Twilio's Authy API supports four independent channels: SMS, voice, soft token, and push authentication.
Using our API, you can easily target all four with forward-compatible implementations of two-factor authentication. Not all channels are created equal: each has its own strengths and weaknesses. We'll discuss all four here, but you should consult our authentication best practices document or talk to our team for help choosing what'll work best for your unique requirements.
The traditionally implemented second factor of authentication is via SMS. A huge benefit of the SMS channel is that it is clientless - that is, users don't need to install any application (or even pick up the phone) to receive a token. It's also the easiest for some users: people without smartphones won't have the ability to install an application to authenticate.
While the SMS channel is undeniably better than requiring just a user password, there are a number of exploits which we've seen in the wild that degrade the security of the channel. Here are a number of selected links and presentations about these exploits:
We're also dedicated to building additional security on top of our SMS and voice channels. In some regions, we won't allow our SMS messages to be received by carrier online portals. For major carriers, we send out tokens by shortcode with a parameter directing carriers to only deliver to a real handset.
Voice is Twilio's primary backup to SMS for non-smartphone authentication. While SMS delivery rates vary over the globe, Voice is prioritized on carrier networks and gives the greatest reliability. We highly recommend voice for SMS authentication fallback.
Unfortunately, voice is also vulnerable to many of the same kinds of exploits as the SMS channel. You can choose to challenge a user with a random keypad digit before reading them the token. This ensures there is a live user at the other end of the call and not a voicemail that can be intercepted.
Voice is a highly recommended fallback channel for two-factor authentication, and we've localized it for many languages. The voice channel supports dozens of languages out of the box.
For your users that can download an application for their mobile device or computer, a soft token solution is an excellent choice. Soft tokens are rotating passcodes seeded by an application - and as long as a device's time is synced, they will even work offline.
Soft tokens aren't vulnerable to the same exploits as other two-factor channels. However, they aren't perfect - soft tokens are vulnerable to phishing attacks, social exploits such as shoulder surfing, and brute force attacks on backup keys. These risks can be ameliorated to a degree - be sure to read through our two-factor implementation best practices for more.
Twilio's soft token solution has a number of compelling additional features. The free Authy app automatically counters clock drift and network time synchronization errors by opportunistically refreshing the clock whenever it has network access. To further ease implementation and reduce frustration, soft tokens are valid for +/- 3 minutes of nominal time. The same functionality can also be embedded into your own applications with our Authenticator SDK.
Implementing Twilio's solution for SMS, voice, and soft token requires minimal additional lines of code. And for users that lose a device, the Authy app offers additional backup options outside of one-time-use backup codes.
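The soft-token tolerance window described above, sketched as an added example (not Twilio's or Authy's code). It assumes RFC 6238 TOTP with HMAC-SHA1, a 30-second step and 6-digit codes, none of which this page specifies; `totp`, `valid_steps`, `verify` and `last_used` are hypothetical names.

```python
import hashlib
import hmac
import struct

STEP = 30        # assumption: RFC 6238 default time step in seconds
DIGITS = 6       # assumption: code length
TOLERANCE = 180  # the +/- 3 minutes of nominal time described above


def totp(secret: bytes, step: int, digits: int = DIGITS) -> str:
    """Code for one time step: RFC 4226 truncation of HMAC-SHA1."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def valid_steps(now: float) -> range:
    """Every time step whose code is acceptable at `now`."""
    current, span = int(now) // STEP, TOLERANCE // STEP
    return range(max(0, current - span), current + span + 1)


def verify(secret: bytes, code: str, now: float, last_used: int = -1):
    """Return the matched time step, or None if the code is rejected.

    `last_used` is the newest step already accepted for this user. Steps at
    or below it are refused, so a code that was observed once (phishing,
    shoulder surfing) cannot be replayed during the rest of the window.
    """
    matched = None
    for step in valid_steps(now):  # no early exit: check every candidate
        same = hmac.compare_digest(totp(secret, step).encode(), code.encode())
        if same and step > last_used:
            matched = step
    return matched


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: RFC 6238 test seed
    print(len(valid_steps(1_000_000)))          # codes valid at once
    print(verify(secret, totp(secret, 1), 59))  # step 1 accepted at t=59
```

Under these assumptions the window admits 13 codes at any moment, so the verifier should store the returned step as `last_used` and rate-limit failed attempts.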
Push authentications are the best authentication solution for user convenience and security. For users that can download an application for their desktop or computer, authentication can happen through a 'push notification' or message sent to that device, alerting the user that authentication is being requested for some login or action.
Unlike a soft token implementation, a push authentication happens through a separate notification channel which "auto-opens" the approval dialog. There is no need for the user to manually open an app and scroll to find your site - a platform-dependent banner or card appears, allowing users to accept or decline on the spot.
While push authentications may still be bypassed if a device is lost or stolen, they prevent some potential social attacks such as shoulder surfing. Twilio recommends push as our most secure authentication channel.