s like, “Yeah. So I went to the dinner because I had just finished a coding bootcamp, and then I talked to one of the speakers, because she inspired me, and then we grabbed coffee. And then we were grabbing coffee back at the office, and I asked her for an internship, and she said, ‘Let me ask this guy right here since he runs the data science team.’ So he said, ‘I don’t have internships. I have jobs. Send me a resume.'” So now she works there.
Angie Chang: So the things that will happen when you talk to people. So I encourage you to make friends, make connections, talk to recruiters, and make the most of this night. Thank you for coming.
Gretchen DeKnikker: Hey. I’m Gretchen. Definitely, if you have got a job through a Girl Geek dinner, come tell us because we love to promote those. If you come and tell us it helps people who are trying to organize a dinner at their own company like walk in with a little more like heft of like, “I have all of the stats, and you must do this because it will be amazing.” And obviously it will be, right? Like look what a nice job. Do you guys love this office?
Gretchen DeKnikker: Like I want to come work just to be and have that awesome view. This is amazing. Yeah. So, we do have a couple other things going on right now. We just launched a podcast like, I don’t know, two months ago. Maybe. And like episode six just came out and it’s on becoming a manager. So they’re every two weeks and the next one is on bias in hiring, which is my favorite one that we’ve done so far. And I think a really awesome one. So definitely subscribe, check it out, tell us what you think, because we’ve never done a podcast before. So it might suck. And it would just be cool to know that sooner rather than later. So we can make it better!
Gretchen DeKnikker: All right. And then soon we’re going to have a monthly webcast. So I don’t know if you guys got to come to our International Women’s Day Elevate event last week, or a week before? Week before. We had like 2,500 people sign up and 1,000 came. And we had these amazing speakers. We’ll put out the videos soon. So, keep an eye out. There’s like lots more content and lots more ways to engage with us other than coming here. But please come to these because we love meeting you all in person. All right, so I’m going to hand it over to Mindy. Thank you guys so much.
Mindy Lieberman: Welcome everybody. I am Mindy Lieberman. I am the vice president of business systems here at Okta. And I am here to welcome you as your MC to tonight’s Girl Geek dinner. I cannot believe the turnout. This is so amazing to see. And we have a fantastic event lined up for you. We’ve got lightning talks from women from Okta for some fabulous women representing customer … Excuse me. Developer support from product management, from engineering, and from the usability team. My role here tonight is to ease you in gently. I’m going to talk a little bit about Okta, about Okta’s product, about Okta’s culture. I’ll share a little of my own story. Because the great thing about these Girl Geek dinners is they’re not just about learning something new, but they’re about meeting each other, networking, and feeling that Girl Geek power.
Mindy Lieberman: I cannot believe this room is standing room only. That is just like such a fabulous thing to see. So, let’s start with learning about Okta. Just show of hands, how many of you have used Okta or use it now. Whoo!
Mindy Lieberman: Well, you are in good company. Because millions of people use Okta every day. Okta is the leader in identity, and that means that we securely connect customers to the apps and the technology that they use every single day. We have a workforce branch, and what that means is that we’re connecting companies. We are their front door to the apps and technology that they use. So for example, if you’re from Nordstrom, you come in in the morning and you are using Okta to get to your own apps and stuff. And when we say workforce, we’re not just talking about employees. Because we know that increasingly it’s a complicated fabric and network of people who support a company. So it’s partners, it’s contractors, it’s the whole shebang. And that is true not only for Nordstrom but for all of the logos around that circle.
Mindy Lieberman: The Okta experience is you sign in, you authenticate securely, and then it is available through any device, through any browser. And of course we’ve got some really, really rich APIs.
Mindy Lieberman: But wait, there’s more. We also do customer identity. And what that means is we securely authenticate our customers’ customers. So, example, how many of you maybe JetBlue, are in their loyalty program? Okay. Well, if you’re authenticating into JetBlue, guess what’s powering you underneath the covers? Okta. If you have booked a doctor’s appointment on Dignity Health, Okta. If you are logging into the Adobe Creative Cloud, Okta. Right. So we are all about identity.
Mindy Lieberman: And this is a really interesting time. As an IT leader, I mean my role is business systems where we enable internal users with technology to support marketing, customer success, et cetera. So identity really does enable modern IT. Especially now in this era where we’re going wall to wall SaaS. But as well, identity defines the customer experience, because it has to be personalized. And in the middle, of course, is security. And Okta is the vector to enable all of these things.
Mindy Lieberman: But what makes Okta great for me is not just the product, it’s the culture. It is just a fantastic place to work. And one of the things that make Okta so great is our commitment to diversity, inclusion, and belonging. I just want to recognize Madhavi Bhasin. Can you raise your hand in here. Where are you Madhavi? Okay. She’s someplace.
Female: She’s trying to get one last person in here.
Mindy Lieberman: She’s trying to get one last person in here. Okay. So Madhavi is our program manager of Diversity, Inclusion, and Belonging, who recently joined us. She and her team have a vision about creating this culture of diversity and inclusion. She’s got initiatives to support it, including growth paths for everybody. But I just want to focus for a second on the Okta-spin on this. Because there are lots of companies who are committed to diversity and improving the stats. But the whole notion of belonging, when I first heard that it felt very personal to me. You know, belonging is making sure that no matter who you are you can bring your full identity to work. You can be the same person at the office that you are in your living room, and you can bring with you your gender identity, your ethnicity, your heritage, you know, whatever axis you fall on, you are that whole person, and you come to work and you belong here. It is your family.
Mindy Lieberman: And that is what makes Okta unique. Not only are we committed to diversity and inclusion by hiring the program manager. There’s one more piece of evidence. We have representation here tonight from a whole bunch of our executive staff, who may not be listening at this moment. But I’m going to … Could you please raise your hands. I want to … Ryan Carlson, CMO, in the back, an Okta supporter. Rick-Jean Vecchio, Okta supporter. Krista Copperman. Head of Customer First. Right? Our executives could be anywhere tonight, but they are here supporting the women of Okta with our event. So, special place, I’ve been here for two years. Thank you. Thank you. Because it’s not just talking the talk. It’s walking the walk, and showing up is one of the ways you do that. So, if this all sounds good, which is a really great product at a really great time in the technology history, and a really great culture, well, we want to talk to you. A lot of the women you’re about to see have openings in their group. Okta is growing like gangbusters. We have a recruiting table with schwag over on the side. And the schwag is pretty good. And we’d love to hear more from you. If you’ve got any interest you can find us.
Mindy Lieberman: After the talks we will be mingling, and we’re happy to answer any questions. Before I get to the talks, though, I just want to mention that you should be thinking not only about who these women are, but whether you want to see them as colleagues. Because lots of our women have openings in their own groups. So not only can you maybe picture yourself doing what they’re doing, but you might be able to picture yourself at the desk next door. Okay. Tonight is not just about information, entertainment, technology. It’s also about women, networking, and sharing stories. So to that end I thought I would tell you a little bit about my own. This is one PowerPoint slide of how I got here. And I got to say, like if you look at it in one slide in retrospect it looks like it’s a career journey that kind of makes sense. But it’s only in retrospect. As I stood on every lily pad and jumped to every other lily pad, I promise I was terrified and I did not feel like I knew what I was doing.
Mindy Lieberman: But I do want to share with you one story between Cisco and Salesforce, because I think there’s some lessons that I learned. It was a surprising thing, and I could share that with you guys as well. So Cisco is a place where I spent nine years and change. I came in as an engineer in IT, writing code, and in the course of my nine years just to like keep it interesting I cycled through every single job in IT. I wrote code, I managed people who wrote code, I did architecture, I managed people who did architecture, I did business architecture, I did project management, program management. And I did it across departments.
Mindy Lieberman: So after nine years of sort of going through the circuit I realized I wanted to get back to my engineering roots. And so, resume in hand, I got a 30-minute meeting with my old boss’s boss, who is the ex-CIO of Cisco, who had left Cisco to join a venture capital firm. And I went in there, you know, very sheepish, and I put my resume in front of him and said, “What would it take for you to take me seriously as the VP of engineering?” And I was expecting that he was going to give me, “Well, you need that, this, that, and the other thing, blah, blah, blah, blah.” But to my surprise, and I’m still gobsmacked today, he said, “You know, I’d take you seriously right now. I actually don’t have anything, but I got this friend Bob down the hall and he just opened a new fund and he’s got a Series A company that needs somebody. I think you guys should talk.”
Mindy Lieberman: And so like the story earlier, right place, right time, but also asking the question. I had psyched myself out before that meeting thinking that no was going to be the answer, because I didn’t hit all the criteria. But Pete knew me. And he knew that I had grit and I was smart and I worked hard. And no wasn’t the answer. But it was not the answer partially because I asked the question. So my call to action here to you all tonight, is don’t assume it’s a no. Ask the question. The worst you can hear is not now, or later. But you, also, it could be a yes.
Mindy Lieberman: I heard some statistic once that women won’t apply for a job unless they feel like they meet 80% of the must-have criteria. Men, not so much. So, maybe we can take a page out of that book. So, that’s about me, and about Okta. And now it’s time for the main event, which is our Okta lightning talks. Now, how we’re going to roll tonight is going to bring up our speakers, who will give their talks in succession. After that we will all come back for a panel Q&A. And following that we will be mingling. So we will answer any question, either about the talks or whatever you want to talk about. Career stuff, good places for lunch around here, what do we think of that view, how creepy is it to look across and see everybody like in the Salesforce building. Whatever it is that you feel like talking about we’re down for that plan, okay?
Mindy Lieberman: So thank you so much for showing up. Thank you so much for being Girl Geek X. You are our people. And with that, I will hand it over to Maggie Law.
Maggie Law: Thank you, Mindy. Let’s see here. You’re going to have to remind me to remove that at the end of this, because I’m going to forget. Hmm, wrong direction. Hi. I’m Maggie Law. I’m director of product design here at Okta. And I’m the colleague that you want at the desk next to you. So, I’m going to talk about usability and security tonight. But I thought first I’d give you a sort of meandering tour through my career. I started out in college as a word nerd. I was a classics major. That’s Greek and Latin. And I also took classes in Egyptian hieroglyphics and American sign language. Which prepared me really well for a series of meaningful, sorry, menial jobs in offices for a number of years after that. So to keep it interesting I joined a rock band and I dreamed every day that I could just quit this job and go on tour. But after a few years that didn’t happen.
Maggie Law: There’s one more chapter I’d like to share about my career journey, and I think it will connect with this audience and the Girl Geek X community in general. I volunteer for a local non-profit called the Women’s Audio Mission, WAM for short. So I mentioned earlier that music played a big role in my career in my early days. And now I have a career in technology. And WAM kind of taps into both of those for me. So that’s very exciting. I’m probably preaching to the choir here when I say that it’s really important to expose women to technology and opportunities in technology, to recruit them into tech jobs, to support them and retain them throughout their long careers.
Maggie Law: But how many of you know that there’s been a 70% decline in young women entering college STEM programs? Science, technology, engineering and math. And I’m not talking 70% decline since like the 60s or the 70s. Actually just since 2000. And even more alarming, within the audio industry less than 5% of all the people who hold technical jobs, like audio producers and sound engineers and mixers, are women. These are the people who shape and define how we hear and what we hear in media every day. So WAM exists to solve that problem, training 2,000 women and girls every year in the only two audio recording studios in the world that have been entirely built and are run by women.
Maggie Law: For the women who go through the WAM program, they’re directly going into pipeline for audio professions, and working on that less than 5% statistic. But for the girls who go through the program, these are middle school and high-school-aged girls, mostly girls of color, most from families that are low or very low income. And WAM has a broader plan for them. It’s not necessarily that anyone expects them to grow up and be audio engineers, although that would be great. But it’s really about using music and creativity to expose them to engineering concepts, to STEM principles. And as you can see from this quote they get pretty cocky. And it’s awesome to see, especially at this formative age where they’re sort of deciding whether this is something that’s available to them. So it’s about opening doors for them.
Maggie Law: I’m currently the president of the board of Women’s Audio Mission. So if anyone’s interested in learning about being on the board, come talk to me. So that’s who I am. But how did I get interested in design and user experience specifically? Well, what hooked me in was human-computer interaction. So, the way I think about this is it’s this magical, mysterious, sometimes very awkward zone in which people and computers stare face-to-face and have a conversation. So, the thing is that computers and people are extremely capable. But we’re fundamentally wired differently. So there’s some things that we’re good at that computers are bad at and vice versa. People are emotional, judgemental, rational. We have empathy. And computers are excellent at crunching numbers and regurgitating really complex long strings of characters.
Maggie Law: So that kind of gives you a sense of how that human-computer interaction conversation can be awkward. And so it really fed into my thinking about what usability means. Because it’s when that conversation goes smoothly. So for me as a user, as I’m using something on a computer it’s easy to learn … Oops. I always do this. It’s easy to learn. It’s familiar, and it supports my efforts in performing my tasks.
Maggie Law: Okay. So let me pause for a second and share with you a story that goes back 15 years. It’s something that was really formative for me as a designer. I’ve tried to keep it with me throughout my career. And I think it has an important lesson. So it’s about my aunt Mary. She’s my design muse. She’s my father’s sister. She’s a professional potter. And she’s one of the smartest people I know. And about 15 years ago … Oh. She also wears the label Luddite like a badge of honor. She’s not an early adopter at all. But she will use technology when she has to. We probably all know someone like this.
Maggie Law: So about 15 years ago I helped set her up with a new computer. It was actually an old computer. It was my old computer, a hand-me-down that I sold to her for pottery credit. And I set it up on her desk. We were sitting side by side. And I booted it up. And what she said as it booted up really surprised me. She said, “Wow. Just look at that pretty blue.” And I’d seen that pretty blue however many millions of times in the years that I had this computer. But it never really occurred to me that this was a moment of delight. For her it really was.
Maggie Law: Also, I’d forgotten to take some of the files off of the computer. And one of them was a picture of cows I guess that I took with a digital camera called cows.jpg. And she saw that and she said, “Cows jumping!” And she also saw some web files, probably from my website at the time. And she saw HTML. And she said, “Hate mail?” So this was actually a really important moment for me. It was an aha moment, because it made me realize that here we are sitting in front of the same computer having an interaction with it, but we’re bringing completely different perspectives, expectations, levels of computer literacy, and mental models to this UI. And there’s a team of experts who put together a UI that needs to talk to both of us and however many millions of other people.
Maggie Law: So that was important, and it really drove home for me how challenging usability can be. So I’ve talked about usability. Let’s talk about security, and how it’s actually really tightly intertwined with usability. Okay, so first, a security primer. There are three basic concepts that you should know about security: identification, who you are. Authentication, a confirmation that you are in fact who you say you are. And then authorization, what level of access that you’ve been granted.
Maggie Law: So, put in another way, if you think about this as that conversation, it’s as though I could sit in front of a computer and I can say, “Hi, I’m Maggie Law.” And it says, “Oh. Are you? Okay Maggie Law. Prove it.” “Sure, here’s my proof.” I might type in my password or maybe put my finger on a scanner. Yup. Checks out. “I’ll unlock the orange door for you. You can go on.” So this is how we walk through the front door of all kinds of systems, multiple times throughout the day. And it paints our impression of that experience. And these front doors are so prevalent, actually, that a famous UX researcher named Jared Spool once observed that probably the most common Agile user story is: “as a user I want to log in.”
Maggie Law: And so I thought, “That’s really interesting.” I went to Google just to kind of check that. And I typed in, “As a user I want to,” and sure enough it auto-prompted two user stories that were exactly that. And he also added a really helpful, important truth here, which is that no user actually wants to log in. It’s really tedious. It’s friction. And it’s annoying. So, let’s talk about these front doors. Because these front doors are everywhere, as I said. And oftentimes when we think about these front doors the first thing we think about is username and password, right?
Maggie Law: So this is an interesting table. This table shows you the most common passwords eight years running, right? So remember what I said earlier about how there’s certain things that humans are really bad at, and one of those is regurgitating really long, complicated strings. And it’s why password managers are really important. It’s why Okta’s really important. I see something like this and I think, “This is people desperately trying to make security usable.” And in doing that they’re compromising their security. So it doesn’t help also when you get these convoluted rules that try to force you to make your password more complicated. This is actually taken from a real example. Probably two weeks ago I had to change my password on a local utilities website. And I could not for the life of me figure out why this password was breaking that requirement. At least one of the following. It’s like, it’s got a plus and it’s got a little up caret.
Maggie Law: And I called the technical support. I spent 10 minutes. The two of us took that much time realizing, okay, it’s that hyphen. But nowhere … That rule does not say you can’t use a hyphen. Nowhere does it say you can’t use a hyphen, so.
Maggie Law: This sucks. So, needless to say there’s an enormous cost to when security is not usable. So for example in e-commerce. Oftentimes today, it’s kind of normal that you’ll see guest checkouts. That’s because they’ve learned that if they put all this friction in front of your shopping experience they’re going to lose a customer. Costly tech support. See earlier memo about my experience, 10 minutes on the call. In fact, there was a survey done in 2014 that estimated the cost to businesses for password problems only, just password troubleshooting, was 420 dollars per employee per year. Just passwords.
Maggie Law: And then it gets even worse if the UIs that admins use to configure these policies, which define how end users get in through these front doors, are not usable, because they might make a policy that’s weak, or broken.
Maggie Law: So, I’ll just end by saying is anyone surprised? And this is the sort of thing that Okta focuses on every single day. We are making it easier to get through these front doors, but not compromising on security by taking the burden off of users. So thank you so much. I appreciate it.
Maggie Law: Okay. So next in line. The next lightning talk, Helen Chen and Angie Song.
Maggie Law: [inaudible 00:29:58]. I’m remembering to take my …
Speaker 5: Oh yeah.
Helen Chen: All right. Well, let’s get started. Hi, I’m Helen Chen.
Angie Song: And I’m Angie Song.
Helen Chen: And before we get started on our talk just a little bit … Oh. I pressed the back button. I just want to start by giving a little bit of an intro on us. So for me I had a little bit of an unconventional path to being an engineer. Oh, wait, first. I’m a software engineer here at Okta. I have an unconventional path of coming to here as an engineer. So I actually started off as an inventory planner. I was an inventory planner for women’s dresses and outerwear at Old Navy and then women’s accessories. And it was while there that I had to do this very time consuming and repetitive task. Hold on one second. Hmm, that was interesting. Oh, [inaudible 00:31:00].
Helen Chen: Something’s telling me my Old Navy experience was kind of sad. Anyways, just kidding. No. I had a great time there. No, I actually really, really heart Old Navy. I’m wearing Old Navy jeans right now. But I had to do this very time consuming and repetitive task. And my manager was fine with me taking time to do it. But I wasn’t. I was like, “I can automate this,” right. “I’m better than just doing a repetitive task.” So I decided to learn enough Visual Basic to be able to automate some of the data cleanup I had to do. And I had so much fun writing code that I quit my job. And went back to school to get my second degree in computer science. And then I came here as an engineer working on our Okta Verify product, which is our version of the Google Authenticator, which is a multifactor authentication app on iOS and Android.
Angie Song: Oh. [inaudible 00:31:47]. Hi. My name is Angie and …
Helen Chen: Maybe you can use mine.
Angie Song: All right.
Helen Chen: There we go.
Angie Song: I eventually went to Berkeley, but not as a computer science major. I started with chemical biology but I decided that I did not want to wait around for four-hour lab classes and compilers run much faster. So I eventually switched over to computer science, graduated with a computer science degree, and I have been an engineer since, and I really like where I am right now.
Angie Song: So today I am going to talk about the principles of creating a secure system and give you some examples. Then I’m going to hand off this talk to Helen who is going to talk about how we balance usability and security at Okta in the context of MFA, or multifactor authentication.
Angie Song: So, the first principle of creating a secure system is that security is like a chain. It is only as strong as your weakest link, so that is where you should focus all of your attention on. Attackers will always follow the path of least resistance. If it is easy to get around they will get around it. So there is absolutely no point in installing top-of-the-line deadbolts on a screen door. Because why would I bother picking the lock when I can just bust through the door. Or maybe just punch through a wall.
Angie Song: In this example, which is my favorite from my college computer security class. A ring of California art thieves completely bypassed the security system that’s installed on doors and windows by taking a chainsaw to the wall. And they just walked right through. And this is not an uncommon attack. I found at least two other examples, one in Chicago and another in Tokyo, where the thieves don’t even bother with the locks and just go straight for the wall. And they just steal everything. So there is absolutely no point in installing a steel fireproof door if your walls are made of brittle plaster.
Angie Song: Which brings us to our next security principle, design security in from the start. At Okta we always ask questions about security in the beginning stages of development, and this is because it is much more difficult to retrofit security into an existing system. A great example of this is actually the internet. In the early days of the internet the only people who had access to the internet were researchers from trusted organizations like government organizations or universities. Because of this a lot of the networking protocols that were designed during this era were built on an assumption that everyone on the internet was trustworthy and cooperative. Now that we have four billion users on the internet of varying characters we are now suffering from the consequences of this early naivety. Spam is a very good example, due to the fact that early mail server architecture was based on an open relay model, which meant it required all the servers to accept email from anyone from anywhere.
Angie Song: DNS spoofing is also a very good example, if you’re familiar with it. You go to Facebook.com but you land here instead. It is as if you looked for the Okta office’s address on Google Maps or Yelp, but it just gives you the address to an abandoned warehouse that’s across the town.
Angie Song: It might be because you maybe accidentally opened the wrong map thinking it was Maps, but it was something else. Or maybe the listing, like Yelp listing, was actually compromised at one point. But either way, you go, because you’re the product of early internet era, you have too much trust. Even though the possibility of a map being wrong never occurs to you … Also, since you have never been to Okta’s office, you cannot verify whether this is the right address. So you happily waltz into the abandoned warehouse and it’s not a good day.
Angie Song: And this is exactly why Okta is pushing zero trust. Never trust, always verify, and enforce least privilege. Do not trust someone just because they are inside the building past the security gate. This guy, this 19-year-old, squatted in the AOL office for two months before he got caught. He initially came into the campus for an incubator program that was hosted by AOL. But then he realized his badge still continued to work even after the program ended. So he decided to stay around for the free food and the internet.
Angie Song: In order to avoid getting caught he worked until everybody had left the office. He slept in couches that were outside of the patrol area. And he went to the gym at 7:00 a.m. every morning. Everybody thought that he was an intern with a great work ethic. Never trust. Always verify. And enforce least privilege.
Angie Song: Least privilege isn’t bulletproof, but it does dampen the effects in case of a security breach. But it doesn’t matter how secure your system is if your users are not using it, or even worse, if they’re like using it improperly. So let’s say your company decides to be secure and they decide to start using Okta. But at the same time, they also decide to implement this password policy. Your password needs to be an automatically generated 17-character-long password with uppercase, lowercase, all of the numbers and hyphens and everything. And it needs to be changed every month. What is going to happen is people are going to start writing down their passwords on Post-it notes and then start sticking them on their monitors because they can’t remember them.
Angie Song: So, this example illustrates the importance of psychological acceptability. In order to make sure that your secure system is effective you have to make sure it is accepted by your users. Another thing that this highlights is that human factors matter. And security systems must be usable by non-technical ordinary people, because they will be used by ordinary people. An average person is not going to remember a 17-character-long password with uppercase, lowercase, numbers, hyphens, everything that changes every month. So when you’re building a security system you have to take into account the roles that humans will play when they are interacting with your secure system.
Angie Song: So. Oh, whoops. So just to recap, security is like a chain. You have to design security in from the start. Enforce zero trust. Never trust. Always verify. Enforce least privilege. Make sure you are thinking about psychological acceptability and human factors, because human factors and usability matter. And with these principles in mind I will now hand off this talk to Helen.
Helen Chen: Thank you. Thank you. Okay, so … Can you guys hear? Yeah. So with zero trust where we never trust and we always verify, it’s crucial that during the verification process we get a very strong assurance that the user’s identity is actually who she says she is, right? And so username and password alone oftentimes can’t give us that strong assurance. What would be ideal is if this user can present multiple different pieces of information to verify her identity. And that is what multi-factor authentication, or MFA for short, is all about.
Helen Chen: So, I log in by giving my username and password. Then I need to give a one-time password that I can get from my SMS message or from Okta Verify, which generates the code. And that is an excellent security practice because in case of compromised credentials your protected resources cannot be accessed by an attacker unless they also steal your second factor. So, it’s a great security practice but only if your human factors actually use it.
Helen Chen: In a 2017 survey only 28% of the participants reported that they use MFA. 2% reported that they don’t use it, but they used to use it. Now, over 50% of the participants said that they’ve never heard of MFA, which is why they don’t use it. But that means over 15% of your users have heard of MFA and are saying no to it. All right? So, well, it’s not a secure practice if people aren’t using it. Why?
Helen Chen: The problem is users can think of MFA as friction, right. I already gave you my username and password. What more do you want from me? This is really annoying. In fact, someone was so annoyed by Apple’s MFA experience that he’s suing Apple over it. I am not kidding. So usability really matters, right? MFA is only going to be a good secure process if your human users use it. It needs to be usable. And if you look at his description of the MFA process from Apple you can tell that he … It doesn’t matter if this is actually the experience. He saw it this way. He found it not usable. So, we need to make sure when we design an MFA experience it needs to be smooth.
Helen Chen: Okay. Let’s say we took care of that. We have a really good MFA process and no one’s going to sue you over it and they like it. But you still have this problem that if you don’t have the factor you can’t use it. So let’s say your company enforces MFA and you have chosen to use Okta Verify as your second factor. So you go to work and you realize, “Oh, I left my phone at home. And now I can’t log in. I’m going to have to tell my managers [inaudible 00:42:57].” It’s okay. You can go home and get your phone.
Helen Chen: But what if you lost your phone, or it got stolen, or no, you didn’t lose your phone but you bought a new phone. But you already traded in your old phone? Now you can’t log in. You can’t even go in and reset your factor. You’re going to have to call your IT admin. That is the opposite of frictionless. And it’s costly for the company. So that is definitely a big problem with MFA.
Helen Chen: Now, people might say, “Look, if you had used SMS as a factor this last case of no longer having your phone is not going to be a problem because you can port your number to a new phone and you’re good to go.” Problem is SMS is actually not a very secure factor. It is susceptible to social engineering and SIM hijacking. An attacker can pretend to be you, call AT&T, and port your number to their phone. Now you’re pretty much hosed. But SMS is easy to use because you can see in the same survey, of all the people who use MFA, 86% use SMS as a factor.
Helen Chen: So here’s the problem with MFA, right. It is a good secure practice, but only if your human users use it, and that means it needs to be usable. But it can’t be so usable that it’s no longer secure. So we have to delicately balance usability and security with multi factor authentication. So, what are some ways we approach this problem here at Okta?
Helen Chen: So, first of all, MFA is better than no MFA, right? It’s still that extra step that you have to take to log in and to verify your identity. So, with that in mind, we do offer all the factors, even if they’re not all created equal, right. The idea is if you get your users used to MFA, even if it’s SMS, right, once they are used to this concept of MFA they are more likely to accept a more secure factor such as not just an authenticator app, but also a U2F key. And we do see promising data here.
Helen Chen: So this is from our Businesses at Work report, where we aggregate all the usage data of Okta customers. And we do see that for our customers who start off implementing less secure factors, like SMS, within three years over 70% of them have started implementing the more secure factors. So that’s good news, right? So start them off and then ease them in.
Helen Chen: And one other way we help with that easing in is we do have a grace period for factor enrollment. So, again, we can slowly ease people into different types of factors, get them to adopt other forms and more secure forms. So you sign up for SMS, and your admin can set a policy that gets you to enroll in another factor. But you’re not forced to right away. Like your user can actually defer it, and when they’re ready they can … Like within the grace period they can sign up for like a U2F key or Okta Verify.
Helen Chen: And the other added benefit of a grace period in encouraging people in enrolling like not just one or two, but two or three factors, is you’re less likely to be locked out. If you got a new phone but you have your U2F key then you’re okay, because you can log in with your username, password, give the U2F key, and now that you’re logged in you can reset your factor and now install Okta Verify on your new phone. So no friction there.
Helen Chen: But one caveat is by having multiple factors, your weakest link will be your weakest factor. And also, having a grace period means you also allow users to enroll in your factor when it’s a good time. Like for example, if I’m a student who needs to log in to turn in my assignment, which is due in one minute, and all of a sudden a popup comes up saying, “You need to enroll in a factor,” I am probably going to be a very unhappy student. So having a grace period will allow the student to log in, turn in homework, and then will prompt them again to sign up for a factor.
Helen Chen: But, let’s also think about the necessity of providing a second factor, right? What if there are certain situations where we deem it is less risky, and we can actually just be okay with username, password. It all depends on context. So, we do want to match the amount of authentication we have to do based on your risk profile. So let’s say you’re a known user, you’re logging in from a device that we’ve seen before. It’s in a location that … You know, because you’re at work it’s the same location. Everything checks out. Then maybe we are okay with just username, password, because it’s a low risk.
Helen Chen: But let’s say it is still you, it’s still on the same device, but it’s not a location like your work. Like maybe you went to a coffee shop to work or something. So it’s a new IP. And you’re also accessing, I didn’t mention this earlier, but before you were accessing like let’s say your email, O365. But now you’re accessing like AWS S3, so it’s a little bit more sensitive app.
Helen Chen: So now we’re going to challenge you with Okta Verify with Push. Because it’s a slightly higher risk situation. But, this is possibly a sign that someone is actually trying to compromise your account, because there’s like a lot of login, a lot of repeated logins from a new device. All these signals are showing high risk. In that case we’re going to challenge you for two factors, right. Not just username, password. You got to do Okta Verify, and then you got to do your YubiKey.
Helen Chen: So, that’s MFA in a nutshell, and also how we approach it. I hope the takeaway from my talk is you will all use MFA, even if it’s painful. But it definitely will protect your account. And with that, I’d like to pass it off to Jade.
Jade Feng: Thank you. Hey, good day. How are you guys going? I realize you guys have been sitting around listening to people talk. But hopefully this is something that might be interesting. So, good day. I’m Jade. I’m from the product management team at Okta. And my team actually owns end user experience. So all of you folk who put your hand up earlier, if you have complaints on the product or suggestions, like please come to us afterwards, but not really. I’m kidding. I’m kidding. I’m kidding.
Jade Feng: No, no. But to be real, we’re doing a lot of usability tests. So if you’d like to give out your feedback please come to me afterwards, or Maggie. And we’d love to chat to you.
Jade Feng: So, cool, cool, cool, cool, cool. Let’s talk about accessibility and this new hot topic on design or product that keeps going around. But like what is it? Like who knows what inclusive design is? Cool. So about 70% of you didn’t put your hand up. And that’s okay because I was in your shoes a year ago. So I would like to kind of give a 101 on what accessibility is, why it matters, and things that you can take away today, after this 10-minute conversation, tomorrow. Or tonight if you’re feeling really ambitious.
Jade Feng: So, a bit about me. I’m Jade. Hi. I’m Australian, hence my strange accent. From Sydney specifically. And when I was in college I actually had no clue what I wanted to do, as I guess most of us feel. So I tried all sorts of things from like investment banking to actuarial consulting to marketing to … Yeah, so on and so forth. So I was like, “Oh, what’s this tech thing?” Mind you, I’m from Australia, okay? So the whole, the kind of like prevalence of tech was really not there. So I ended up starting a couple of startups. Not all of them were fabulously successful like Okta is. And I kind of realized that to build a really world-changing, like world-influential company, I have to come to the Valley.
Jade Feng: So I came out to San Francisco. I became a product manager for an API product in a consumer tech startup. And now I’ve been at Okta, and I love it. So if any of you are looking for product management careers we’re hiring. Please come talk to me afterwards. It’s awesome. Cool.
Jade Feng: So, let’s start with this. What do Beyonce and Harvard have in common? So, some suggestions out there. But they were both sued for non-accessibility compliance. Yeah. No way you guys were expecting were you? So, yeah. Yeah. So accessibility, not to stand on this kind of foot, but it’s really important for our businesses, right. So it’s not just about the sexy new design buzzword that’s going around. It’s really critical. It’s really critical for our customers and our users, and also for not getting sued. So let’s look at these three people. We’ve got Stephen Hawking with ALS, this nice-looking kid with a broken arm, and Naomi Watts walking out from Whole Foods with a month … Like maybe like two days worth of groceries.
Jade Feng: So out of these three, which one do you think has limited mobility? So who thinks it’s Stephen? Who thinks it’s the kid? Or who thinks it’s Naomi?
Speaker 9: It’s all.
Jade Feng: Or who thinks it’s all of … Brilliant. Awesome. I wish I had more prizes to go around. I’ll come up with something later. So yeah, exactly. So like our relationship with disability is deeper than just like, “Oh, she has a broken arm,” or, “Oh, you were in an unfortunate circumstance.” All of us can benefit from the products that we use thinking about these moments of need. So, the cool thing, if you guys take one thing away from this talk, is that the idea of disability is deeper than just what we thought about on ramps or elevators. The idea of web accessibility is that people with disabilities, both permanent and temporary, can use the web equally.
Jade Feng: And when we actually think about it in terms of numbers, if you want to look at that: 15% of the world’s population has some form of disability. Now, think about your users. For 100 users, 100 users that you have, 15% of them, 15 of them, need you to think about this for them, right? To be successful with your product.
Jade Feng: So, why is it important if you have to show about numbers. Well, if you are in enterprise or government or governance or education-based industries, or financial as well actually, this is kind of critical for you to even be considered for those deals, or even be considered by your customers. And you’ll also [inaudible 00:54:18] for lowering your support cost, or in our case our customers’ support cost.
Jade Feng: It’s important for your brand image and doing the right thing as society and as people in our positions who are building products in service of other people. And of course, avoiding lawsuits. So to give you an idea of scale, there were over 8,000 lawsuits on ADA, accessibility compliance, just last year alone. And that has grown significantly year on year. So cool.
Jade Feng: So, again, the one thing, the really one thing about inclusive design that if you want to have a conversation or coffee with your colleague tomorrow, is that the idea is that everyone, everyone will have a better experience with thoughtful design, with thoughtful layout, and thoughtful consideration of other use case and users’ needs. That it’s not just about those with disabilities or those kind of circumstances.
Jade Feng: So, cool. But about those people, how do they currently like get around and use the products that you build today? So, if they have a visual disability they can use things like screen readers, which can be built into the device or purchased on top. Zoom capabilities to make the text more readable, or physical magnifiers. If they have hearing disabilities then they can use hearing aids or implants, or things like closed captions and subtitles. And people with mobility disabilities, then they can use things like track pads, special keyboards, hands-free interactions like things that track your eyes, or head and mouth pointers.
Jade Feng: But here’s the thing, right. Here’s the thing. These don’t just benefit people with disabilities. When’s the last time you’ve seen like, I don’t know, a news document that had really small fonts so you like zoomed up the page, right? When’s the last time that you were maybe watching Netflix at 4:00 a.m. in the morning and you didn’t want to annoy your roommates so you may have turned on the captions? I don’t know. Who does that? So yeah, closed captions are also like something that we all benefit from. Or things like who uses Slack at work and like uses all the little keyboard shortcuts and scrolls through to like quickly access and chat to your designer because you need help and don’t know where to go, so please help me. So you like try and like use keyboards or little shortcuts that you know to work faster.
Jade Feng: So, cool, cool, cool. So now we talked about why it matters and how it not just benefits people who need your help, but also the majority of your users. So then what are the standards? What does it actually even mean to be accessibly compliant? Like what does that mean, right? So the great thing is that there’s a lot of people who have kind of done that work for us actually. And around the world there are all these different laws which sometimes you have to practice, or like sell in these countries you need to think about these laws. But the great thing is that they’re all kind of based on the same guidelines, which is the Web Content Accessibility Guidelines or WCAG 2.0, upgraded from 1.0.
Jade Feng: And this was a set of guidelines built by the World Wide Web Consortium, which is a great breakdown on like what are the things that you need to think about. And the kind of like … And I’ll kind of talk through some of them later. But it’s a great framework to look through on like really basic things that kind of make sense to you once you read them.
Jade Feng: But the core pillars of them are around these four key principles on perceivable, operable, understandable, and robust. So, those are nice words. What does that mean? So perceivable means that it’s something that a user can see or listen, or listen on the product that you provide. Operable means that they can interact with it. So things like the keyboard shortcuts, things like being able to work with voiceovers and so on and so forth. Understandable. So, things like if they see it can they comprehend what the intent of this product is meant to do, right? And finally robust. So it has to be able to work with multiple devices and multiple platforms, right?
Jade Feng: So these are the core things that like when they think about these standards that we want to think about. And I think anyone who builds products or cares about delivering things for your users, the protocols are just general design principles of building good things, right? So, again, good accessibility is an extension of good user experience. It’s not an extra cost on top. It’s an extension of building the right thing and building good products.
Jade Feng: So, cool. Now what? Great, great, great, great, great. Inspire. Let’s do this. There are some things you can just take away from this. Like, one, if any of you are front end engineers, if you guys are using basic semantic website architecture, keep it up, great work. I know it also makes your life easier, so just keep it up. And the reason is because like this is kind of how things like voiceovers actually are able to like read your page, or read your product really quickly and hop through it.
Jade Feng: Other things which were new for me, actually, was think about using accessible colors and contrast. So there’s a thing when you think about the background color and the text color, there are a lot of great tools online which like help calculate the contrast ratio. And for someone who has colorblindness, which is like 8% of the population, it will make their life so much easier. And also just makes it more readable, right. Because not everyone’s screen is LED perfect. So, yeah. Which kind of on the same thread, try not to use color alone to make critical information understandable.
Jade Feng: So when you’re making spreadsheets, when you’re making charts, right, color alone is actually really hard. And I’ll kind of show you why. So here you can see someone, like the normal sign-in form and somewhere like, oh, you screwed up your password or something. Or your email. For someone who’s red-green colorblind, where do you even start there, right? So for the few things like text for error messages, or like dive-ins for the user to be able to figure out, oh, like this is where I should go fix it, don’t just depend on color to convey that message.
Jade Feng: And then on that thread of like just using color, like you can see between these two charts, if you’re colorblind it’s kind of really, really hard to do your budget there. So not exactly sure what’s going on. So, yeah. Another quick win is something like using alternative text for images and non-text content. And it’s easy. You just like add an aria-label or a tag to the HTML doc just saying, “This is a horse that eats hay.” Or, “This is my avocado toast.” And all that does is it gets read by our screen reader. But also people who are in places with low bandwidth, or if hypothetically I’m on the BART home and I’m in a place with low wifi and everything’s not swirling fast enough, the text gets released, which means that I can still see and interact with that content without needing the high connection.
Jade Feng: And things like typography. So even basic things like basing on serif and sans serif fonts really helps with people understanding legibility and the content, without having to think about it. And there’s no great guideline on font sizes, but just aim for like 16 pixels plus. It’s just a good framework to go. And lean towards leveraging line heights. It just helps with comprehensibility and quick reading. So it will help you get your message across more clearly. And also design with focus [inaudible 01:03:06]. So when a user is tabbing through a product, like let them know where they’re tabbing. Let them know they’ve used a keyboard and how we can get them through. And make it keyboard navigable. So, yeah. Cool.
Jade Feng: So, again, building an accessible product really benefits everyone. And what can I do now about it? So there’s some really great, if you guys use Chrome, there’s some really great plugins that you can just like download really, really … well, for free really. And you can just like use that on your own websites, or the websites that you like to use. And just see how you go. And that’s kind of how I actually got started with my own journey with accessibility. Just seeing what’s out there, and seeing how are our products doing, and what could we do better. And going from there.
Jade Feng: So the journey, if there’s one thing I would like, one more thing to conclude, the journey towards accessibility is a journey, right. You’re not going to be compliant from day one. And even for us at Okta, it’s really hard. Like there’s things that we miss all the time, and there’s considerations that we learn along the way with our users. But the one thing is that if you’re mindful of it and you understand at least the problem, and you kind of consider it, at least, that’s one step along the way. And the rest of it will just follow. So, thank you. Hope you learned something from that. And I’d like to pass on to Sara.
Sara Daqiq: Thank you. [inaudible 01:04:51].
Sara Daqiq: Hi everyone. My name is Sara, and my last name is Daqiq, and I’m a developer support engineer here in Okta. What that means is that if you’re a developer and you guys are using our API or any of our platform product, you guys have a question [inaudible 01:05:10] and say, “Hey, Okta. I found out that you have a bug in your SDK.” I’m like, “Oh, do we?” And then I look at it and see, “Okay. We have a bug in our SDK.” And then I communicate it to our product manager, or vice versa. I’m from Afghanistan, hence my strange accent. I’m going to talk to you guys about what we do when we talk about identity, and how we securely transfer identity between platforms. That’s what Okta does, right? Most of you use Okta. When you log in through Okta there’s a chiclet. You click on that chiclet and it goes to whatever app that you want to go to. So in the backend there is some communication that’s happening. That’s why we say, “Never build OAuth. We will build OAuth for you,” right? What does that mean? What do we do in the backend?
Sara Daqiq: And this is just one way of us doing it. There are other ways as well. But we are going to just cover one of those. So the problem that we are trying to solve is that in today’s increasingly SaaS-based society, we need to transfer identity information or any information securely between sites. How do we do that? How do we transfer that data? And from a UI perspective, how do you, when you click on a chiclet in your Okta dashboard, how does it go to a different app?
Sara Daqiq: So by the end of this talk I’m hoping that I can convey what OAuth is, what OIDC is, and what JWT is. You will know hopefully by the end of this talk. So, around 2007–this is Yelp. Yelp is trying to get you to get to your friends. They want you to convince your friends to sign up with Yelp. And they’re asking you for your email address and explicitly for your Gmail password. What could go wrong with that? Can you guys guess? Right? Yeah. So I guess everybody got that.
Sara Daqiq: So they were asking … The problem with this is, some of the problems that I can think of just off the top of my head, is that you can only revoke their access by changing your password. Yelp can store your password in plain text, and you cannot revoke their access unless you change your password.
Sara Daqiq: So people came up with different solutions, different ideas. Different companies had their own solution. And then at the end they … So fast forward to OAuth1. OAuth1 we don’t care about because we are not using it anymore. So what is OAuth2, right? OAuth2 is transport-dependent, and unlike OAuth1 it’s much easier to work with. And it supports native apps. Who can tell me how many apps were in the App Store around 2007? Zero. Because the smartphone came out around 2007 and for a while they had their own apps only in the App Store. So there was a new problem to solve and that was native applications, right?
Sara Daqiq: And so OAuth2 solved all of it. The cool thing about OAuth2 is … Hmm. I fixed this font. I don’t know why it didn’t get fixed. So the cool thing about OAuth2 is that it’s transport-dependent. That means that it relies on HTTPS to securely exchange data. And it’s good as a foundation. So on top of that you can use JWT or JSON Web Token. On top of that you can use OpenID Connect, an identity layer on top of OAuth. And on top of that you can use native applications. Please excuse my formatting here. Okay.
Sara Daqiq: So, let’s look at what that means, right. So let’s, in real scenario I’m a hotel manager. I delegate access to a handyman who can get an access key from the hotel receptionist to go clean the house, or my hotel room. So how does it look in an app form is that I’m a user. I delegate access to Yelp so Yelp can go get my token or information, my key, from Google, so Yelp can change content in my Google calendar. So imagine I’m subscribing to an event. Yelp can now create an event or block an event in my Google calendar.
Sara Daqiq: So in the UI it looks like this. You guys have always seen this right? Sign up with Google. Sign up with Facebook. When you click on that it’s basic, what you are saying is that I trust Gmail. Gmail has my data. And I want Gmail to send my data that he has to Yelp in this scenario. Okay, so what happens in the backend when you click on connect with Google, or sign up with Google, right. Let’s say in this scenario we’re asking this Google to just give us the profile information and the contact information of a person. You can limit it to however much you want. However access you want for a person, right? Either read or write or whatever.
Sara Daqiq: And then it redirects you to a Google page. Google says, “Okay. Put your username and password so I know you’re the right person.” And Google says, “Okay. Are you …” When you put your username and password Google is going to ask you, “Are you sure to give your data to Yelp?” And I’m going to say yes. And then it gives me a key. And then I can use that key to go to Google and get the contacts from that Google, the Google profile, right. Or Google API.
Sara Daqiq: So the key is given in this scenario. So it’s basically a redirect URL, so when you’re trying to code it it’s just a redirect URL that you need to configure. And you will have a Google URL. You will have a client ID which is an app ID in Google. You will have a redirect URL. That means that when you get the key or the token where do you want to send? Where does Google want to send that information? And then you will have the scope. You can limit it. You can say, “Okay, this person can have read scope. That person can have write scope only.” And then you’re going to say response type. Do you want just the token? Do you want ID token? Things like that.
Sara Daqiq: So before we see what the response to this will look like we need to know what JWT is. Because the response to this is going to be in a JWT or JSON web token. And [inaudible 01:11:40]. So what is JWT? JWT is just a JSON object. It’s digitally signed and it can be encrypted. So the format looks like this. There is a header and then you have the payload, which gives you the data information that you have. And then there is a signature.
Sara Daqiq: Okay. So there is a header, payload, then signature. There is supposed to be an encrypted string here. Okay. So when you decrypt that string though, this looks like this. You have the user information and you have the key and just a JSON object, right? In reality it’s like your ID or a driver license. You have the name, you have the expiration, you have the header and the signature that proves that you are the right person. So that’s JSON object, right.
Sara Daqiq: The token life is [inaudible 01:12:42] cable. So, just so I am clear, if you go here this is the response to that URL that we created earlier, the URL that we created with the redirect and everything, right? So it’s just an ID token in form of … Or an ID in form of tokens.
Sara Daqiq: The cool thing about this token is that you can revoke it anytime. If you don’t like it, tomorrow you change your mind about giving somebody access, you can revoke it. You can extend it if you like. We can extend our token an unlimited number of times. And you can separate the roles. So you can do read access, you can do write access, or all access if you would like.
Sara Daqiq: So the answer to our question is, what is OAuth? OAuth is how you delegate authentication to another site. What is OIDC? OIDC is the information about the person that you get. So it’s the identity layer on top of OAuth. And then JWT is just the way that the two formats communicate. It’s a JSON object which is encrypted.
Sara Daqiq: These are the resources where you can learn more about these authentication methods. And we are also hiring on my team. My manager’s promising a lot of money for referrals. So please do me a favor and talk to me so I can refer you guys. All right. Thanks.
Mindy Lieberman: So I want to thank all our speakers. Were they not fantastic? Yay! And come on up here for Q&A. Okay. We’ve got one right here.
Maggie Law: Jade might be outside.
Mindy Lieberman: Like this. Okay.
Speaker 11: So, kind of as like security experts, OAuth experts, all of that, I wanted to ask for advice. I find myself trying to kind of try to balance these days between having a set of passwords that I know and can remember and follow a pattern that I can keep track of, versus just kind of delegating everything to password managers. Both scenarios make me feel vaguely uncomfortable and seem vaguely insecure. So like what’s your advice, just as consumers for balancing those security-like approaches, or any other suggestions you have.
Mindy Lieberman: Who wants in? Oh.
Jade Feng: Yeah. Absolutely relate. Like totally relate. There’s a few things on the thread of password managers, that there’s some password managers which have some protections built in that help protect your data from even getting breached in the first place. So like 1Password for example, where they allow a device level … What’s it called? Zero. Not zero trust. Awkward. Sorry. Look at the password managers that you use, and what are their security policies. And how like [inaudible 01:16:08] all white papers out there can talk about that. But this will only solve your problem of like how do you manage it. I can say that all of us kind of have our own patterns. And there’s a lot of suggestions online on how you can do that. The iterations of like tiering mentally, like the kind of accounts that you have and kind of use and customize the password according to that and things that you can remember. Something else is about how we think about it at Okta is that we’re actually trying to move away from passwords, right. Our vision for user experience and security is like passwords, again–It’s something that you know, and something that someone can steal. So we’re trying to find solutions in the market and in the product to like help you and also other companies be able to find better ways to authenticate you and move away from that altogether.
Angie Song: I’m just going to add to that, if you’re particularly concerned about your own security, there’s this website called haveibeenpwned.com. It’s by a security researcher called Troy Hunt. So you can subscribe for alerts there and see if any of your accounts have been compromised. So, first of all you should not be reusing your passwords. But it’s a good idea to subscribe to, I would suggest, in case like one of your accounts becomes compromised; then you can just go ahead and change the password.
Jade Feng: Sorry. The thing I was talking about, check out something called Trust No One. That’s a thing that a lot of password managers like follow, which is the idea that if they even get broken into your passwords will be safe. So at that point, yeah. So that won’t be compromised.
Helen Chen: I mean, just to go back to kind of what we presented. Remember like the weakest link, right. So if you choose your password manager, don’t just choose any of them. Make sure you research them, right? Because that is going to be your weakest link. If they have something that is … If you have a password manager solution that is device specific … Because anything that goes to a Cloud, that is your weakest link, right? So I know my husband has like his passwords on like his own USB key that also requires like encryption to get in. Like that’s going to be safe. I mean, you better not lose that key, but that’s safe. But also, because I’m an MFA girl, have MFA, right? Seriously, have MFA. Let’s say you’re lazy and you just use the same password for certain things, and it got hacked. But you feel better if it’s like your banking account and you have MFA on it. You should be good to go. So use MFA.
Mindy Lieberman: Okay. One more in the front.
Speaker 12: So, I’m not a huge fan of MFA because we have so many devices that are linked to the phones, to the iPads, to the Apple computers. I’ve lost my phone but still been able to use my devices because I’m receiving all my messages on my phone or my iPad. So my question is, like, even though I’m using MFA and I can receive texts, are you using any kind of AI or machine learning to detect security penetrations once you’re already in whatever system you’re logged into?
Jade Feng: I feel like that’s a roadmap conversation. Yes. Absolutely. So something that we’ve been … Developed from the perspective of Okta or is it something like the industry in general? Because I think I’m … Okay. So there’s a lot of things all companies can do, which is like device-based trust. So there’s things about the device sort of ID or characteristics on where you’re logging in, the device you’re logging in, what is the behavior logging in, that can like determine whether or not you should even get prompted for MFA. And also something about MFA is that it’s not the push side of things or tech side of things. Only one way in which you can MFA. There’s other things like a YubiKey, which is this token-based device that is also becoming a lot more popular, where if you have this thing plugged into your computer, seamless, you don’t even notice it. It just knows that it’s you. Or things like biometrics, right. So on your phone, Touch ID, exactly, Face ID. That’s enough. That’s all we need to be able to verify that it’s you. And that’s kind of what Maggie was saying about the layers of verification. We just want to know that it’s definitely you, and not just someone who stole your password from a Post-it note you left on the door. So yeah.
Mindy Lieberman: One more.
Speaker 12: Thank you.
Mindy Lieberman: Okay.
Speaker 13: One thing about accessibility that occurs to me is we think about how to make sure a differently-abled person can use a website, but as regards security, have people thought about how to help a differently-abled person prevent being scammed? Prevent being, like, when they open an email, maybe the email is reading them the URL. Like, “Oh, your account’s compromised. Click here.” Is that something that’s been thought about for accessibility issues?
Jade Feng: I want Maggie to answer that. As I’ll be [inaudible 01:21:29].
Maggie Law: Thanks for the promotion. I actually, I haven’t really explored that topic. It’s an interesting one to think that there might be some way to spoof that maybe from a screen reader’s perspective there’s a different message than the one that you see. So, yeah, it sounds like a fascinating topic. It sounds like it’s absolutely something worth looking into. Thank you for raising it. I have nothing of substance to add, except that that’s a really-
Speaker 13: It’s one more thing to think [crosstalk 01:22:06]-
Maggie Law: Yeah. It’s one more thing. And it’s actually … I mean, it kind of underscores the sort of black swan problem, which is like you have to constantly be trying to think of things that never occurred to us. What are the things that we haven’t yet anticipated. It’s an impossible thing to do but we can’t stop doing that, so thank you for asking the question.
Mindy Lieberman: Last question.
Speaker 14: So, I have a question, but before I ask the question I wanted to say that I really … This is my first Girl Geek dinner, and I really appreciated the fact that you guys told your personal stories before you told the rest of the story. But the question that I had is, I did a very short project on disability adaption and … Adoption. And one of the things that we had to go through was make sure that it passed the test. Like there was a third-party vendor that kind of did the test. So did Okta also do the test, and like … Oh yeah. Is that like a standard that’s set? I mean, at the time when I was doing the project I wasn’t sure of it, but is that like a worldwide standard or is it like a U.S. standard?
Mindy Lieberman: Do you want to answer that? [inaudible 01:23:21]. Thanks.
Jade Feng: So, there are … You know the slide with all the flags on the screen? So, a lot of countries have different standards around ADA. But they’re all kind of based on this core standard, which is called WCAG, Web Content Accessibility Guidelines, which if you just Google, it comes up with this PDF document. So those are the standards that have been set by the World Wide Web Consortium, which just comes up with like best practices on what you should do. So when things about accessibility and how we build into it, also answering your question earlier around security versus accessibility. Yup. There’s no good answer. But I think what we try and do is that we actually … I mean, because we’re a bit bigger and we’re a security company, we do have a security team. So we work with the security team to estimate like some of these things, like if … I’ll give you an example. So there’s a feature that we’ve released called Show Password Toggle, which like shows the password. Shocking. So like if the user entered their password you can fat finger, right? And then you like, with this button you would be able to see it briefly.
Jade Feng: And this went through a very quick security review. And kind of what the balance between security and usability is, is that there’s like a seesaw. Because the risk of someone … Like where do most compromises come from? It’s actually from like when someone like hacks you from a different account, and then like uses it on your work email because they found out your email through like LinkedIn, right? And then like uses that to try and penetrate you. So it’s not really like people like watching you over your shoulder or while you’re like typing in your password at work.
Jade Feng: So at that point, like that’s kind of what you can do. Like think about what is really the biggest point of risk in my product. What’s the biggest point of risk for compromising my data, my users. And think of like how much of this particular feature really solves for that, if at all. And in that case, it’s more of a usability benefit that a lot of our people can make their lives a little bit easier.
Mindy Lieberman: And with that thanks to Girl Geek X. This is our Okta-style version of Girl Geek X dinner. Thank you so much for joining us tonight. And let the mingling begin.
Pictured: Jade Feng (Product Manager), Angie Song (Staff Software Engineer), Helen Chen (Software Engineer), Mindy Lieberman (Vice President), Sara Daqiq (Developer Support Engineer) and Maggie Law (Director, Product Design) at Okta Girl Geek Dinner 2019.