Level up your Twilio API skills in TwilioQuest, an educational game for Mac, Windows, and Linux. Download Now
Build the future of communications.
Start building for free

Authy posts

  • By Kelley Robinson
    How to incentivize users to enable 2FA 2fa incentives header

    Offering two-factor authentication (2FA) doesn't help secure your customers if they don't opt in to the feature. 2FA helps protect users if the first factor, usually a password, is compromised. Compromise is common for easy to guess passwords and for reused passwords that are breached on another site. The most security conscious users may already have strong, unique passwords and may not need to be convinced to enable 2FA, so how do you convince the most vulnerable users to turn on additional security features?

    A 2019 study on 2FA usability found that only 29% of people thought the inconvenience of 2FA was always worth the security tradeoff. "I just don’t think I have anything that people would want to take from me, so I think that’s why I haven’t been very worried about it," one participant noted.

    This sentiment reflects something the security researcher Cormac Herley wrote about a decade …

    Read More
  • By Kelley Robinson
    Best practices to secure inbound calls to your contact center Best practices to secure your contact center header

    As companies firm up their website authentication with increased security like two-factor authentication, attackers are flocking to less secure channels like call centers to impersonate their victims and gain access to their accounts. Account takeover (ATO) like this is growing at a staggering rate, up 72% in 2019 according to the 2020 Javelin Identity Fraud Study, "due in large part to technological advancements that have made it easier for criminals to manipulate and socially engineer information". As businesses move more of their operations away from in-person stores in the wake of COVID-19, call center security is more important than ever.

    While ATO is possible on your website, over half of financial services companies said call centers were the primary attack channel for ATO. That's because call center agents are fallible to social engineering, a form of hacking that uses psychological manipulation to bypass security measures guarded by humans. …

    Read More
  • By Chris Hranj
    Two-Factor Authentication with Authy, Crystal, and Amber Two-Factor Authentication with Authy, Crystal and Amber.png

    Crystal is a powerful up-and-coming language which boasts a Ruby-like syntax but with the speed of C. You may have seen a few Crystal posts on the Twilio blog before written by Twilio’s own Phil Nash.

    crystal logo

    This blog post will cover how to secure a Crystal web application by adding two-factor authentication (2FA) using Authy. The finished source code can be found on GitHub.

    Crystal is a newer language which is evolving quickly, so it's important to note that the code in this post is on Crystal version 0.34.0 and Amber version 0.34.0.

    Setting Up

    The first step before diving into this post is to install/understand a few things:

    • Crystal
    • Amber Framework - Several Crystal web frameworks are starting to pop up. This post will focus on Amber. Amber’s goal is to make building Crystal web applications fast, simple, and enjoyable.
    • PostgreSQL - Amber supports Postgres, MySQL, …
    Read More
  • By Kelley Robinson
    Is email based 2FA a good idea? email blog header

    Like everything in security, whether or not it’s safe to use email as a delivery channel for two-factor authentication (2FA) will depend on who your users are and what you're trying to protect.

    That said, email based 2FA is usually going to protect your users more than it is going to hurt them, especially if it's offered as an option alongside more secure channels like TOTP. Much like SMS based 2FA, which can protect 96% of bulk phishing attacks and 76% of targeted attacks, any 2FA is going to be better than no 2FA at all.

    A quick note: email verification vs. 2FA

    This post addresses the tradeoffs of ongoing login verification using email two-factor authentication. Verifying a user's email address the first time they provide it is a best practice to reduce fraud, ensure deliverability, and maintain a good sending reputation.

    Chase bank offers SMS and email based 2FA

    Services like Chase bank offer email …

    Read More
  • By Brian Iyoha
    Sending One-time Passwords in WhatsApp using PHP, Laravel, and the Twilio API for WhatsApp Send One Time Passwords using Twilio API for WhatsApp

    WhatsApp is often contested as the world’s most popular messaging app, allowing its users to communicate securely and in real-time. As a business owner, you can build upon the speed and security provided by WhatsApp to engage with your customers, send alerts and notifications, provide customer support, or even send One-Time Passwords (OTPs) to your customers.

    In this tutorial, you will learn how to send WhatsApp notifications to your users by sending out one-time passwords (OTP) via WhatsApp using the Twilio API for WhatsApp during registration.


    To follow through with this tutorial, you will need the following:

    Project Setup

    This tutorial will make use of Laravel, so the first step is to generate a new Laravel application. Using the Laravel Installer, generate a new Laravel project by running the …

    Read More
  • By Miguel Grinberg
    Push Two-Factor Authentication in Python with Twilio Authy Push Two-Factor Authentication in Python with Twilio Authy

    Two-Factor Authentication (2FA) is one of the most effective ways to increase the security of online accounts and consequently reduce online identity theft. The 2FA implementation used by most applications is based on the Time-based One-Time Password algorithm, which requires users to read a numeric code from a hardware token generator or smartphone app and enter it on an application’s website to confirm their login attempts.

    Unfortunately, many users find this extra login procedure tedious and inconvenient. There have been efforts to simplify the 2FA flow with the goal of increasing adoption.

    A new method that is gaining popularity is Push Authentication, where instead of expecting a numeric code, the application server sends a push notification to the user’s smartphone. The only action for the user is to tap a button in this notification to confirm that the login attempt is legitimate.

    In this article, I will go …

    Read More
  • By Brian Iyoha
    Securing a Laravel PHP Application with 2FA using Twilio Authy Securing a Laravel PHP Application with 2FA using Twilio Authy

    In this tutorial, you will learn how to secure your Laravel application with Two-factor authentication using Twilio Authy.


    Completing this tutorial will require the following:

    Getting Started

    Create a new Laravel project using the Laravel Installer. If you don’t have it installed or prefer to use Composer, you can check out how to do so from the Laravel documentation. Run the following command in your terminal to generate a fresh Laravel project:

    $ laravel new twilio-authy

    Next, you will need to set up a database for the application. For this tutorial, we will make use of MySQL database. If you make use of a database administrator like phpMyAdmin for managing your databases then go ahead and create a database named twilio-authy and skip this section. If not, install MySQL from …

    Read More
  • By Nabeel Saeed
    Staying Safe on CyberMonday authy-blog-image

    Online shopping doesn’t wait for Cyber Monday. Walmart started dropping prices on October 25th, a full month before Black Friday — the day after Thanksgiving — and consumers were ready for them: 45% of respondents in a recent survey said they already made plans to start holiday shopping before November. In fact, 54% of those surveyed said they intend to shop online during the five days between Black Friday and Cyber Monday.

    The popularity of Cyber Monday, combined with the availability of public Wifi and the simplicity of one-touch mobile transactions, gives cybercriminals and hackers with bad intentions a perfect opportunity to take advantage of unsuspecting consumers. As with every year, there are sure to be plenty of bogus websites and phony emails intent on separating you from your money — or worse — your identity. So, if you’re planning on post-Thanksgiving shopping from your laptop or mobile device …

    Read More
  • By Nabeel Saeed
    Authy trust-chain for added devices Authy-Header.png


    Lately, we've seen a number of news items concerning SIM swapping. That's where hackers take advantage of limitations in mobile devices and SMS-based communications to commit identity theft or account takeovers. There have even been some questions about whether authenticator apps that don't rely on SMS for token delivery are also susceptible. Or whether or not a SIM swap would enable a hacker to assume control of a phone number and install an authentication app to gain access to an already-protected online account.

    Twilio is now providing tools to help our authentication customers address this  issue. Working together, the Authy authentication API and the free Authy 2FA app create a chain of trust that allows Twilio/Authy customers to determine which end-user apps to trust for authentication. They record uniquely identifiable numbers assigned to every installed app, as well as the sequence of app installs and the methods of installation. Through …

    Read More
  • By David Lowes
    Building Blocks for a Modern and Conversational IVR modern_ivr.png

    Many IVRs expect too much from customers - they lack customizability and require your customers to patiently learn how to use the IVR. What if you could replace this with a natural conversational IVR? What if you could add security and personalized customer data and deploy this using multiple channels? 

    Well, you can! In this two-part blog post, we’re going to use Twilio APIs as “building blocks” to build an IVR for our pseudo-business, Signal Hardware. Here is the stack:


    Layer 1 - Studio and Autopilot

    In the first Layer of our IVR we’re using Twilio Studio and Autopilot to give us structure, flexibility and control of our workflow.

    Studio is a virtual application builder. It allows you to rapidly create communication flows using pre-built widgets. Autopilot is our Natural Language Processing and Machine Learning platform. Where Studio creates our structure inside of a UI, Autopilot allows us to have …

    Read More
  • Newer
    Sign up and start building
    Not ready yet? Talk to an expert.