Account security is difficult. Make the requirements too onerous and no one will adopt your solution; make them too simple and fraudsters will circumvent whatever protection you provide. In this post we’ll discuss how to use features of the Authy product suite to protect both regular and high-value users. Before we outline that approach, it helps to understand how the Authy user model and the multi-device feature work.
Authy User Model
There is a one-to-one correspondence between a user’s phone number and their Authy ID. The Authy ID is created (or returned, if that number is already registered) when you register the user through your service’s workflow. This Authy ID is central to how the Authy API interacts with end users.
If you’re initiating two-factor authentication (2FA) via any of Authy’s authentication channels, the Authy ID is the only piece …
Twilio helps a variety of customers in combating fraud. From banks to dating apps, customer use-cases and approaches to addressing fraud can vary, but there are certain best practices that are almost universal. Below are a few of the suggestions we make when engaging with customers.
Number Format Standardization
There are many ways a phone number can be formatted. To ensure that each number is a globally unique key, store it in the format referred to as E.164: a leading “+”, the country code, and the subscriber number, with no spaces or punctuation and at most 15 digits in total. You can check whether a number is valid as well as correctly formatted with the basic Lookup API call. Basic Lookup is a thin wrapper around Google’s libphonenumber library.
Using basic Lookup is a free, programmatic way to prevent obviously fake and invalid numbers from signing up to your service.
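The canonicalisation step the paragraph above describes, as an added example that is not Twilio’s code: it rewrites the various ways users type a number into E.164 form and rejects anything that cannot be expressed that way, so that the column you key on holds one form per phone. It only normalises formatting; whether the digits are an allocated number is still a question for Lookup. The sample inputs are constructed, and the trunk-prefix handling for bare national numbers (drop leading zeros, prepend the default country code) is an assumption that holds for most but not all numbering plans.

```python
import re
from typing import List, Optional

# Constructed sample of the ways users type phone numbers into a signup form.
SAMPLE_INPUTS = [
    "+1 (415) 555-2671",        # already E.164, just punctuated
    "001 415 555 2671",         # "00" international dialling prefix
    "415-555-2671",             # bare national number, needs a default country code
    "+44 20 7946 0958",         # non-NANP number
    "+1 415 555 2671 ext 12",   # extension: not representable in E.164
    "+0 123 456",               # country codes never start with 0
    "+123456789012345678",      # 18 digits: over the 15-digit E.164 limit
]

# E.164 is a leading '+' followed by 1 to 15 digits, the first of which is non-zero.
E164_RE = re.compile(r"^\+[1-9]\d{1,14}$")


def normalize_e164(raw: str, default_country_code: Optional[int] = None) -> Optional[str]:
    """Return the E.164 form of a user-typed number, or None if it cannot be one.

    Assumption: a number without '+' or '00' is a national number in
    `default_country_code`, written with a trunk prefix of zero(s) that is dropped.
    """
    s = raw.strip()
    # Anything beyond digits, '+', whitespace and common punctuation (letters,
    # 'ext', ';', etc.) is rejected outright rather than silently stripped.
    if not re.fullmatch(r"[+\d\s().-]+", s):
        return None
    s = re.sub(r"[\s().-]", "", s)
    if s.startswith("00"):
        s = "+" + s[2:]
    elif not s.startswith("+"):
        if default_country_code is None:
            return None
        s = f"+{default_country_code}{s.lstrip('0')}"
    return s if E164_RE.fullmatch(s) else None


def unique_numbers(inputs: List[str], default_country_code: Optional[int] = None) -> List[str]:
    """Deduplicate user-typed numbers by their E.164 form, dropping invalid ones."""
    normalized = (normalize_e164(i, default_country_code) for i in inputs)
    return sorted({n for n in normalized if n})


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print(f"{raw!r:30} -> {normalize_e164(raw, default_country_code=1)}")
    print("unique:", unique_numbers(SAMPLE_INPUTS, default_country_code=1))
```

Run the normaliser before the Lookup call, not instead of it: Lookup is what tells you whether “+14155552671” is a real, reachable number, while this step guarantees that two users entering the same phone with different punctuation collide on the same key.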
FreeRADIUS is the most widely deployed RADIUS server in the world, supplying many Fortune 500 companies and Tier 1 ISPs with the means for world-class authentication. With more than 50,000 sites and over 100 million people using FreeRADIUS to access the internet, that’s a lot of authenticating.
Twilio has recently developed a solution which extends the FreeRADIUS tooling to request a second factor when authenticating, either via a push notification or via a TOTP (time-based one-time password) generated on the user’s phone. This solution works with both OpenVPN and Cisco AnyConnect VPN.
Choose your 2FA Flavor
We designed the Twilio / FreeRADIUS integration to work in one of four ways. Our TOTP solution works with Authy SoftToken, our most popular user-facing 2FA app. If you choose to offer a push-notification technology, you’ll be working with our Authy OneTouch product. Below you’ll find outlines and flow diagrams of these approaches. And you …
While we may not admit to ever uttering the cliched phrase “teamwork makes the dream work,” we absolutely believe in the power of teams. That’s why Twilio has made it simple to configure and manage the team you have assigned to access your Twilio Console.
For purposes of this post, we’re focusing on account setup and user management in relation to Twilio’s Authy two-factor authentication (2FA) solution, but the processes outlined below apply to all users of the Twilio Console regardless of the integration you’re working with.
If this is your first time setting up a Twilio account, you’ll have to enable 2FA in order to create an Authy app. View our blog article about “Securing your Twilio Account With 2FA” for step-by-step instructions.
The Single-User Tenant is the most common user type on the Twilio platform. In this scenario, the user acts as the account administrator, …
Twilio customers have several options for using devices to authenticate users. Here’s how to onboard your users with our best known solution, Authy two-factor authentication (2FA).
When users enable Authy 2FA, your app will need to register them. This is done via a REST API call in which Authy returns a unique AuthyID for the given country code and phone number. Store it alongside the user record in your database; all future 2FA requests use this AuthyID to initiate the second factor.
- User enables 2FA by providing phone number, country code and email address
- Your application backend calls Authy API with your Authy API key
- Authy returns unique AuthyID
- Store this value in your database with the user account information.
To confirm a successful registration, require users to authenticate with a second factor. Here’s one way:
- Request an SMS or Voice 2FA to be sent …
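The registration-then-confirmation flow laid out in the two lists above, carried through end to end as an added example (not Twilio’s sample app or the Authy SDK): register the user with the API key, store the returned AuthyID next to the user record, request an SMS token, and only flag 2FA as confirmed once a token verifies against that AuthyID. The endpoint paths, parameter names and response shapes follow the Authy REST API as it was documented for this flow and are assumptions to check against current docs; the `FakeAuthyTransport` is a constructed stand-in for the service so the example runs offline.

```python
import json
import urllib.error
import urllib.request
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode

# Assumed base URL and paths for the Authy REST API.
AUTHY_BASE = "https://api.authy.com/protected/json"

# (method, url, api_key, body) -> (http_status, decoded_json)
Transport = Callable[[str, str, str, Optional[bytes]], Tuple[int, dict]]


def http_transport(method: str, url: str, api_key: str, body: Optional[bytes]) -> Tuple[int, dict]:
    """Real transport: the API key travels in the X-Authy-API-Key header, never in the URL."""
    req = urllib.request.Request(url, data=body, method=method,
                                 headers={"X-Authy-API-Key": api_key})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")


def _succeeded(data: dict) -> bool:
    # Assumption: some Authy endpoints return success as a boolean, verify as the string "true".
    return str(data.get("success")).lower() == "true"


class AuthyClient:
    def __init__(self, api_key: str, transport: Transport = http_transport):
        self.api_key = api_key
        self._send = transport

    def register_user(self, email: str, phone: str, country_code: int) -> int:
        body = urlencode({"user[email]": email, "user[cellphone]": phone,
                          "user[country_code]": country_code}).encode()
        status, data = self._send("POST", f"{AUTHY_BASE}/users/new", self.api_key, body)
        if status != 200 or not _succeeded(data):
            raise RuntimeError(f"Authy registration failed: {status} {data.get('message')}")
        return int(data["user"]["id"])

    def request_sms(self, authy_id: int) -> bool:
        status, data = self._send("POST", f"{AUTHY_BASE}/sms/{authy_id}", self.api_key, b"")
        return status == 200 and _succeeded(data)

    def verify_token(self, token: str, authy_id: int) -> bool:
        # Check the token's shape locally so arbitrary user input never reaches the URL.
        if not (token.isdigit() and 6 <= len(token) <= 8):
            return False
        status, data = self._send("GET", f"{AUTHY_BASE}/verify/{token}/{authy_id}",
                                  self.api_key, None)
        return status == 200 and _succeeded(data)


def enroll(client: AuthyClient, users: Dict[str, dict], username: str,
           email: str, phone: str, country_code: int) -> int:
    """Register, store the AuthyID with the user record, then send a token to confirm."""
    authy_id = client.register_user(email, phone, country_code)
    users[username].update({"authy_id": authy_id, "two_factor_confirmed": False})
    client.request_sms(authy_id)
    return authy_id


def confirm(client: AuthyClient, users: Dict[str, dict], username: str, token: str) -> bool:
    """Mark 2FA as confirmed only after a token verifies for the stored AuthyID."""
    record = users[username]
    if "authy_id" not in record or not client.verify_token(token, record["authy_id"]):
        return False
    record["two_factor_confirmed"] = True
    return True


class FakeAuthyTransport:
    """Constructed stand-in for the service: one AuthyID per phone, fixed token '123456'."""

    def __init__(self):
        self.ids: Dict[Tuple[str, str], int] = {}
        self.sent = []  # AuthyIDs that "received" an SMS

    def __call__(self, method: str, url: str, api_key: str, body: Optional[bytes]) -> Tuple[int, dict]:
        if api_key != "test-key":
            return 401, {"success": False, "message": "Invalid API key."}
        path = url[len(AUTHY_BASE):]
        if path == "/users/new":
            params = parse_qs((body or b"").decode())
            key = (params["user[country_code]"][0], params["user[cellphone]"][0])
            self.ids.setdefault(key, 1000 + len(self.ids))  # same phone -> same AuthyID
            return 200, {"success": True, "user": {"id": self.ids[key]}}
        if path.startswith("/sms/"):
            self.sent.append(int(path.rsplit("/", 1)[1]))
            return 200, {"success": True, "message": "SMS token was sent"}
        if path.startswith("/verify/"):
            token, authy_id = path.split("/")[2:4]
            if int(authy_id) in self.ids.values() and token == "123456":
                return 200, {"success": "true", "token": "is valid"}
            return 401, {"success": False, "errors": {"message": "Token is invalid"}}
        return 404, {"success": False}
```

The point of the `two_factor_confirmed` flag is that registration alone proves nothing: until a token for the stored AuthyID verifies, the account should be treated as not yet enrolled, otherwise a mistyped number locks the user out of their own login.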
When first discussing Authy with potential customers, one of my favorite points of discussion is how easy it is to add our product to a pre-existing infrastructure. Typically we see engineering teams adding Authy within a couple of days (or a few story points, if Agile). Aside from the ease of implementation, having a second-factor platform that can 1) deliver globally and 2) scale immensely is a great boon for startups and multinationals alike.
While I can talk about the ease of implementation all day long, it is honestly a bit simpler to demonstrate it. If you’d rather just check out the code, you can clone our very simple Authy 2FA and Phone Verification app available on GitHub.
Authy Dashboard Registration
Before using Authy, you will need to register with Twilio and get an Authy API key from the Authy dashboard. As part of the dashboard setup process, you’ll need to …