How to use Authy for Offline, Transaction Specific, PSD2 Compliant Authentication
One of the best features about using Soft Tokens or Time-based One Time Passwords (TOTP) for authentication is that they are available offline. The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) for all transactions over €30 by September 2019. Part of the regulation requires that SCA ties transaction-specific information to the authentication, called Dynamic Linking.
This post will show you how to use a new feature of the Authy API and application to implement a compliant offline solution for your application. For more detail on PSD2, SCA, and dynamic linking, check out this post. You can also build SCA with push authorization or SMS, which we show in this blog post.
To code along with this post, you’ll need:
- A Twilio account
- An Authy Application which you can create in the Twilio console. I named mine "Example Transactional TOTP"
- A recent version of ...
New Authy API Features for PSD2-compliant authentication
From 14th September 2019, millions of European consumers will experience a change in the way they complete online payments. A new European banking law, PSD2, will mandate a stronger form of two-factor authentication (2FA) for all online and over-the-phone payments. This extra layer of friction will impact conversion and sales for online businesses.
Twilio has been hard at work to help businesses navigate this massive change and minimize impact. We’ve updated both the Authy API and our free Authy app to help you meet all the requirements of Strong Customer Authentication (SCA) and be PSD2-compliant.
PSD2 introduces authentication requirements that go above and beyond typical 2FA:
- Each authentication code must be specific to the transaction amount and recipient, and
- Both the payment amount and recipient must be made clear to the payer when authenticating.
The Authy API has several methods for completing authentications. Push authentication meets ...
Building Expedited Two-Factor Authentication into Angular Apps with Authy
Two-Factor Authentication (2FA) provides web applications with an important additional layer of security, but 2FA requires the user to perform an additional action each time they log in. This extra step can be wearying for users who sign into an application frequently. Is it possible to maintain the security provided by a second factor while making an application convenient for repeat visitors? It is with Angular, Node.js, and Twilio Authy.
Implementing a “remember me” checkbox on the login page is a convenient way for a user to indicate they are going to be a repeat visitor. Behind the scenes, an encrypted security cookie is a convenient mechanism for identifying a user who has previously checked the “remember me” box and logged in successfully from a specific machine.
What I Learned About Security from Calling 35 Contact Centers
Web applications often have secure login systems—maybe even 2FA—but what happens when a customer calls the customer support phone number? Security teams and app developers have thought a lot about online authentication, but haven't applied the same rigor to designing systems for authenticating over the phone.
At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This post will take a look at that research and outline best practices to use in call centers.
To test the over-the-phone authentication, I made a list of companies where:
- I have an existing account
- There is personal info tied to ...
PSD2 Compliant Authorization: Verifying Sensitive Actions with Python, Flask and Authy
PSD2 & SCA
The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) for all transactions over €30 by September 2019. This post will show you how to implement a compliant solution for your application. For more detail on PSD2, SCA, and dynamic linking, check out this post.
How Twilio Can Help with Strong Customer Authentication in PSD2
This is the second of a three-part series of posts detailing PSD2: Strong Customer Authentication (SCA) in the EU.
In the first part of this series, we looked into PSD2’s requirements for dynamic linking, and established that Two-Factor Authentication (2FA) can be used for Strong Customer Authentication (SCA). In this piece, we’ll look at the different types of 2FA you can use with Twilio’s Authy API and how it can help you meet dynamic linking requirements.
Authy is a fully featured authentication API that makes it simple to add 2FA or passwordless login to your applications. It supports One Time Passwords (OTP) sent via voice and SMS, Time-based One Time Passwords (TOTP) generated in the free Authy app or via an SDK, and push authentications via the same Authy app or SDK. This article covers both push authentication and OTP via SMS and voice. TOTP will be ...
Build Two-factor Authentication in Angular with Twilio Authy
User authentication is a crucial requirement for many Angular applications, and simply logging in with a user ID and password provides increasingly inadequate security. Two-Factor Authentication (2FA) provides device-based security that is substantially more difficult to hack, but building your own 2FA system is a daunting challenge. Twilio Authy makes it easy to add 2FA to Angular apps.
This post will show you how to add Authy to your Angular project. You’ll also learn how to improve the user’s experience and your app’s security by using Angular Universal to implement the login process.
In this post we will:
- Create a basic Angular application with a login page
- Set up an authorization guard service and an authorization service
- Add server-side rendering with Angular Universal
- Set up server-side authentication
- Implement two-factor authentication with Twilio Authy
Prerequisites to build with Angular and Authy
To accomplish the tasks in this post you ...
Understanding Dynamic Linking in PSD2
This is the first of a series of posts detailing the EU’s PSD2 Strong Customer Authentication (SCA).
Riding on the convenience of same-day delivery and 1-click payments, online purchases are conquering the consumer marketplace. But they face a serious new challenge starting in September 2019, when any card-not-present transaction over 30 Euros will see an increased amount of friction by requiring payer authentication.
The European Banking Authority has issued rules and regulations in the form of the Payment Services Directive 2 (PSD2), a policy that regulates all payment service providers completing a payment in EU member states and applies to businesses around the world. The main goal of PSD2 is to open the payment ecosystem, allowing for new technologies that aim to simplify online payments or transfers. However, another aspect of the policy is to address concerns about rising costs of fraud for online financial transactions by mandating strong ...
Alphanumeric Sender IDs For Improved Authentication and User Verification Security
When using SMS to verify a phone number or for two-factor authentication, it’s essential that the message successfully gets to the intended user, without delay, in order to maximize conversion. However, there are a lot of variables in ensuring reliable and fast delivery of messages globally. Some routes are faster than others, while certain destinations only allow messages from specific kinds of numbers, and carriers will often filter repeated messages, thinking they’re spam.
Because configuring efficient and reliable SMS delivery can be complex, and will likely require constant maintenance, Twilio offers two pre-built APIs, Verify and Authy, which spare developers the hassle of trying to make sure their verification and authentication SMS messages get to their intended recipients quickly and consistently.
As part of our ongoing improvements to these APIs, we are announcing the introduction of AUTHMSG, an Alphanumeric Sender ID, for use in 79 countries, which will ...
What is Public Key Cryptography?
From TLS to authentication, “crypto” is used for a lot more than just currencies. In 2018, security should be part of every developer's toolkit and cryptography a fundamental building block for the libraries and tools we use to protect our data and applications. This post will dive into modern cryptography, an overview of how it works, and its everyday use cases — including how Twilio uses public-key crypto in our Authy application and to secure our API.
Let's start with some context and history.
Meet Alice and Bob
Alice and Bob have a history of illicit dealings. We're not really sure what they're up to, but they don't want us, or the ever-curious Eve, to know. Before the internet, Alice and Bob could pass secret messages by encrypting text with an agreed-upon cipher. Maybe that was through letter substitution or shifting or other sophisticated methods. They agreed on the method ...