PSD2 Compliant Authorization: Verifying Sensitive Actions with Python, Flask and Authy
PSD2 & SCA
The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) for all transactions over €30 by September 2019. This post will show you how to implement a compliant solution for your application. For more detail on PSD2, SCA, and dynamic linking, check out this post.
How Twilio Can Help with Strong Customer Authentication in PSD2
This is the second of a three-part series of posts detailing PSD2: Strong Customer Authentication in the EU (SCA).
In the first part of this series, we looked into PSD2’s requirements for dynamic linking, and established that Two-Factor Authentication (2FA) can be used for Strong Customer Authentication (SCA). In this piece, we’ll look at the different types of 2FA you can use with Twilio’s Authy API and how it can help you meet dynamic linking requirements.
Authy is a fully featured authentication API that makes it simple to add 2FA or passwordless login to your applications. It supports One Time Passwords (OTP) sent via voice and SMS, Time-based One Time Passwords (TOTP) generated in the free Authy app or via an SDK, and push authentications via the same Authy app or SDK. This article covers both push authentication and OTP via SMS and voice. TOTP will be ...
Build Two-factor Authentication in Angular with Twilio Authy
User authentication is a crucial requirement for many Angular applications and simply logging in with user ID and password is increasingly inadequate security. Two-Factor Authentication (2FA) provides device-based security that is substantially more difficult to hack, but building your own 2FA system is a daunting challenge. Twilio Authy makes it easy to add 2FA to Angular apps.
This post will show you how to add Authy to your Angular project. You’ll also learn how to improve the user’s experience and your app’s security by using Angular Universal to implement the login process.
In this post we will:
- Create a basic Angular application with a login page
- Set up an authorization guard service and an authorization service
- Add server-side rendering with Angular Universal
- Set up server-side authentication
- Implement two-factor authentication with Twilio Authy
Prerequisites to build with Angular and Authy
To accomplish the tasks in this post you ...
Understanding Dynamic Linking in PSD2
This is the first of a series of posts detailing the EU’s PSD2 Strong Customer Authentication (SCA).
Riding on the convenience of same-day delivery and 1-click payments, online purchases are conquering the consumer marketplace. But they face a serious new challenge starting in September 2019, when any card-not-present transaction over 30 Euros will see an increased amount of friction by requiring payer authentication.
The European Banking Authority has issued rules and regulations in the form of the Payment Services Directive 2 (PSD2), a policy that regulates all payment service providers completing a payment in EU member states and applies to businesses around the world. The main goal of PSD2 is to open the payment ecosystem, allowing for new technologies that aim to simplify online payments or transfers. However, another aspect of the policy is to address concerns about rising costs of fraud for online financial transactions by mandating strong ...
Alphanumeric Sender IDs For Improved Authentication and User Verification Security
When using SMS to verify a phone number or for two-factor authentication, it’s essential that the message successfully gets to the intended user, without delay, in order to maximize conversion. However, there are a lot of variables in ensuring reliable and fast delivery of messages globally. Some routes are faster than others, while certain destinations only allow messages from specific kinds of numbers, and carriers will often filter repeated messages, thinking they’re spam.
Because configuring efficient and reliable SMS delivery can be complex, and will likely require constant maintenance, Twilio offers two pre-built APIs, Verify and Authy, which spare developers the hassle of trying to make sure your verification and authentication SMS messages get to their intended recipients quickly and consistently.
As part of our ongoing improvements to these APIs, we are announcing the introduction of AUTHMSG, an Alphanumeric Sender ID, for use in 79 countries, which will ...
What is Public Key Cryptography?
From TLS to authentication, “crypto” is used for a lot more than just currencies. In 2018, security should be part of every developer's toolkit and cryptography a fundamental building block for the libraries and tools we use to protect our data and applications. This post will dive into modern cryptography, an overview of how it works, and its everyday use cases — including how Twilio uses public-key crypto in our Authy application and to secure our API.
Let's start with some context and history.
Meet Alice and Bob
Alice and Bob have a history of illicit dealings. We're not really sure what they're up to, but they don't want us, or the ever-curious Eve, to know. Before the internet, Alice and Bob could pass secret messages by encrypting text with an agreed upon cipher. Maybe that was through letter substitution or shifting or other sophisticated methods. They agreed on the method ...
New webhooks and reporting for Twilio Authy (2FA) and Verify (phone verification) APIs
We’ve recently updated Twilio’s market-leading set of APIs for account security with reporting and event notification capabilities to give you real-time, detailed data about user verifications, authentications and other important account security events.
Protecting your customer accounts requires constant monitoring of your sign-up, authentication, and recovery processes to look for trends and areas for improvement. The ways in which users interact with your application also need constant review to deliver the most secure yet friction free experience.
Using webhooks for real-time notifications, and running reports against our API will give you valuable insight into your account security workflows. This article will go over two API updates:
Knowing when something happens, as it happens
Let’s start with the webhooks API. There are a range of API interactions that will trigger a webhook event. For example when someone finishes installing the Authy ...
Build Simple SMS Phone Verification with Twilio Verify and Python
Security is at the top of everyone’s mind and phone verification is a super simple way to secure your application. Confidence in your users’ phone numbers decreases fraud and increases reliability of notifications. Let’s take a look at how to verify phone numbers using Python, Flask, and the Twilio Verify API.
What you’ll need
To code along with this post, you’ll need:
- A Twilio account
- A Verify App, which you can create in the Twilio console
- Python (I’m using Python 3.6.4, but this will work with Python 2.x too)
- Pip for installing dependencies
Navigate to the Twilio Console and grab your Authy App API Key (found under Settings).
In a new project folder (I named mine phone_verification), create a config file called config.py and add your API Key like so:
AUTHY_API_KEY = 'asdf........................'
requirements.txt file. This ...
Google Authenticator app support now available in Authy API
Twilio’s market-leading two-factor authentication API, Authy, has added support for Google Authenticator and other TOTP-standard apps. This new API update gives customers of our API the ability to accept tokens generated from Authy or any other TOTP-compliant application. The enhancement increases the broad scope of options the API currently gives to your end users and allows your developers to continue to rely on the Twilio 2FA API, reducing the effort to implement and maintain your 2FA solution.
When a user account is protected with 2FA, the most common method is the entry of a one time passcode (OTP) after they’ve first provided a valid username and password. The user gets the OTP either via SMS, a voice call, or (the most secure option) from a mobile or desktop app. When an app is involved, the passcode is generated using time as a reference, and therefore the method ...
Authy API Configuration has moved to the Twilio Console
Effective immediately, developers looking for the configuration and settings for the Authy API will find them within two new sections of the Twilio Console at twilio.com/console. Our Two-factor Authentication API (Authy) and our Phone Verification API (Verify) can be found in the “Authy” and “Verify” sections of the Twilio Console respectively.
Since Twilio acquired Authy back in 2015, the Authy API has been carefully and deeply integrated to take advantage of Twilio’s systems, scale, and expertise. This has improved the deliverability of 2FA and Phone Verification messages and voice calls, and hardened the reliability of our API infrastructure. Leveraging the Twilio Console as a central place for our customers to manage their account security products is another improvement we’re making in the quality of our offerings. With this change, you can get access to the following new features within the Twilio Console.
- Improved Authy user (authy_id ...