Push authentication is one of the most secure and easiest-to-use forms of user authentication. When a company issues an authentication challenge, the user only has to tap allow or deny on the push notification they receive on their phone, which is much easier than typing in a one-time password (OTP).
Push authentication also lets a company add useful context to the authentication event. Take payments: instead of just sending a code, the request can include details of the payment such as the amount and the recipient. Even better, because push is one of the few forms of authentication that lets the user explicitly deny an attempt, companies can use those denials to identify real-time phishing attacks and other malicious activity.
Push authentication also uses public key cryptography under the hood to link a single device (like a user's phone) to their identity. That makes it …
Twilio Verify offers built-in rate limits to help protect your business and its customers from account takeover and toll fraud attacks against your verification flows. This is helpful once you're in production, but can be frustrating during development and testing.
Unfortunately, we do not offer a free testing sandbox, since we have to pay underlying carrier fees for every message sent on our platform, and Twilio's test credentials are not compatible with the Verify API.
You still need to test your project though, so this guide will cover:
- Common issues like rate limits and expired verifications
- Best practices for verification testing
- How to quickly spin up a testing interface during development
Common Verify API errors during testing
Error 60203: Max send attempts reached
For more details, check out the official Twilio docs for Error 60203.
The API triggers this rate limit after starting 5 verification attempts to the …
The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) when a payer:
- Initiates an electronic payment over €30*
- Accesses their payment account online
- Does any other remote action "which may imply a risk of payment fraud or other abuses"
This applies to:
- Business and/or customers in the European Economic Area
- Online/debit or credit card-not-present transactions
Originally the deadline was September 2019, but that's been extended until 31 December 2020 (the SCA deadline in the UK is now 14 September 2021).
There are three ways to use Twilio to implement SCA for transactions in your application:
- Verify SMS One-Time Passcodes (OTP)
- Push authentication
- Transactional TOTP
This post will give an overview of each method and provide resources to get started.
*exempted payments include:
- Low risk transactions (based on provider's fraud rates)
- Recurring payments (fixed or variable "merchant initiated")
- Over the phone payments
SCA requirements for card-not-present transactions
TOTP, or Time-based One-time Passwords, is a way to generate short lived authentication tokens commonly used for two-factor authentication (2FA). The algorithm for TOTP is defined in RFC 6238, which means that the open standard can be implemented in a compatible way in multiple applications. You might be familiar with TOTP from apps like Authy or Google Authenticator, but there are a lot of other options including Duo and Microsoft Authenticator.
Getting users to enable 2FA is half the battle of improving account security, so I recommend giving your customers flexibility over which authenticator app they use.
The Authy API (connected to, but different from, the Authy app) defaults to enrolling the user in the Authy app, but this post will show you how to use the API in a way that lets your customers use the authenticator app of their choice.
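As an added example (not code from the original post, and not the Authy API), here is RFC 6238 TOTP built on RFC 4226 HOTP in plain Python: a generator, a verifier that tolerates one 30-second step of clock skew, compares in constant time and refuses replay of an already-accepted code, and the `otpauth://` provisioning URI (the Key URI format) that any standards-compliant authenticator app can scan, which is what lets a customer pick the app they prefer. The function names, the `last_counter` bookkeeping and the issuer/account strings are this example's own assumptions.

```python
"""RFC 6238 TOTP on top of RFC 4226 HOTP, plus the otpauth:// provisioning URI.
Added example; not the Authy API and not code from the original post."""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                              # low nibble of the last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algorithm=hashlib.sha1) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second periods since the Unix epoch."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algorithm)


def verify_totp(secret: bytes, candidate: str, at=None, step: int = 30, digits: int = 6,
                window: int = 1, last_counter=None):
    """Return the counter that matched, or None.

    Accepts the current period plus `window` periods either side (clock skew), strips the
    spaces users type, compares in constant time, and refuses any counter <= last_counter so
    a code that was already accepted (e.g. phished and replayed) cannot be used twice. The
    caller persists the returned counter as the new last_counter (assumed storage)."""
    if at is None:
        at = time.time()
    candidate = "".join(ch for ch in candidate if ch.isdigit())
    base = int(at) // step
    for offset in range(-window, window + 1):
        counter = base + offset
        if last_counter is not None and counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str, digits: int = 6, step: int = 30) -> str:
    """Key URI format understood by standard authenticator apps; render it as a QR code."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits={digits}&period={step}")


if __name__ == "__main__":
    user_secret = secrets.token_bytes(20)                # 160-bit per-user secret, generated at enrollment
    print(provisioning_uri(user_secret, "alice@example.com", "ExampleCorp"))   # example names
    print("current code:", totp(user_secret))
```

The RFC 6238 test vectors (secret `12345678901234567890`, SHA-1, 8 digits) are a quick way to confirm an implementation before wiring it to real users; a code that was already accepted must never validate again, which is why the verifier takes and returns the counter rather than a bare boolean.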
Did you know? TOTP is an …
Call center security is a known weak spot for many companies. That's because most call centers only identify callers; they do not actually authenticate them.
Identity information is usually static data like a phone number or date of birth, things that a lot of people know about you and me. It is often easy to find or purchase and rarely changes. With a little research, attackers can use social engineering to bypass the common knowledge-based "verification" questions built on that data. Authentication, by contrast, proves an identity with a factor: something you know like a password, something you have like a key or phone, or something you are like a fingerprint.
Options for actually authenticating users contacting your support system include sending one-time passcodes (OTPs) to a user via SMS or email, callbacks, security PINs, verbal passcodes, voice recognition, and more. For more …
Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy to guess passwords and for reused passwords that are breached on another site. The most security conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?
A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.
This sentiment reflects something the security researcher Cormac Herley wrote about a decade …
As companies firm up their website authentication with increased security like two-factor authentication, attackers are flocking to less secure channels like call centers to impersonate their victims and gain access to their accounts. Account takeover (ATO) like this is growing at a staggering rate, up 72% in 2019 according to the 2020 Javelin Identity Fraud Study, "due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information". As businesses move more of their operations away from in-person stores in the wake of COVID-19, call center security is more important than ever.
While ATO is possible on your website, over half of financial services companies said call centers were the primary attack channel for ATO. That's because call center agents are vulnerable to social engineering, a form of hacking that uses psychological manipulation to bypass security measures guarded by humans. …
As we dutifully practice social distancing, live video conferencing is increasingly popular. From company meetings to yoga classes and magic shows, traditional in person events are going virtual. But while technology connects us, it also comes with privacy and security risks.
This post will show you how to add one-time passcode authentication on top of your Twilio Video application to ensure that only registered users are able to access the conference.
While passwords may help protect against war dialing, they don't guarantee that the people joining the video conference should be allowed to participate. A lot of people are still widely sharing Zoom meeting IDs and passwords.
One-time passcode authentication is useful for gating:
- Paid content like workout classes, political fundraisers, or live dating shows.
- Sensitive content with an access control list (ACL)
This tutorial will walk you through adding Twilio Verify SMS verification to …
You can protect your conference call with a static passcode, and while that offers more security than nothing at all, passcodes can be guessed or leaked -- especially if they're reused over time. You can also verify the caller ID of the person calling in, but spoofing phone numbers is still easy and prevalent.
One-time passcodes (OTPs) add security by proving that the caller controls the phone number (or email address) they claim to own. By sending an OTP to the number or email you already have on file for a participant, you can have confidence that the person joining your call is who they say they are.
The code in this post will secure your conference line in two ways:
- Check that the person calling is a known participant
- Use an OTP so that nobody can join the call merely by spoofing a known participant's phone number
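The following added example (not the tutorial's code and not the Twilio Verify API) models the server side of such an OTP gate in plain Python, and also illustrates the failure modes from the Verify testing notes earlier on this page: it refuses to send codes to numbers that are not on the participant list, caps send attempts at five per verification like the max-send-attempts limit described there, expires the verification after a fixed window, burns the code after too many wrong guesses, and compares codes in constant time. The 10-minute expiry, the five-guess cap, the class and function names and the sample phone numbers are assumptions of the example; the in-memory outbox stands in for an SMS channel so the code runs offline.

```python
"""Server-side OTP gate for a conference line: participant allowlist plus a one-time code
with send-rate limiting, expiry and a cap on wrong guesses. Constructed example; not the
Twilio Verify API."""
import hmac
import secrets
import time

CODE_LENGTH = 6
CODE_TTL_SECONDS = 600      # assumed: the verification expires 10 minutes after the first send
MAX_SEND_ATTEMPTS = 5       # mirrors the "max send attempts" limit described for Verify above
MAX_CHECK_ATTEMPTS = 5      # assumed: wrong guesses allowed before the code is burned


def normalize(phone: str) -> str:
    """Keep only '+' and digits so "+1 (555) 000-1111" and "+15550001111" compare equal."""
    return "".join(ch for ch in phone if ch.isdigit() or ch == "+")


def new_code() -> str:
    """Cryptographically random numeric code, zero-padded to CODE_LENGTH digits."""
    return f"{secrets.randbelow(10 ** CODE_LENGTH):0{CODE_LENGTH}d}"


class OtpGate:
    def __init__(self, participants, clock=time.time):
        self.participants = {normalize(p) for p in participants}   # the access control list
        self.clock = clock          # injectable so expiry can be tested without sleeping
        self.pending = {}           # phone -> {"code", "expires", "sends", "checks"}
        self.outbox = []            # (phone, code) pairs; stands in for the SMS channel

    def start(self, phone: str) -> str:
        """Send (or resend) a code to a known participant. Returns a status string."""
        phone = normalize(phone)
        if phone not in self.participants:
            return "not_a_participant"        # unknown number: never send a code at all
        now = self.clock()
        state = self.pending.get(phone)
        if state is not None and now >= state["expires"]:
            del self.pending[phone]           # stale verification: start over with a new code
            state = None
        if state is None:
            state = {"code": new_code(), "expires": now + CODE_TTL_SECONDS, "sends": 0, "checks": 0}
            self.pending[phone] = state
        if state["sends"] >= MAX_SEND_ATTEMPTS:
            return "max_send_attempts"        # rate limit: bounds SMS cost and toll fraud
        state["sends"] += 1
        self.outbox.append((phone, state["code"]))   # resends deliver the same code until expiry
        return "sent"

    def check(self, phone: str, code: str) -> str:
        """Validate a code typed by the caller. Returns a status string."""
        phone = normalize(phone)
        state = self.pending.get(phone)
        if state is None:
            return "no_pending_verification"
        if self.clock() >= state["expires"]:
            del self.pending[phone]
            return "expired"
        state["checks"] += 1
        if hmac.compare_digest(code.strip(), state["code"]):
            del self.pending[phone]           # single use: the same code cannot be replayed
            return "approved"
        if state["checks"] >= MAX_CHECK_ATTEMPTS:
            del self.pending[phone]           # burn the code; the caller must start over
            return "max_check_attempts"
        return "incorrect"


if __name__ == "__main__":
    gate = OtpGate(["+15550001111"])          # constructed participant list
    print(gate.start("+1 (555) 000-1111"))    # sent
    print(gate.start("+15559999999"))         # not_a_participant
    phone, code = gate.outbox[-1]
    print(gate.check(phone, code))            # approved
```

Because the phone number is looked up in the participant list before anything is sent, a spoofed caller ID alone never triggers an SMS, and a caller who does not control the listed number never sees the code; the per-verification send cap is what keeps an attacker from turning the gate into an SMS-pumping bill.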
Follow the tutorial below or check out the completed …
Stripe and Twilio have teamed up to build a sample application that shows you how to securely collect and store payment details from your customers and use Twilio Verify to send returning customers an authentication code before charging their saved card details.
Demo and resources
Running the sample on your local machine
Creating the sample with the Stripe CLI
The most convenient way to set up a Stripe …