
Authy posts

  • By Joseph Udonsak
    Implement Two-Factor Authentication With Symfony and Twilio's Authy App and API

    The username and password are dead! Well, not really. But considering the times we live in, it’s dangerous to rely on them alone. Computers are getting faster and better at guessing our passwords. And there are numerous databases containing stolen passwords roaming the web. Consequently, you also need to use Two-factor Authentication (2FA) in order to keep your account safe.

    In this article, I will show you how to implement Two-factor authentication in a Symfony application using the Authy app to add an extra level of authentication to the traditional login form.


    Let's get started

    To get started, create a new Symfony project, named 2-fa-demo, and switch to the newly created project’s directory using the commands below.

    symfony new 2-fa-demo
    cd 2-fa-demo

    Next, you need to install …

  • By Mingchao Ma
    How to configure Auth0 MFA using Twilio Verify

    As part of Twilio's account security offerings, the Twilio Verify API makes it simple to add user verification and Multiple Factor Authentication (MFA) to any user authentication flow. It supports One Time Passcodes (OTP) sent via voice, SMS, and email. App-based push authentication was also recently added to the Verify service.

    Auth0 is a popular Identity Access Management (IAM) platform. If you are an Auth0 customer and want to use Twilio Verify for Multiple Factor Authentication (MFA), please read on.

    This blog post will walk you through the steps to configure Auth0 to use Twilio Verify for MFA. It will use both the Verify SMS channel and the Voice channel to deliver OTPs, so users can choose to receive the OTP via SMS or Voice.

    What will you need?

  • By Kelley Robinson
    3 ways to implement PSD2's strong customer authentication (SCA) requirement

    The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) when a payer:

    • Initiates an electronic payment over €30*
    • Accesses their payment account online
    • Does any other remote action "which may imply a risk of payment fraud or other abuses"

    This applies to:

    • Business and/or customers in the European Economic Area
    • Online/debit or credit card-not-present transactions

    Originally the deadline was September 2019, but that's been extended until 31 December 2020 (the SCA deadline in the UK is now 14 September 2021).

    There are three ways to use Twilio to implement SCA for transactions in your application:

    1. Verify SMS One-Time Passcodes (OTP)
    2. Push authentication
    3. Transactional TOTP

    This post will give an overview of each method and provide resources to get started.

    *exempted payments include:

    • Low risk transactions (based on provider's fraud rates)
    • Recurring payments (fixed or variable "merchant initiated")
    • Over the phone payments

    SCA requirements for card-not-present transactions

    SCA …

  • By Kelley Robinson
    How to use the Authy API with Google Authenticator (or any compatible authenticator app)

    TOTP, or Time-based One-time Passwords, is a way to generate short lived authentication tokens commonly used for two-factor authentication (2FA). The algorithm for TOTP is defined in RFC 6238, which means that the open standard can be implemented in a compatible way in multiple applications. You might be familiar with TOTP from apps like Authy or Google Authenticator, but there are a lot of other options including Duo and Microsoft Authenticator.

    Getting users to enable 2FA is half the battle of improving account security, so I recommend giving your customers flexibility over which authenticator app they use.

    The Authy API (connected to, but different than the Authy App) defaults to enrolling the user in the Authy App but this post will show you how to use the API in a way that lets your customers use the authenticator app of their choice.

    Did you know? TOTP is an …

  • By Kelley Robinson
    How to incentivize users to enable 2FA

    Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy to guess passwords and for reused passwords that are breached on another site. The most security conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?

    A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.

    This sentiment reflects something the security researcher Cormac Herley wrote about a decade …

  • By Kelley Robinson
    Best practices to secure inbound calls to your contact center

    As companies firm up their website authentication with increased security like two-factor authentication, attackers are flocking to less secure channels like call centers to impersonate their victims and gain access to their accounts. Account takeover (ATO) like this is growing at a staggering rate, up 72% in 2019 according to the 2020 Javelin Identity Fraud Study, "due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information". As businesses move more of their operations away from in-person stores in the wake of COVID-19, call center security is more important than ever.

    While ATO is possible on your website, over half of financial services companies said call centers were the primary attack channel for ATO. That's because call center agents are fallible to social engineering, a form of hacking that uses psychological manipulation to bypass security measures guarded by humans. …

  • By Chris Hranj
    Two-Factor Authentication with Authy, Crystal, and Amber

    Crystal is a powerful up-and-coming language which boasts a Ruby-like syntax but with the speed of C. You may have seen a few Crystal posts on the Twilio blog before written by Twilio’s own Phil Nash.

    This blog post will cover how to secure a Crystal web application by adding two-factor authentication (2FA) using Authy. The finished source code can be found on GitHub.

    Crystal is a newer language which is evolving quickly, so it's important to note that the code in this post is on Crystal version 0.34.0 and Amber version 0.34.0.

    Setting Up

    The first step before diving into this post is to install/understand a few things:

    • Crystal
    • Amber Framework - Several Crystal web frameworks are starting to pop up. This post will focus on Amber. Amber’s goal is to make building Crystal web applications fast, simple, and enjoyable.
    • PostgreSQL - Amber supports Postgres, MySQL, …
  • By Kelley Robinson
    Is email based 2FA a good idea?

    Like everything in security, whether or not it’s safe to use email as a delivery channel for two-factor authentication (2FA) will depend on who your users are and what you're trying to protect.

    That said, email based 2FA is usually going to protect your users more than it is going to hurt them, especially if it's offered as an option alongside more secure channels like TOTP. Much like SMS based 2FA, which can protect 96% of bulk phishing attacks and 76% of targeted attacks, any 2FA is going to be better than no 2FA at all.

    A quick note: email verification vs. 2FA

    This post addresses the tradeoffs of ongoing login verification using email two-factor authentication. Verifying a user's email address the first time they provide it is a best practice to reduce fraud, ensure deliverability, and maintain a good sending reputation.

    Chase bank offers SMS and email based 2FA

    Services like Chase bank offer email …

  • By Brian Iyoha
    Sending One-time Passwords in WhatsApp using PHP, Laravel, and the Twilio API for WhatsApp

    WhatsApp is often contested as the world’s most popular messaging app, allowing its users to communicate securely and in real-time. As a business owner, you can build upon the speed and security provided by WhatsApp to engage with your customers, send alerts and notifications, provide customer support, or even send One-Time Passwords (OTPs) to your customers.

    In this tutorial, you will learn how to send WhatsApp notifications to your users by sending out one-time passwords (OTP) via WhatsApp using the Twilio API for WhatsApp during registration.


    To follow through with this tutorial, you will need the following:

    Project Setup

    This tutorial will make use of Laravel, so the first step is to generate a new Laravel application. Using the Laravel Installer, generate a new Laravel project by running the …

  • By Mingchao Ma
    Integrate Twilio Verify Service with RSA SecurID

    Many organisations in the banking sector are still using RSA SecurID with hardware tokens for multi-factor authentication (MFA). However, employees might forget their hardware token and thus won't be able to log in. This leads to high support costs, poor user experience and reduced productivity. This is the exact challenge that one of our customers in banking is trying to address. So we worked together to explore how Twilio Verify Service can be leveraged as an alternative MFA. This will allow their employees to log in to their protected systems by using a One-Time Password (OTP) delivered to the employee's mobile phone.

    This blog post will walk you through the steps of how to integrate Twilio Verify service with RSA SecurID. RSA has also published the integration guide and step-by-step instructions on the RSA website.

    How does Twilio Verify work with RSA SecurID?

    We use Twilio Functions as a proxy between RSA Authentication …
