  • By Simon Thorpe
    Improving user privacy for two-factor authentication

    While it is generally agreed that two-factor authentication (2FA) is an increasingly important means of adding security to your user accounts, you’ve probably heard stories where the phone number used to enable 2FA ended up part of a data breach or was misused by the website. This has made some people unwilling to provide their phone number.

    To address this, we updated Twilio’s Authy API to allow 2FA to be implemented on websites without having to collect the phone number from the user.

    Why Authy asks for the phone number

    Before we look at the new change, it’s worth understanding how Authy was designed to use your phone number. There are two elements to the Authy solution: the API, which businesses use to integrate 2FA into their applications, and the Authy app, which consumers use to generate 2FA codes. The phone number ties the two …

  • By Simon Thorpe
    Is the internet getting safer?

    We look at the trends for how websites and consumers deal with the threat of data breaches.

    Connecting our human selves to our digital identities is hard. How does your bank know it’s really you behind the browser opening a new account? How does Facebook know the person logging in from a computer in Turkey is you on vacation, and not some cyber criminal?

    Since the 1950s, we’ve been relying on usernames and passwords to make the connection between people and their computers. However, given today’s constant barrage of websites hacked and data stolen, it’s clear we can no longer rely on a simple username and password to keep us safe. How is it that so many companies large and small do not adequately protect our data? Are developers working on improving security in the applications they build? Are we any safer now than we were a few years ago? …

  • By Simon Thorpe
    New webhooks and reporting for Twilio Authy (2FA) and Verify (phone verification) APIs

    We’ve recently updated Twilio’s market-leading set of APIs for account security with reporting and event notification capabilities to give you real-time, detailed data about user verifications, authentications, and other important account security events.

    Protecting your customer accounts requires constant monitoring of your sign-up, authentication, and recovery processes to look for trends and areas for improvement. The ways in which users interact with your application also need constant review to deliver the most secure yet friction-free experience.

    Using webhooks for real-time notifications, and running reports against our API will give you valuable insight into your account security workflows. This article will go over two API updates:

    Knowing when something happens, as it happens

    Let’s start with the webhooks API. There is a range of API interactions that will trigger a webhook event. For example, when someone finishes installing the Authy app, or completes …

  • By Simon Thorpe
    Google Authenticator app support now available in Authy API

    Twilio’s market-leading two-factor authentication API, Authy, has added support for Google Authenticator and other TOTP-standard apps. This new API update gives customers of our API the ability to accept tokens generated from Authy or any other TOTP-compliant application. The enhancement broadens the options the API currently gives to your end users and allows your developers to continue to rely on the Twilio 2FA API, reducing the effort to implement and maintain your 2FA solution.

    When a user account is protected with 2FA, the most common method is the entry of a one-time passcode (OTP) after they’ve first provided a valid username and password. The user gets the OTP either via SMS, a voice call, or (the most secure option) from a mobile or desktop app. When an app is involved, the passcode is generated using time as a reference, and therefore the method is …

  • By Simon Thorpe
    Supporting Europe’s PSD2 And The Strong Customer Authentication It Requires

    It seems that every month some new payment app pops up looking to be the next category disruptor. Innovative companies like TransferWise are making headlines, with simple-to-use smartphone apps that allow you to send money abroad, quickly and cheaply. Amazingly, TransferWise is already profitable and handling nearly £1 billion ($1.3 billion USD) in transactions a month. Bitcoin valuations are racing through the roof. And there are even lines of digital jewelry (Kerv, NFCRing). Wear one of these “payment rings” on your finger, and you’ll pay for your next burger and fries without reaching for your wallet.

    In the wake of all the amazing advancements in ways to send money to friends or pay for things we buy come regulations to ensure that consumers can use these new technologies safely and without worry. The most pressing, due to a January 2018 deadline, is the European …

  • By Simon Thorpe
    Authy API Configuration has moved to the Twilio Console

    Effective immediately, developers looking for the configuration and settings for the Authy API will find them within two new sections of the Twilio Console at twilio.com/console. Our Two-factor Authentication API (Authy) and our Phone Verification API (Verify) can be found in the “Authy” and “Verify” sections of the Twilio Console respectively.

    Since Twilio acquired Authy back in 2015, the Authy API has been carefully and deeply integrated to take advantage of Twilio’s systems, scale, and expertise. This has improved the deliverability of 2FA and Phone Verification messages and voice calls, and hardened the reliability of our API infrastructure. Leveraging the Twilio Console as a central place for our customers to manage their account security products is another improvement we’re making in the quality of our offerings. With this change, you can get access to the following new features within the Twilio Console.

    • Improved Authy user …
  • By Simon Thorpe
    Due to CASL, Canadian Carriers Might be Locking Out Your Users

    If you use SMS to send codes for two-factor authentication logins or to verify ownership of a phone number, you need to be aware of a growing trend where wireless carriers are starting to block your traffic, thus preventing people from signing up and logging into your application. Twilio has two APIs, Verify and Authy, which can help avoid these issues because they are pre-configured to comply with carriers’ changing policies.

    For example, Canada’s approach to reduce unwanted messages is to encourage use of short codes instead of long codes. Carriers are supporting this preference through increased filtering of A2P traffic on long codes. The change in law came from the Canadian Radio-television and Telecommunications Commission (CRTC) which, in 2017, started enforcing updates to Canada’s Anti-Spam Legislation (CASL). Specifically, they target bulk SMS messages sent from long codes, i.e. ten-digit phone numbers like (236) 555-1212. This type of …

  • By Simon Thorpe
    Twilio Authenticator SDK Now Supports Offline Authentication with TOTP

    With the Twilio Authenticator SDK you can now fully embed the latest in mobile authentication technology into your own mobile apps while having complete control over the user authentication experience. And we’ve just updated it to include offline authentication.

    This past summer the Twilio Authenticator SDK was launched to allow companies to embed push authentication into any iOS or Android mobile application. Push authentication is the most secure — and the most user-friendly — solution for using a mobile device as an authenticator. However, there is a significant limitation with push authentication: the mobile device has to be online. Consider just a few scenarios where this might be a challenge:

    • You’re jetting at 30,000 feet, and you’ve paid $30 for in-flight WiFi for your laptop, not your mobile phone. It’d be expensive to pay another $30 just to get that single authentication event on your phone.
    • You’re travelling abroad and …
  • By Simon Thorpe
    Reduce SMS 2FA Risks By Using Device Data

    Using SMS for 2FA security has recently been getting a legitimately bad rap, with a significant increase in successful attempts to intercept or redirect the 2FA codes sent via SMS as part of a login. We’ve addressed these issues (and more) with updates to the Twilio Authy API, making it possible to bypass sending SMS-based 2FA for a more secure, and less costly, authentication. The API now sends enhanced information from devices to allow you to make risk-based decisions for users authenticating to your applications.

    The preferred alternative to SMS is to utilize smartphone apps that generate time-based, one-time passcodes (often referred to as TOTP). Or even better, deliver push notifications to initiate a more user-friendly, more secure approve or deny style of authentication. Because this all runs in software on a device, we can gather a little data to help you answer important questions about the …

  • By Simon Thorpe
    Use the Twilio Authenticator SDK to easily embed 2FA directly into your mobile app

    Starting today, you can embed the very latest authentication technology into your own mobile apps with our Twilio Authenticator SDK, configurable from the Twilio Console. With the Twilio Authenticator SDK, you can now deliver secure and user-friendly authentication directly inside your own mobile apps.

    We all know passwords alone are a horrible way to protect your users and their data. Research (2013, 2014, 2015, 2016) has repeatedly shown that consumers use, and even reuse, weak passwords despite acknowledging the inherent risks. Placing the burden of security on your users is a surefire way to find yourself listed on data breach websites.

    Two-factor authentication has become the ideal method to secure against password theft. The latest 2FA methods use push notifications which prompt users with a friendly message, asking them to approve the login currently taking place. Examples of this new …
