
Authy Does FinTech


Recently I had the opportunity to jet westward to attend the FinDEVr conference in San Francisco, a great excuse for what is basically two days of geeking out with other financial technology (fintech) folk. What I like about FinDEVr is that it’s not just about networking with like-minded developers in the financial, banking & payments industries. It’s about actual content, and lots of it. With over 70 companies presenting their latest tools, platforms, APIs, and case studies, the nearly 500 technologists who attended could build their own track and customize their days according to what they found most valuable and interesting.

A solutions builder like me loves going to these kinds of things.

But they’re even better when I get to present something I’m passionate about. And I’m passionate about solving problems with code.

This Brings Me To Authy.

Or, I should say, Authy brings me to FinDEVr. I’ve been at Authy for less than a year now and have had many opportunities to talk with individual customers about their use cases and their ideas. But when I get in front of a sea of developers, the solutions builder in me comes out. FinDEVr gave me 20 minutes to talk about Authy, so I decided to jump in and show with live coding how to add a comprehensive two-factor solution to a website with Authy.

Since you’re reading this blog, you’re probably well aware that Authy is all about cyber-security. Specifically, we develop authentication tools that allow online businesses to keep their users secure, and to keep users from being hacked.

Authy has three main styles of two-factor authentication (2FA), which work together as a comprehensive two-factor solution, so your website or digital service can offer each user the right solution at the right time, depending on the devices the user uses most. Sending a push notification to a user’s device provides the best user experience, which translates to happy users, but it requires a smart device; if the user doesn’t have one, or hasn’t downloaded the app, they can still have an SMS code delivered to their phone. In this way, Authy is super flexible.

At FinDEVr I showcased these three styles of 2FA and showed how simple it is to use the Authy API to integrate two-factor authentication into any service. You can view my presentation of how the code works at the bottom of this post. But let’s touch briefly on each product:

Authy OneTouch is our latest, easiest and most secure option, as it allows a user to approve a second-factor verification with a quick touch on the screen of their device. Touch once and authentication is complete. And since there are no codes to enter, it’s not susceptible to phishing or man-in-the-middle attacks. It’s that easy.

  • Authy sends the user a push notification with helpful details
  • The user touches Accept or Deny
  • The user is allowed access to your site or app, or the transaction is processed

Our foundational service is Authy SoftToken. It’s a standards-based One Time Passcode (OTP) process and it’s the only Authy solution that works offline. If you’re familiar with Google Authenticator, you’ll notice the similarities. You’ll be pleased to know that Authy SoftToken, our top-rated 2FA application, offers a significantly better user experience. This translates to better user acceptance (and getting users to adopt and use a verification solution is the biggest hurdle, isn’t it?). In turn, happier users have fewer issues, ultimately eliminating high support costs for you. By having it all securely backed up to the cloud, users are protected when they lose or misplace their devices, which they do a lot! Here’s how it works:

  • Authy displays a seven-digit code (we call this a token)
  • The user enters the code on your site or app
  • If users run out of time, they can simply use the next token Authy generates. A new one is produced and delivered to the user every 20 seconds.
  • The user is allowed access to your site or app
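The token flow above, sketched as an added example (this is not Authy's code or API). It assumes "standards-based" means RFC 6238 TOTP over HMAC-SHA1, uses the seven digits and 20-second step the post states, and introduces a hypothetical `TokenVerifier` that tolerates one step of clock drift while refusing a token that was already accepted.

```python
import hashlib
import hmac
import struct

# Parameters stated in the post: seven-digit token, new token every 20 seconds.
# Assumption: the underlying algorithm is RFC 6238 TOTP with HMAC-SHA1.
DIGITS = 7
STEP = 20

# Constructed sample secret: the ASCII test key from the RFC 4226/6238 appendices.
RFC_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC the counter, dynamically truncate, keep `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server-side check with a drift window and replay protection (hypothetical)."""

    def __init__(self, secret: bytes, window: int = 1):
        self.secret = secret
        self.window = window      # time steps of drift tolerated on each side
        self.last_counter = -1    # highest counter value already accepted

    def verify(self, token: str, now: float) -> bool:
        current = int(now) // STEP
        first = max(0, current - self.window)
        for counter in range(first, current + self.window + 1):
            if counter <= self.last_counter:
                continue          # this token or an older one was already used
            expected = hotp(self.secret, counter).encode()
            # Constant-time comparison avoids leaking how many digits matched.
            if hmac.compare_digest(expected, token.encode()):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    v = TokenVerifier(RFC_KEY)
    token = hotp(RFC_KEY, 45 // STEP)
    print(token, v.verify(token, now=45), v.verify(token, now=46))
```

Tracking `last_counter` per user is what makes each token single-use; without it, a code observed in transit stays valid for the whole drift window.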

Completing the 2FA trifecta is Authy OneCode. Authy OneCode allows your two-factor offering to fall back seamlessly to a broader solution that simply requires the user to have a registered phone number. Let’s imagine that your customer doesn’t have the Authy app or doesn’t own a smartphone. They can still access your site because Authy will generate and deliver an on-demand one-time verification code via SMS or text-to-speech. All your users have to do is enter the code. And for those with a global user-base, SMS and voice messages can be customized based on your location and language.

  • Authy sends your user a code (SMS or text-to-speech)
  • The user enters the code on your site or app
  • The user is allowed access to your site or app

The Presentation:

Authy 2FA has been tested and used by more than 20,000 developers since 2012. And since no special security know-how is required, we get more and more clients integrating our simple REST API every day. You can get up and running with as little as 10 lines of code. And we provide extensive client libraries for users of PHP, Ruby, Python, Java, Node.js, and more. So it’s easy to make your service more secure, and therefore more appealing, in today’s world of cyber criminality.

Take a look at the presentation video below to see the code in action. Thanks to FinDEVr and the entire fintech community for giving me the opportunity to show off our code. And don’t hesitate to reach out if you have questions. I’m at [email protected].

About the author Dan Killmer

Dan is the Lead Solutions Architect at Authy, and manages the Authy Sales Engineering team. Dan spends a great deal of time listening to customers, and helping them understand how our security products fit their business needs, along with helping customer technical teams succeed. Dan actively participates in identifying and specifying new features, as an outcome of customer and user comments and requirements.
