The Verify API is an evolution of the Authy API with continued support for SMS, voice, and email one-time passcodes, an improved developer experience and new features. The Authy API will be maintained for the time being, but new development will be on the Verify API.
Some of the exciting features of the Verify API include:
- Push authentication SDKs embeddable in your mobile app
- Programmable rate limits
- Improved visibility and insights
This article applies to the Authy API. The Authy app is not going away. We are committed to growing, developing, and supporting the Twilio Authy app as a consumer application and as a complement to our work on the Verify API.
This guide provides an introduction to the Verify API and a set of guidelines to migrate your application from Authy to Verify.
Verify Base API …
The username and password are dead! Well, not really. But considering the times we live in, it’s dangerous to rely on them alone. Computers are getting faster and better at guessing our passwords. And there are numerous databases containing stolen passwords roaming the web. Consequently, you also need to use Two-factor Authentication (2FA) in order to keep your account safe.
- A basic working understanding of PHP and Symfony
- PHP 7.4
- A Twilio account
- The Authy app
- The Symfony CLI
Let's get started
To get started, create a new Symfony project named 2-fa-demo, and switch to the newly created project’s directory using the commands below.
symfony new 2-fa-demo
cd 2-fa-demo
Next, you need to install …
As part of Twilio's account security offerings, the Twilio Verify API makes it simple to add user verification and Multi-Factor Authentication (MFA) to any user authentication flow. It supports One-Time Passcodes (OTP) sent via voice, SMS, and email. App-based push authentication was also recently added to the Verify service.
Auth0 is a popular Identity and Access Management (IAM) platform. If you are an Auth0 customer and want to use Twilio Verify for Multi-Factor Authentication (MFA), please read on.
This blog post will walk you through the steps of how to configure Auth0 to use Twilio Verify for MFA. It will use both Verify SMS channel and Voice channel to deliver OTPs so users can choose to receive the OTP via SMS or Voice.
What will you need?
The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) when a payer:
- Initiates an electronic payment over €30*
- Accesses their payment account online
- Does any other remote action "which may imply a risk of payment fraud or other abuses"
This applies to:
- Business and/or customers in the European Economic Area
- Online, card-not-present debit or credit card transactions
Originally the deadline was September 2019, but that's been extended until 31 December 2020 (the SCA deadline in the UK is now 14 September 2021).
There are three ways to use Twilio to implement SCA for transactions in your application:
- Verify SMS One-Time Passcodes (OTP)
- Push authentication
- Transactional TOTP
This post will give an overview of each method and provide resources to get started.
*exempted payments include:
- Low risk transactions (based on provider's fraud rates)
- Recurring payments (fixed or variable "merchant initiated")
- Over the phone payments
SCA requirements for card-not-present transactions
TOTP, or Time-based One-time Password, is a way to generate short-lived authentication tokens commonly used for two-factor authentication (2FA). The TOTP algorithm is defined in RFC 6238, which means the open standard can be implemented interoperably across many applications. You might be familiar with TOTP from apps like Authy or Google Authenticator, but there are a lot of other options, including Duo and Microsoft Authenticator.
Getting users to enable 2FA is half the battle of improving account security, so I recommend giving your customers flexibility over which authenticator app they use.
The Authy API (connected to, but different from, the Authy App) defaults to enrolling the user in the Authy App, but this post will show you how to use the API in a way that lets your customers use the authenticator app of their choice.
Did you know? TOTP is an …
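To make the "any authenticator app" point concrete, here is an added example (written for this page, not Twilio's or Authy's code) of the three pieces an RFC 6238 TOTP flow needs on the server side: generating a provisioning URI (the otpauth:// Key URI that Google Authenticator, Authy, Duo and Microsoft Authenticator all read from a QR code), computing codes, and verifying a submitted code with a small clock-drift window, a constant-time comparison, and replay protection. The issuer and account names are placeholders; the secret used in the test is the RFC 6238 reference secret, not a real key.

```python
"""
RFC 6238 TOTP (built on RFC 4226 HOTP) with a shared-secret provisioning URI.
Added example for this page; assumes only the Python standard library.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote, urlencode


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "sha1") -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algorithm)).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6,
         algorithm: str = "sha1", t0: int = 0) -> str:
    """RFC 6238 TOTP = HOTP with counter T = floor((timestamp - T0) / step)."""
    return hotp(secret, (timestamp - t0) // step, digits, algorithm)


def provisioning_uri(secret: bytes, account: str, issuer: str,
                     digits: int = 6, step: int = 30, algorithm: str = "SHA1") -> str:
    """Key URI for enrolment in any standards-compliant authenticator app.
    The secret is Base32 without padding, as the apps expect. Encode the result as a QR code."""
    label = quote(f"{issuer}:{account}")
    params = urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer,
        "algorithm": algorithm,
        "digits": digits,
        "period": step,
    })
    return f"otpauth://totp/{label}?{params}"


def verify_totp(secret: bytes, submitted: str, timestamp: int, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the accepted time-step counter, or None if the code is rejected.

    - Accepts the current step and +/- `window` neighbouring steps (clock drift).
    - Rejects any counter <= last_counter so a code cannot be replayed inside the window;
      the caller persists the returned counter per user.
    - Uses hmac.compare_digest so the comparison does not leak via timing.
    """
    if not (submitted.isdigit() and len(submitted) == digits):
        return None
    current = timestamp // step
    for delta in range(-window, window + 1):
        counter = current + delta
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def new_secret(length: int = 20) -> bytes:
    """Fresh per-user secret; 20 bytes (160 bits) matches HMAC-SHA1's output size."""
    return secrets.token_bytes(length)


if __name__ == "__main__":
    key = new_secret()
    # Placeholder issuer/account; the user scans this URI in the app of their choice.
    print(provisioning_uri(key, "alice@example.com", "ExampleCorp"))
    now = int(time.time())
    print("current code:", totp(key, now))
```

The server stores the raw secret and the last accepted counter per user; on login it calls verify_totp with the user's submitted digits and the current Unix time, and persists the returned counter on success. Apps that do not support the algorithm, digits or period parameters silently fall back to SHA-1, 6 digits and 30 seconds, which is why those defaults are the interoperable choice.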
Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy-to-guess passwords and for reused passwords that were breached on another site. The most security-conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?
A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.
This sentiment reflects something the security researcher Cormac Herley wrote about a decade …
As companies firm up their website authentication with increased security like two-factor authentication, attackers are flocking to less secure channels like call centers to impersonate their victims and gain access to their accounts. Account takeover (ATO) like this is growing at a staggering rate, up 72% in 2019 according to the 2020 Javelin Identity Fraud Study, "due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information". As businesses move more of their operations away from in-person stores in the wake of COVID-19, call center security is more important than ever.
While ATO is possible on your website, over half of financial services companies said call centers were the primary attack channel for ATO. That's because call center agents are susceptible to social engineering, a form of hacking that uses psychological manipulation to bypass security measures guarded by humans. …