App Security: To Build or To Buy? – Part 3: Get Total Control Over 2FA Implementation


This is the third article in the 3-part series: App Security: To Build or To Buy?

While it might seem easy to add 2FA to your application, operating it long term is not trivial. There are many more aspects to a successful and easy-to-use 2FA solution than just implementing the OTP standard in your login flow. Delivering tokens, managing multiple vendors (SMS, voice, push notification networks) and handling end-user support can amount to significant time and cost.

The Final Puzzle Piece

The final piece in the puzzle of building your own 2FA solution is securing the whole implementation. First, you must securely build the 2FA authentication software. Then you need to ensure it is correctly integrated. Managing the entire 2FA lifecycle means implementing processes around credential generation, issuance, expiry, revocation, emergency access, retries, lockouts and so on. While 2FA is about improving the security of your application, your app is at risk if the 2FA service itself has a vulnerability. Making sure your 2FA code, the service, the support processes and end-user practices are secure is critical.

Do you ensure the 2FA logic in your application is well secured? Do your developers have the knowledge to keep it up to date based on newly found methods of attacking 2FA or security vulnerabilities in general?

Starting From Scratch

If you decide to build your own from scratch, you will end up heavily involved in cryptography: generating TOTP tokens and validating them, securing the storage of the shared keys, and implementing public/private key mechanisms to secure server-to-client push notifications. This can be a hornet’s nest of complexity and, without expert knowledge, is often a really bad idea.
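To make the "generate, validate, retries, lockouts" part of that work concrete, here is an added example (not Authy's code or code from the original post) of a minimal server-side TOTP verifier following RFC 4226/6238 with HMAC-SHA1, a one-step clock-skew window, replay protection and a failure lockout. The constants `WINDOW` and `MAX_FAILURES` and the `TotpCredential` class are assumptions chosen for illustration; key storage, recovery and unlock flows are deliberately left out.

```python
import hmac
import hashlib
import secrets
import struct

DIGITS = 6
STEP = 30           # RFC 6238 default time step in seconds
WINDOW = 1          # assumption: accept +/- one time step of clock skew
MAX_FAILURES = 5    # assumption: lock the credential after this many bad codes

def new_secret() -> bytes:
    """Fresh 160-bit shared secret for one enrollment (must be stored encrypted at rest)."""
    return secrets.token_bytes(20)

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def totp(key: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, at // step)

class TotpCredential:
    """Server-side record for one enrolled user: shared secret plus replay and lockout state."""

    def __init__(self, key: bytes):
        self.key = key
        self.failures = 0
        self.last_counter = -1   # highest counter already accepted; blocks replay of a used code

    def verify(self, code: str, now: int) -> bool:
        if self.failures >= MAX_FAILURES:
            return False         # locked out; only the recovery/reset process may clear this
        base = now // STEP
        for c in range(base - WINDOW, base + WINDOW + 1):
            # constant-time compare so response timing does not leak matching digits
            if c > self.last_counter and hmac.compare_digest(hotp(self.key, c), code):
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        return False
```

The `hotp`/`totp` functions reproduce the published RFC 4226 and RFC 6238 test vectors for the ASCII secret `12345678901234567890`, which is a convenient self-check before trusting any home-grown implementation.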

This brings us to the next problem with building your own 2FA service. For many hackers, targeting the 2FA service itself is a common way to gain illegitimate access to an app. Poorly designed or configured 2FA solutions can easily be circumvented by attacking the 2FA reset process. There are also methods of capturing the 2FA token by phishing.

Eliminate The Risk

Clearly, the investment and risk in building your own 2FA are significant. That’s why Authy was created. Authy is a cloud-based API and service that removes the complexity and effort of adding 2FA to your application. Because it is an API, it gives you total control over how and when to implement 2FA in your application. Yes, that does mean you are still writing code, but the amount of code is significantly reduced, in some cases from hundreds of lines to a small handful. Authy hosts all the complexity in a cloud service with constant security testing and monitoring. We handle SMS delivery via multiple providers, and we also offer voice and push notifications. Our global team is dedicated to the production, maintenance and security of the 2FA service, our clients, SDKs and code libraries. And because our API is so streamlined, our customers find their developers can integrate Authy into their application in no time.

Companies large and small have chosen Authy to strengthen the security of their platforms and applications. And because the complexity of 2FA is abstracted away from our customers’ integrations, we can make service improvements without any changes to the customer code.

Not only is our API very easy to use, but we’ve also built the best-loved 2FA smartphone app on the market. Users love that it can back up all their accounts and allow them to be used across multiple devices. And if a user loses or changes a phone, no worries: they just restore their tokens on another device.

PC Magazine Rates Authy As Excellent

It’s no wonder that our end user application has earned the highest ratings from both the Apple and Google app stores, and an “Excellent” rating from PC Magazine. With over 3 million users having downloaded our free app on mobile devices and desktops for use with Google, Microsoft, Amazon, Twitch, Twitter, Facebook and hundreds of other services, your users probably already have Authy.

And if you already have a smartphone app, you’ll appreciate that our SDK lets you embed all Authy functionality directly into your existing application with the minimum of development!

Get Our Free White Paper

Learn more about avoiding the pitfalls of developing your own 2FA: Why You Can Buy Your Application Security And The Build With It

About the author: Authy

Authy is simple & secure two-factor authentication, available as a free mobile or desktop app, from Twilio. To get yours, click on the download button at the top of the page.