Securing Your Twilio Account With 2FA

August 02, 2017

Passwords alone won’t cut it. They can’t provide your users, team members, or internal databases with the level of security you need. Instead, Twilio Two-Factor Authentication adds an extra level of security that allows you to secure accounts, prevent takeovers, and protect high-value transactions.

To confidently verify user identities and protect apps or services from data loss, fraud, and malicious attacks, many companies use a combination of Twilio 2FA solutions, often combined with the free-to-download Authy 2FA end-user app for iOS, Android, and desktop. And because we wouldn’t offer a solution that we didn’t use ourselves, we’ve incorporated Twilio 2FA into our Twilio Developer Console. More on how to set that up in a bit.

3 Levels Of Account Security

Multiple levels of authentication offer a balance between security and usability.

  • Our most commonly used 2FA is SoftToken for TOTP (time-based one-time password) token generation, where users manually enter a continually refreshed multiple-digit code.
  • We also offer OneTouch, a frictionless, push notification-based solution that alerts the user that an authentication attempt is taking place. The user then has the option to view authentication details and approve or deny access with a single touch, a back-and-forth communication that is encrypted end-to-end and digitally signed. It’s our simplest and strongest authentication offering.
  • As some end-users may not have a smartphone, we offer the globally accessible OneCode, which is also often used as a fallback for SoftToken and OneTouch. Built on top of Twilio’s leading communications platform, OneCode reliably delivers TOTP tokens via SMS or voice to 200+ countries.

Each level of authentication is SOC2 compliant and offered via simple yet powerful REST APIs and mobile SDKs for a 100% branded user experience. As with other Twilio offerings, self-service capabilities provide you with the most up-to-date security features.

Using 2FA To Protect Your Twilio Account

While two-factor authentication is an optional security feature in the Twilio Console, we strongly recommend that all Twilio customers secure their accounts to ensure applications are safe and that accounts can’t be used to send unauthorized messages, make unsanctioned voice calls, etc.

If you opt to protect your account with Twilio Two-Factor Authentication, note that it can only be enabled by the owner and/or administrator of the account. You’ll also need to choose between the two available 2FA frequency settings:

  • Choose to require the second factor of authentication on every single login.
  • Choose to place trust in the computer used to sign in, and require security code entry just once every 30 days. Twilio will remember—and trust—your computer for the rest of the month.

Once enabled, Twilio 2FA protection is applied to the logins of all users who access the account via the Twilio Console. After providing the correct username and password, users must supply a second factor through SMS, voice, or the Authy app before they can log in.

Get Started With 2FA

To enable two-factor authentication on your account, take these steps:

  1. Sign in to your Twilio account
  2. Click on Account Settings
  3. Under General Settings, select the frequency for the two-factor authentication protection.
  4. Save your settings

Once this feature is enabled, you will be asked to verify a code delivered to you via SMS, phone call, or the Authy app. Depending on the path you choose, the next step is illustrated below.

If receiving code via SMS:

If receiving code generated by the Authy app:

  1. Providing a correct verification code allows you to complete the process and enable two-factor security in your Twilio account.

That’s It.

Now when you log in to your Twilio account, you’ll need to provide a TOTP code every time (or, according to your settings, every 30 days) in addition to your username and password.

Security is serious business at Twilio as we do our best to protect physical, networking, and application components of the platform. Coupled with transparency about security practices and compliance best practices, Twilio Two-Factor Authentication gives you the confidence you need to run your business applications on top of our cloud communications platform.

Need more information? Talk to Sales about Twilio Two-Factor Authentication or the Authy 2FA app.