As part of our mission to be the most trusted customer engagement platform on the planet, Twilio has the responsibility to secure customer accounts.
Starting October 12, 2020, we began enforcing mandatory two-factor authentication (2FA) as an additional layer of login protection for all Twilio customers with paid accounts. The 2FA requirement excludes trial accounts.
This post will explain what’s changing, show how it will affect your Twilio account, walk you through how to set up 2FA in your account, and answer the most frequently asked questions about the requirements.
What is 2FA?
Two-factor authentication (2FA) is a security feature that requires you to present two independent types of evidence – something you know (your password) and something you have (a device that receives or generates one-time verification codes) – in order to access your account. A stolen password alone is then not enough to log in.
Why is Twilio requiring 2FA for paid accounts?
Identity theft is the fastest growing crime in the U.S. and is only increasing in size, sophistication, and cost. In 2020, Americans lost more than $192 million in over 260,000 reports of fraud related to COVID-19 alone, according to the Federal Trade Commission report. And 2FA can mitigate 99.9% of account takeovers, according to a recent study.
Twilio is committed to making it more difficult for bad actors who traffic in stolen credentials to gain access to Twilio accounts, thereby limiting the spread of fraudulent communications. A second factor can protect your account from accidental exposures of:
- Login credentials shared by a team of people
- Credentials used on other sites that find their way onto public forums or are exposed through breaches of those sites
By adding 2FA to your account, together we are protecting the telecom ecosystem, ensuring our phones and email inboxes are free from harmful phishing messages, and improving the delivery rate of wanted messages in the intended recipients’ inboxes.
How does this affect your account?
In order to access your paid (non-trial) Twilio account, you will need your existing login credentials (email address and password), as well as a 2FA verification code (via a call, SMS message, or an authenticator app like Authy).
If you haven’t yet set up user-level 2FA, you will be prompted to enable it in order to log into your account. Please find the steps below showing how to enable it on your account:
Steps to Enable 2FA on your Twilio account:
To ensure the safety of your account, please follow the steps below to enable 2FA.
Log in to your paid account via the Twilio Console
Enter your phone number (mobile or landline) and hit ‘Send code via SMS’. This is a one-time step to verify your identity and register your trusted device for 2FA, not to be confused with your 2FA choice for ongoing verification (which you may select later in ‘Settings’).
Enter the verification code you just received and hit ‘Verify’.
If you did not receive the code via text message, hit ‘Resend code’ or choose to receive 2FA codes via a voice call or an authenticator app.
You will see a one-time emergency code that can be used to log into your account in the event that you ever lose access to your device. Save this recovery code somewhere safe. Once used, this recovery code cannot be used again.
That’s it! You will now be asked to enter a verification code sent to your phone every time you log in from an unrecognized device, or once every 30 days from your usual device.
You can change your 2FA frequency or method from User Settings any time you are logged in.
Scroll to the "Enable Two-Factor Authentication (2FA)" section, make the desired updates and hit ‘Update’ to save your selection. (When re-enabling 2FA, Twilio will save your previously selected method as the default.)
At this time, you will need to keep your phone number on file while using 2FA with Twilio. Removing the phone number on a paid account will re-start the process to register your account for 2FA.
Frequently Asked Questions
In case the above doesn’t answer all of your questions about the change, we’ve compiled the answers to frequently asked questions about the two-factor authentication policy below.
Which methods does Twilio support for 2FA?
We support SMS, Voice, our Authy app, and any authenticator app that implements the TOTP standard (RFC 6238) for 2FA. Customers can choose from any of these options, but we recommend using an authenticator app, since its codes are generated on the device and cannot be intercepted in transit the way an SMS or voice call can.
How do I select a 2FA method?
If you have never set up 2FA for Twilio before, you will be asked to complete a mandatory one-time phone number verification process to register your device for 2FA. This is not to be confused with your choice of 2FA method for ongoing verification. There are two ways to select your desired method for 2FA:
Step 2 of the setup flow will allow you to select a voice call or authenticator app for 2FA.
You can switch between 2FA methods at any time from your User Settings.
Please follow the instructions in these detailed setup guides:
- SMS/Voice
- Authy app
- Any other authenticator app
When did Twilio start requiring 2FA for paying customers?
We started requiring 2FA for paid customers on Oct 12, 2020 and sent email advisories to all impacted customers from July through October.
Why is Twilio still allowing SMS for 2FA without an option to disable this method?
If you have never set up 2FA for Twilio before, you are asked to complete a mandatory one-time phone number verification process to register your device for 2FA. This is not to be confused with your choice of 2FA method for ongoing verification – we’re just verifying that you are currently in control of your account.
You can switch between 2FA methods at any time from your User Settings.
What will happen if we do not set up 2FA to comply with the requirement?
As an owner or a member of a paid Twilio account, you will not be able to log in without setting up 2FA, and you risk losing access to your account or being temporarily locked out.
If paying customers do not turn on 2FA after repeated communication about the requirement, we reserve the right to suspend or close the account or may legally transfer liability of any fraud on the account.
Can I apply for an exclusion from the 2FA requirement?
No. No exceptions of any type are granted on the 2FA requirement for paying customers. SSO customers are automatically exempt from the requirement, because authentication is then handled by the identity provider.
What is the risk of not turning on 2FA for my account?
In the absence of 2FA, your account will have insufficient protections if your password is ever compromised, and you face the risk of bad actors gaining access to your account. Additionally, we reserve the right to suspend or close the account or may legally transfer liability of any fraud on the account.
Do I have to turn on 2FA at the user level or account level?
We require 2FA to be set up by every individual user at the user level, not at the legacy account level setting. You can learn more about the difference between user and account level 2FA here.
How do I know whether I have 2FA set up?
You will be prompted for a verification code while you log in (sometimes on trusted devices, always on new devices). You can also check your current 2FA setup in your User Settings at any time.
My company requires us to use Single Sign-On to log in to Twilio. Do we still need to meet the 2FA requirement for paid customers?
No, SSO customers are automatically exempt from the 2FA requirement.
Does Twilio require me to provide a phone number for 2FA?
Twilio requires a phone number as a mandatory step to create an account. As of today, we do require a phone number for 2FA as a means to recover access to your account if you lose your mobile device.
In 2021, we plan to add additional options that do not rely on phone numbers for 2FA.
Can I delete my phone number from Twilio after setting up 2FA? Can I change my number?
At this time, you may not delete your phone number from your paid account. We do require a phone number for 2FA as a means to recover access to your account if you lose your mobile device. If you delete your phone number, it will trigger a process to re-enroll your device for 2FA.
Do I need a mobile phone to use 2FA?
Mobile devices are more commonly used to receive verification codes via an app or SMS. However if you do not have a mobile phone, you can also use a landline number to receive codes through voice calls, or even Authy for desktop.
How does Twilio handle/share my phone number provided for 2FA?
We understand that when you use Twilio’s platform you are placing your trust in us to handle your data appropriately. We take a “No Shenanigans” approach to data protection. Twilio does not sell your personal information nor do we share it with third parties for their own business purposes.
Can I use an authenticator app other than Authy for 2FA?
Yes, we support any app that implements the TOTP standard (RFC 6238), such as Google Authenticator, Microsoft Authenticator, Duo, Sophos, and FreeOTP, to name a few.
For instructions on how to add another authenticator app, see this tutorial.
As a paid account owner, must I ensure every member on my Twilio account has turned on 2FA?
Any member with access to your paid Twilio account will automatically be prompted to set up 2FA when they next log in. Your account is only as secure as the weakest link, so please ensure that you audit the users on your account, ensure that they currently need access, and have them log in and set up 2FA.
We use shared login credentials to access our Twilio account, and store the password securely. What alternative do we have for 2FA?
We do not endorse or recommend sharing credentials to access accounts. We provide more secure user management by adding individual users to the Twilio accounts and granting them the appropriate access level. We recommend that customers use this as the primary means to grant access to shared accounts. As an option, you may utilize the Authy multi-device feature for 2FA to extend trust to multiple devices.
You could also consider using Single Sign On, available through our Enterprise Edition, as an alternate secure authentication method. SSO is a much more secure alternative to password-only login, and customers using SSO are exempt from the 2FA requirement.
We understand you may still have questions about the policy or be curious about how Twilio keeps your account secure. You can find additional resources at these links:
- Visit our Security hub for more information on what Twilio does to protect you.
- Learn more about the importance of 2FA in this video and blog post.
- Get help on 2FA setup and recovery in our support pages.
Thank you for keeping your Twilio account safe
We’ve built the world’s most trusted customer engagement platform, and we thank you for taking the time to help us keep your account secure.
Please log in to your paid Twilio account and enable 2FA.
Finally, we are looking to continuously remove any impediments in your security journey. If you have any thoughts or feedback, please share it with us through this form.
Ankita Bhosle is a Product Manager on Twilio’s Identity team. She’s currently focused on building delightful experiences and thoughtful APIs for our login platform. She is a product management mentor for Twilio’s Hatch apprenticeship program, a builder at heart, and a huge fan of honest design and self-deprecating humor.