Two factor authentication (commonly abbreviated 2FA) adds an extra layer of security to your user’s account login by requiring two forms of authentication: something your user knows and something they have.
Two factor authentication is nothing new. When you use your credit card and are prompted for your billing zip code, that’s 2FA in action. Other knowledge factors include passwords and personal identification numbers (PINs). Possession factors like your credit card include (but are not limited to) physical keys, fobs, and personal cell phones. Two factor authentication for web applications similarly requires something your user knows (their password) and something they have (their personal mobile phone).
The classic authentication approach for web applications requires a user to enter a username and password. However, password reuse, poorly protected password storage, social engineering, and breached databases make even a strong password vulnerable. By requiring users to add a second factor to their authentication flow, an account whose password has been compromised remains protected, because the attacker still lacks the second factor.
Mobile phone 2FA has become the industry standard, as most people carry their mobile phones at all times. It’s a user-friendly flow: dynamically generated passcodes are safe to use, and users can receive them through SMS or a dedicated app, such as Twilio’s Authy.
When a user signs up or logs in to your application, a numeric code is sent to their mobile device via SMS or generated by an authenticator app. Two benefits of using an authenticator app are that it provides a constantly rotating set of codes your users can use whenever needed, and that it does not require a cellular or internet connection, since the codes are derived from a shared secret and the current time rather than delivered over the network. Only after the user enters the correct numeric code in your application’s login flow are they authenticated.
There are a wide variety of ways to add two factor authentication to your application. TOTP (Time-based One-Time Password) verification tokens may be delivered to your user’s device via SMS or voice call, or generated locally by an authenticator app. By using Twilio and the Authy API, this implementation is greatly simplified and can boil down to just a few lines of code.
Ready to add 2FA to your application with Twilio? Here are some resources to get you started:
Twilio's Authy Documentation
We can't wait to see what you build!