Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy-to-guess passwords and for reused passwords that are breached on another site. The most security-conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?
A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.
This sentiment reflects something the security researcher Cormac Herley wrote about a decade …
As companies firm up their website authentication with increased security like two-factor authentication, attackers are flocking to less secure channels like call centers to impersonate their victims and gain access to their accounts. Account takeover (ATO) like this is growing at a staggering rate, up 72% in 2019 according to the 2020 Javelin Identity Fraud Study, "due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information". As businesses move more of their operations away from in-person stores in the wake of COVID-19, call center security is more important than ever.
While ATO is possible on your website, over half of financial services companies said call centers were the primary attack channel for ATO. That's because call center agents are susceptible to social engineering, a form of hacking that uses psychological manipulation to bypass security measures guarded by humans. …
As we dutifully practice social distancing, live video conferencing is increasingly popular. From company meetings to yoga classes and magic shows, traditional in-person events are going virtual. But while technology connects us, it also comes with privacy and security risks.
This post will show you how to add one-time passcode authentication on top of your Twilio Video application to ensure that only registered users are able to access the conference.
While passwords may help protect against war dialing, they don't guarantee that the people joining the video conference should be allowed to participate. A lot of people are still widely sharing Zoom meeting IDs and passwords.
One-time passcode authentication is useful for gating:
- Paid content like workout classes, political fundraisers, or live dating shows.
- Sensitive content with an access control list (ACL).
This tutorial will walk you through adding Twilio Verify SMS verification to …
You can protect your conference call with a static passcode, and while that offers more security than nothing at all, passcodes can be guessed or leaked -- especially if they're reused over time. You can also verify the caller ID of the person calling in, but spoofing phone numbers is still easy and prevalent.
One-time passcodes (OTPs) offer additional security by ensuring that a user has access to the phone and number they claim to own. By sending an OTP to the user's number or email, you can have confidence that the person joining your call is who they say they are.
The code in this post will secure your conference line in two ways:
- Check that the person calling is a known participant.
- Use an OTP to prevent anyone from joining the call by spoofing a phone number.
Follow the tutorial below or check out the completed …
Stripe and Twilio have teamed up to build a sample application that shows you how to securely collect and store payment details from your customers and use Twilio Verify to send returning customers an authentication code before charging their saved card details.
Demo and resources
Running the sample on your local machine
Creating the sample with the Stripe CLI
The most convenient way to set up a Stripe …
If you're planning on sending mass text notifications you'll want to make sure that the numbers you're sending to are valid. This post will quickly show how to use the Twilio Lookup API to sanitize your data, checking that:
- Phone numbers are real
- Phone numbers are formatted correctly
- Phone numbers are mobile
Validating and sanitizing phone numbers will mean fewer API errors for sending to non-existent, incorrectly formatted, or landline numbers, giving you greater confidence in your system.
Twilio.org is offering a $500 kickstart credit and additional product discounts for apps that offer public benefits during the COVID-19 crisis. Learn more: https://ahoy.twilio.com/covid19-contact.
Prerequisites for sanitizing phone numbers
- A Twilio account. Get an extra $10 when you upgrade using this link.
- The Twilio Python helper library. Follow instructions to install it here.
Like everything in security, whether or not it’s safe to use email as a delivery channel for two-factor authentication (2FA) will depend on who your users are and what you're trying to protect.
That said, email-based 2FA is usually going to protect your users more than it is going to hurt them, especially if it's offered as an option alongside more secure channels like TOTP. Much like SMS-based 2FA, which can protect against 96% of bulk phishing attacks and 76% of targeted attacks, any 2FA is going to be better than no 2FA at all.
A quick note: email verification vs. 2FA
This post addresses the tradeoffs of ongoing login verification using email two-factor authentication. Verifying a user's email address the first time they provide it is a best practice to reduce fraud, ensure deliverability, and maintain a good sending reputation.
Services like Chase bank offer email …
How did you spend your weekend? When I wasn't feeding my sourdough starter, I spent at least 4 hours playing Animal Crossing: New Horizons and doing chores for my raccoon landlord. For those unacquainted with the game: Animal Crossing is a social game where you build a town on a deserted island full of friendly animals, fruit trees, and homemade furniture. Once you set up your town, other players can visit you, bring you gifts, and help you weed your garden.
Unfortunately in-game communication can be tough: there's no in-game voice chat and saying something specific is a hunt-and-peck nightmare with the Switch keyboard. Video chat seemed like overkill since we'd all be looking at our screens anyway.
Luckily, we …
Security is at the top of everyone’s mind and phone verification is a simple way to secure your application and help prevent bot accounts. Sending a one-time password to a user's phone to validate they have possession is a common security tool used when people sign up for a product or give you their phone number for the first time.
Confidence in your users’ phone numbers decreases fraud and increases reliability of notifications. Let’s take a look at how to verify phone numbers from a web application using Twilio's serverless functions and the Twilio Verify API.
Prerequisites to adding Twilio Verify to your application
To code along with this post, you’ll need:
Some bad actors use phone numbers from free online providers to create fake profiles to scam or spam. Twilio's Lookup API helps you identify the carrier behind the phone number to learn which users have real mobile numbers. And you can use it with the new Twilio CLI!
Look up a carrier with the Twilio CLI
To look up a phone number with the Twilio CLI you will need:
You can query the Twilio Lookup API for information about a phone number. There are two types of requests the API can perform:
- Carrier - includes line type (e.g. mobile, landline, VoIP) and telecom provider (e.g. Verizon, Level 3 Communications, Twilio)
- Caller name - includes caller identification information when available …