  • By Kelley Robinson
    How to incentivize users to enable 2FA

    Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy-to-guess passwords and for reused passwords that are breached on another site. The most security-conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?

    A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.

    This sentiment reflects something the security researcher Cormac Herley wrote about a decade …

  • By Kelley Robinson
    Best practices to secure inbound calls to your contact center

    As companies firm up their website authentication with increased security like two-factor authentication, attackers are flocking to less secure channels like call centers to impersonate their victims and gain access to their accounts. Account takeover (ATO) like this is growing at a staggering rate, up 72% in 2019 according to the 2020 Javelin Identity Fraud Study, "due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information". As businesses move more of their operations away from in-person stores in the wake of COVID-19, call center security is more important than ever.

    While ATO is possible on your website, over half of financial services companies said call centers were the primary attack channel for ATO. That's because call center agents are susceptible to social engineering, a form of hacking that uses psychological manipulation to bypass security measures guarded by humans. …

  • By Kelley Robinson
    Secure your video conference with one-time passcodes

    As we dutifully practice social distancing, live video conferencing is increasingly popular. From company meetings to yoga classes and magic shows, traditionally in-person events are going virtual. But while technology connects us, it also comes with privacy and security risks.

    This post will show you how to add one-time passcode authentication on top of your Twilio Video application to ensure that only registered users are able to access the conference.

    While passwords may help protect against war dialing, they don't guarantee that the people joining the video conference should be allowed to participate. A lot of people are still widely sharing Zoom meeting IDs and passwords.

    One-time passcode authentication is useful for gating:

    • Paid content like workout classes, political fundraisers, or live dating shows.
    • Sensitive content with an access control list (ACL)

    This tutorial will walk you through adding Twilio Verify SMS verification to …

  • By Kelley Robinson
    How to build a one-time passcode protected conference line with Twilio Verify and Python

    You can protect your conference call with a static passcode, and while that offers more security than nothing at all, passcodes can be guessed or leaked -- especially if they're reused over time. You can also verify the caller ID of the person calling in, but spoofing phone numbers is still easy and prevalent.

    One-time passcodes (OTP) offer additional security by ensuring that a user has access to the phone and number they claim to own. By sending an OTP to the user's number or email, you can have confidence the person joining your call is who they say they are.

    The code in this post will secure your conference line in two ways:

    1. Check that the person calling is a known participant
    2. Prevent anyone from spoofing a phone number in order to join the call with an OTP

    Follow the tutorial below or check out the completed …

  • By Kelley Robinson
    Build fast checkout with SMS verification using Stripe and Twilio

    Stripe and Twilio have teamed up to build a sample application that shows you how to securely collect and store payment details from your customers and use Twilio Verify to send returning customers an authentication code before charging their saved card details.

    Demo and resources

    If you prefer to watch this tutorial, you can find a recording of how to set up the sample application on the Stripe Developers YouTube channel:

    Youtube video recording of a code walkthrough

    Running the sample on your local machine

    The sample application comes with two backend implementations: one in JavaScript (Node) and one in Python (Flask). In this tutorial we outline how to set up the Node.js backend. You can find instructions for running the Python Flask server here.

    Creating the sample with the Stripe CLI

    The most convenient way to set up a Stripe …

  • By Kelley Robinson
    How to sanitize phone numbers before sending mass alerts

    If you're planning on sending mass text notifications you'll want to make sure that the numbers you're sending to are valid. This post will quickly show how to use the Twilio Lookup API to sanitize your data, checking that:

    • Phone numbers are real
    • Phone numbers are formatted correctly
    • Phone numbers are mobile

    Validating and sanitizing phone numbers will mean fewer API errors for sending to non-existent, incorrectly formatted, or landline numbers, giving you greater confidence in your system.

    Twilio.org is offering a $500 kickstart credit and additional product discounts for apps that offer public benefits during the COVID-19 crisis. Learn more: https://ahoy.twilio.com/covid19-contact.

    Prerequisites for sanitizing phone numbers

    The Lookup API does not support bulk requests. If you anticipate a high volume of requests, please contact …

  • By Kelley Robinson
    Is email based 2FA a good idea?

    Like everything in security, whether or not it’s safe to use email as a delivery channel for two-factor authentication (2FA) will depend on who your users are and what you're trying to protect.

    That said, email-based 2FA is usually going to protect your users more than it is going to hurt them, especially if it's offered as an option alongside more secure channels like TOTP. Much like SMS-based 2FA, which can protect against 96% of bulk phishing attacks and 76% of targeted attacks, any 2FA is going to be better than no 2FA at all.

    A quick note: email verification vs. 2FA

    This post addresses the tradeoffs of ongoing login verification using email two-factor authentication. Verifying a user's email address the first time they provide it is a best practice to reduce fraud, ensure deliverability, and maintain a good sending reputation.

    Chase bank offers SMS and email based 2FA

    Services like Chase bank offer email …

  • By Kelley Robinson
    Build an Animal Crossing party line in 5 minutes

    How did you spend your weekend? When I wasn't feeding my sourdough starter, I spent at least 4 hours playing Animal Crossing: New Horizons and doing chores for my raccoon landlord. For those unacquainted with the game: Animal Crossing is a social game where you build a town on a deserted island full of friendly animals, fruit trees, and homemade furniture. Once you set up your town, other players can visit you, bring you gifts, and help you weed your garden.

    On Sunday, my coworker Christine invited me and our coworker Megan to an Animal Crossing party. We exchanged Switch Friend codes and set up a time to play.

    Unfortunately in-game communication can be tough: there's no in-game voice chat and saying something specific is a hunt-and-peck nightmare with the Switch keyboard. Video chat seemed like overkill since we'd all be looking at our screens anyway.

    Luckily, we …

  • By Kelley Robinson
    Serverless Phone Verification with Twilio Verify and Twilio Functions

    Updated June 2020 - this project now uses the Twilio Serverless Toolkit and the Functions API.

    Security is at the top of everyone’s mind and phone verification is a simple way to secure your application and help prevent bot accounts. Sending a one-time password to a user's phone to validate they have possession is a common security tool used when people sign up for a product or give you their phone number for the first time.

    Confidence in your users’ phone numbers decreases fraud and increases reliability of notifications. Let’s take a look at how to verify phone numbers from a web application using Twilio's serverless functions and the Twilio Verify API.

    Prerequisites to adding Twilio Verify to your application

    To code along with this post, you’ll need:

  • By Kelley Robinson
    How to Lookup a phone number with the Twilio CLI

    Some bad actors use phone numbers from free online providers to create fake profiles to scam or spam. Twilio's Lookup API helps you identify the carrier behind the phone number to learn which users have real mobile numbers. And you can use it with the new Twilio CLI!

    Lookup a carrier with the Twilio CLI

    To look up a phone number with the Twilio CLI you will need:

    Follow the instructions to install the Twilio CLI, then log in from your terminal with the account credentials found in the console:

    twilio login

    You can query the Twilio Lookup API for information about a phone number. There are two types of requests the API can perform:

    1. Carrier - includes line type (e.g. mobile, landline, VoIP) and telecom provider (e.g. Verizon, Level 3 Communications, Twilio)
    2. Caller name - includes caller identification information when available …