Two Factor Authentication (2FA)


Two factor authentication (commonly abbreviated 2FA) adds an extra layer of security to your user’s account login by requiring two forms of authentication: something your user knows and something they have.

Examples of Two Factor Authentication

Two factor authentication is nothing new. When you use your credit card and are prompted for your billing zip code, that’s 2FA in action. Knowledge factors like your zip code may also be passwords or a personal identification number (PIN). Possession factors like your credit card include (but are not limited to) a physical key, a fob, or a personal cell phone. Two factor authentication for web applications similarly requires something your user knows (their password) and something they have (their personal mobile phone).

How Does Two Factor Authentication Keep Your Users Secure?

The classic authentication approach for web applications requires a user to enter a username and password. However, password reuse, poorly protected stored passwords, social engineering, and breached databases leave even a strong password vulnerable. By requiring users to present a second factor in their authentication flow, an account whose password has been compromised remains protected.

Mobile phone 2FA has become the industry standard, as most people carry their mobile phones at all times. It’s a user-friendly flow: the passcodes are generated dynamically, so each one is only usable once and for a short time, and users can receive them through SMS or a dedicated app, such as Twilio’s Authy.

How Does Two Factor Authentication Work?

Log a user in with two factor authentication

When a user signs up or logs in to your application, a numeric code is sent to their mobile device via SMS or produced by an authenticator app. Two benefits of using an authenticator app are that it provides a constantly rotating set of codes your users can use whenever needed, and that it does not require a cellular or internet connection. Only after the user enters the correct numeric code in your application’s login flow are they authenticated.

Adding Two Factor Authentication to Your Application

2FA SMS with Authy

There are a wide variety of ways to add two factor authentication to your application. TOTP (Time-based One-Time Password) verification tokens may be delivered to your user’s device via SMS or voice call, or generated locally by an authenticator app. By using Twilio and the Authy API, this implementation is greatly simplified and can boil down to just a few lines of code.
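The following is an added example, not code from the page or from Twilio or Authy, showing what a TOTP-based second factor does underneath an API like the one described above: the code an authenticator app computes from a shared secret and the current time (RFC 6238 on top of RFC 4226 HOTP), and the server-side check with a one-step clock-drift window, a replay guard so a code is accepted once, and a cap on wrong guesses, since a six-digit code is small enough to brute-force without one. It uses only the Python standard library; the step size, window and attempt limit are assumed values, and the `TotpVerifier` class is a hypothetical stand-in for whatever per-user state your application keeps.

```python
"""Added example: RFC 6238 TOTP generation and verification.

Not Twilio's or Authy's code. Standard library only; STEP, WINDOW and
MAX_ATTEMPTS are assumed values chosen for illustration.
"""
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30          # seconds per time step (the common default)
DIGITS = 6         # length of the numeric code shown to the user
WINDOW = 1         # accept one step before/after "now" to absorb clock drift
MAX_ATTEMPTS = 5   # refuse further checks after this many wrong codes


def generate_secret(nbytes: int = 20) -> str:
    """Return a fresh base32 secret (160 bits, the RFC 4226 recommendation).

    The server stores this per user and shows it once (e.g. as a QR code) so
    the authenticator app can compute the same codes.
    """
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at: Optional[int] = None, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).

    This is the value an authenticator app displays; it needs no network,
    only the shared secret and a reasonably accurate clock.
    """
    now = int(time.time()) if at is None else at
    return hotp(secret_b32, now // step)


class TotpVerifier:
    """Hypothetical per-user server state: shared secret, failed-attempt
    counter and the last time step whose code was accepted."""

    def __init__(self, secret_b32: str):
        self.secret = secret_b32
        self.failed_attempts = 0
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        """Return True if `submitted` is a valid, unused code near `at`."""
        if self.failed_attempts >= MAX_ATTEMPTS:
            return False                          # locked; reset out of band
        now = int(time.time()) if at is None else at
        current = now // STEP
        for delta in range(-WINDOW, WINDOW + 1):
            step = current + delta
            if step <= self.last_accepted_step:
                continue                          # replay guard: one use per step
            expected = hotp(self.secret, step)
            if hmac.compare_digest(expected, submitted):   # constant-time compare
                self.last_accepted_step = step
                self.failed_attempts = 0
                return True
        self.failed_attempts += 1
        return False


if __name__ == "__main__":
    secret = generate_secret()
    code = totp(secret)                           # what the user's app would show
    print("secret:", secret, "current code:", code)
    print("server accepts:", TotpVerifier(secret).verify(code))
```

The assertions below use the shared test secret from RFC 4226/6238 (the ASCII string `12345678901234567890`), so the expected codes can be checked against the RFCs' own tables; in production the secret comes from `generate_secret()` and is stored per user.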

Code sample: Verify a User Account with Authy Services (account_verification_flask/views.py)

Where to Next?

Ready to add 2FA to your application with Twilio? Here are some resources to get you started:

Quick and Easy 2FA: Adding Authy to a NodeJS App

Two Factor Authentication in Rails 4 with Devise, Authy and Puppies

Account Verification with Authy, Java and Servlets

Twilio's Authy Documentation

We can't wait to see what you build!