Choosing an Account Security Implementation

Protecting your own application, user accounts and high-value transactions is an absolutely necessary consideration on the modern web. Twilio has you covered - we have two mature APIs, Verify and Authy, which allow you to implement phone verification, two-factor authentication (2FA), passwordless login and in-application authorizations.

Here we'll help clarify the differences, and help you decide where to implement each one or to build something custom.

Quick Account Security Selection Guide

If you've got one of these security questions, we'll help you get where you need quickly.

  • Are you looking to verify a user's phone during new account registration?
    For temporary or one-time user relationships, Twilio Verify is best used as a high-confidence check that a new user has the phone they claim to have in their possession.

  • Are you planning to regularly validate that a user is who they say they are? 
    For continuing relationships with customers, Twilio Authy is the best option. It is commonly employed to protect user logins and for in-application authorizations.

  • Would you like multiple forms of authentication factors or an SMS-only solution?
    The Twilio Authy API supports mobile and desktop authenticator apps with the Authy app or our SDK, allowing you to add higher security channels such as soft tokens (Time-based One-Time Passwords, TOTP) and push authentications. The Twilio Verify API only supports voice and SMS One-Time Passwords (OTP). Verify and Authy both come preconfigured for global usage including phone numbers, alphanumeric IDs, and short codes where applicable. If you choose to roll your own authentication with Programmable SMS you'll have to manage the complexity and scalability yourself.

  • Are your users all located in a few similar countries or are they dispersed worldwide? 
    For many countries with disparate messaging requirements and routing setups, you should use Twilio Verify or Twilio Authy. Twilio will maintain the required short and long codes, alphanumerics, carrier relationships, and capacity monitoring to minimize the complexity on your side. Twilio has also localized Verify and Authy SMS and voice messages for several dozen languages.

    For applications serving only one to a few countries, you can build a custom implementation with Programmable SMS and Programmable Voice. However, even in limited geographies you will need to purchase, configure and manage multiple phone numbers and will likely need to buy and set up a short code.

  • Are you looking for the easiest to integrate solution or are you looking to build custom? 
    The Twilio Authy and Twilio Verify APIs are very easy to implement, either using our extensively documented APIs or through our helper libraries. Twilio will automatically handle the localization support and locale-specific requirements (as discussed above) to maintain high message deliverability per country.

    If you are prepared to develop, monitor, and support all aspects of SMS and voice verification and authentication, our Programmable Voice API and Programmable SMS API allow you to build your own fully customizable solution from the ground up. 

  • Do you need additional guidance to decide?
    Get in touch with Sales; we have technical architects ready to talk through your unique needs and suggest possible solutions.

Phone Verification

Phone Verification is a very high-confidence check that a user has a device in his or her possession. Using either the Voice or SMS channel, Twilio Verify will generate and deliver a One-Time Password (OTP) to the new user. You'll prompt the user for the generated password, then validate it with Twilio Verify.

This account verification is best used for a single-time verification, as there is no associated user ID or transaction history. Most commonly, we see applications employ Phone Verification for user registration and occasional one-time events such as app downloads or infrequent transactions.

Requiring a phone number for sign-up can reduce fraud and registration spam, and also prevents malicious users from registering an account using someone else's phone number.

Two-factor Authentication

Two-factor Authentication adds a second factor of authentication to your application, with instant support for voice and SMS channels as well as authentication with the Authy app and Authenticator SDK. With the Authy app or the SDK, your users can use soft tokens (TOTP) or receive your push authentication requests, while all users can receive SMS and voice requests.

Twilio's Authy is best used in an ongoing relationship with your users. You choose when to authenticate a user: perhaps you'll authorize log-ins, approve password and account changes, protect high-risk events, or confirm valuable transactions to keep your users safe and reduce fraud.

Combining our Authy API with the Authy app or Authenticator SDK and using push authentication is very secure and convenient for your users. When using push authentication, the mobile app will open directly to the requesting service and present 'Approve' and 'Deny' options. With push, authentication with your app will be intuitive and frictionless for your users.

Custom Two-factor Authentication over Voice or SMS

Still don't see the exact implementation you need? Twilio's Programmable Voice and Programmable SMS are viable options to roll your own security solution.

Take advantage of our high delivery rates, extensive international support, and many options to build the exact authentication system you require for your site.

Still Need Help With Account Security Options?

Not to worry - talk to Twilio Sales and we can help you pick the right assortment of account security products and services you'll need for your application's security implementation.
