
Authy User: Two-Factor Authentication Evangelism in Argentina

Not long ago, Authy was made aware of some very informed blog posts and tweets on topics like identity, two-factor authentication, cybersecurity, content security, and on-prem, cloud, & hybrid infrastructures. What caught our eye is that the tweets were always so helpful, often going much further than typical 2FA and security recommendations you see on Twitter. 

Turns out that the author of those tweets is blogger Pablo Alejandro Fain, an IT professional based out of Argentina who is also an avid Authy advocate. Pablo can be found alerting people about the benefits of our two-factor authentication service simply because he himself is a fan. We asked if he’d tell us more about his experiences with 2FA and he recently took time out of his workday to chat with us.

AUTHY:  First off, what exactly is it that you do?

For the past eight years, I’ve been a Microsoft Certified Solutions Expert in Productivity, which means I work to help others work and collaborate more efficiently. I’m currently in the process of transforming my role to dedicate myself 100% to Information Security. 

And you’re based in Buenos Aires? 

I mostly work remotely, but I also like to go to the Ernst & Young offices here in Buenos Aires two or three times a week to meet with other people. My team is distributed worldwide, so it’s challenging to meet them in person, but I like to meet people from other teams, and see how I can help them with my knowledge, etc.

Working with a global team can make in-person networking a bit difficult.

It’s true, but I find that Reddit helps me exchange information and experiences with other people with my same interests. And Twitter is a great place to meet colleagues, and to help non-IT people get involved in the privacy and security fields. I truly believe it’s necessary for people to understand the importance of staying protected online.

So you’re kind of a cybersecurity evangelist!

I was always interested in the security field. Every time I talk to a person — no matter if they’re IT or non-IT — I try to see how they protect their online accounts, and what the industry can do better to help them stay secure.

Which poses the question “How do you stay secure, and how did you come across Authy?”

At the time I started with Google Authenticator, 2FA wasn’t mandated by anyone. In fact, only a few online services had 2FA capabilities. However, I recall that I had to switch between Android devices and lost every security token associated with my device. It was then that I started to investigate other options and came across Authy. With Authy, I’ve switched from Android to iOS, then between multiple iOS devices, and never lost a thing.

How long ago did you move from Google Authenticator to become an Authy user?

I’ve been using Authy for about six years now, ever since I discovered Google Auth couldn’t migrate my seeds from one device to another. I use the Authy iOS app in combination with my YubiKey devices. Whenever I associate my primary YubiKey to a service, my golden rule is to also associate a second key (which is kept safe at home) and also Authy.

So you take cybersecurity very seriously. 

I do. And I keep track of the sites and services where each 2FA form is enabled through tags in 1Password. So far, I have 85 accounts protected by Authy 2FA. Here are some of the sites where I have Authy currently enabled:

1Password, Adobe, Amazon, Atlassian, Azure AD, Bitbucket, WordPress, Buffer, Cloudflare, Devolutions, Digital Ocean, Discord, DNS Made Easy, Dropbox, Enom, Evernote, Facebook, Gandi.net, GitHub, GoDaddy, Google Accounts, Hootsuite, Instagram, MailChimp, Mercado Libre, Microsoft Accounts, Namecheap, PayPal, Sendgrid, and WordPress. 

That’s a pretty impressive 2FA list. 

It’s huge, right? Oh, and LinkedIn, too, this is a new one! The list continues and, in addition to those I just mentioned, I have some cloud servers that I use for personal stuff (like hosting my blog, a Unifi cloud controller, and a VPN server) that I also protect with Authy using your API.

Can we ask what Authy security features are your favorite?

Probably the most important is the combination of 2FA Backups and the Multi-Device feature for when I need to switch between an old and a new phone.

Any suggestions on how we can improve Authy two-factor authentication?

Sure. I’d like to be able to upload my own icons for the accounts that are not Authy-enabled, or for those that you don’t provide a custom logo. And personally, I’d like to see better support for the Apple Watch app, which I need to reinstall every time I add or remove an account.

We’ve got some feature improvements in the pipeline that I’m sure you’ll appreciate and your suggestions will certainly be passed to the Authy engineering team. Anything else?

If I can give readers three recommendations, those will be:

  1. Use a password manager.
  2. Secure your accounts with 2FA.
  3. Backup all your stuff.

Good advice. Thanks, Pablo!

Why Is The Authy 2FA App Free For Users?


Easy to download and often free (or low-cost), mobile apps are an integral part of our daily lives – to play games, get turn-by-turn directions, access news, social networks, weather, and so on. But how are these apps paid for, and why is there no charge to use them? We get the “Why Is Authy free?” question a lot, so let’s dig in:

First, a little bit about Authy two-factor authentication:

At Authy, we’re all about security. We want your online activities — whether it’s basic banking, buying bitcoin, Tweeting, or streaming on Twitch — to be as safe as can be.

Each day, online accounts protected with just a password are vulnerable to threats of data breaches, account takeovers, phishing scams, and identity fraud. That’s why we try to remind people to avoid reusing passwords across sites and to enable two-factor authentication everywhere it’s offered, even if you choose something other than Authy’s 2FA app.

To keep security codes within arm’s reach, most Authy users download the iOS and Android apps. We also have a browser-agnostic desktop app with extra features, like account search and viewing options. And for more convenient, comprehensive protection, we suggest using a combination of Authy apps.

How do free apps make money?

In general, apps make money one of three ways:

  • Freemium apps: Typically free to download. They’ll get you hooked, then coax you with in-app purchases.
  • Ad-based apps: Often free, but paid ads rotate throughout the experience. To bypass the ads, some apps offer to sell you a ‘premium’ membership.
  • Apps that monetize personal data: Read the small print! In exchange for using an app, you may be giving app makers permission to sell key bits of information — like your email address, phone number, friends list, and so on.

Authy is different. So, how is it free?

Authy doesn’t fall into any of the above categories. In a nutshell, Authy is a product of Twilio, a company that makes it easy for businesses to communicate with individuals (and vice versa) by providing developers with access to complete software solutions. These businesses pay for authentications generated by Twilio’s pre-built authentication software, the Authy API. The Authy app is free for end users because, in essence, it’s paid for by businesses working with Twilio to ensure you stay protected.

Basically, a Twilio customer plugs the Authy API into their backend code. Then, when you attempt to log into their site, Authy 2FA can be delivered to your smartphone in the form of a time-based one-time password (TOTP). This unique code, which is only valid for about 30 seconds, must be entered into the website for you to gain access.

Your account stays secure. And you don’t pay a cent!

Besides being free, the Authy 2FA app offers these benefits!

  • Multi-device convenience. Authy 2FA tokens automatically sync to any new device you authorize. This way you can use 2FA from a phone, a tablet, or a laptop, and they’re all connected. If a device is lost, stolen, or retired, just deauthorize it.
  • Encrypted backups in the cloud. Lose a phone, and Authy’s cloud-based backups allow access from other devices (as long as you have not disabled the multi-device feature).
  • Works anywhere. 2FA tokens are generated directly on your device. They’re not reliant on wifi or internet access. Great for when you’re flying, or if phone connectivity is spotty.
  • New phone? No problem. Install the Authy app, verify your identity, and Authy security tokens will just re-appear. No need to set up your accounts all over again like you have to do with other 2FA apps.
  • Easy recovery. Lose access? We can easily walk you through the account recovery process to re-install Authy. We take extra precautions to protect your account during the recovery process, so please understand recovery may take more than 24 hrs.
  • Smart Google Authenticator substitute. Authy 2FA tokens will work with any site that prompts you to use Google Authenticator, DUO, or other TOTP-based services. Just follow the ‘enable 2FA’ instructions provided by the site and use Authy instead. Or you can start with our own “how-to” guides.

Some final thoughts about 2FA security:

Even if a site you frequent doesn’t specifically offer Authy 2FA protection, we encourage you to use whatever security service they offer. Any 2FA is better than none at all.

To find out if your favorite site offers two-factor authentication, check out Two Factor Auth. There’s even a built-in tool you can use to tell sites without 2FA to get with the program!

We hope that this post explains a little about how we keep the lights on at the best 2FA out there, without having to charge end-users a single penny.


Authy User: Protected In Nashville

Authy: So, Mike. Set the stage.

Mike: My name is Mike from Nashville, Tennessee. I have a degree in Computer Science and an MBA in accounting. For the past few years, I’ve been a Business Systems Analyst for Smith & Nephew, a global medical technology company with Headquarters in London. I’m a gamer/geek at heart, and I’ve always loved technology and coming up with solutions to technical and business issues. I’m an early adopter as well, so I spend a bit of money on gadgets. My friends all have similar interests and we always compare our setups against each other, from a security and “best tech” standpoint.

What do you spend most of your online time doing?

Online, I spend a lot of time reading Reddit and watching streams on Twitch.TV. Although I personally don’t have time to play games anymore, I enjoy watching others play. This is a substitute for cable, as I haven’t watched cable TV in years.

Tell us your online security story.

I initially used Google Authenticator, however, there were several issues I had with it. For one, I hated keeping backup codes in my wallet. And second, I’m a flash-a-holic on my phone (I’ve always purchased Nexus phones). So whenever I would flash a new ROM on it, I would lose the previous instance of GoogleAuth. Anyhow, my wallet was looking beat-up and I decided to change it out before an upcoming business trip. I started tossing receipts and loose papers kept in my wallet and didn’t think about it too much, and as you can guess, I threw out the slip of paper with my backup codes on it. During my trip, a new update for the Android M preview came out and I flashed it with excitement, not thinking about the repercussions with Google Authenticator. Upon reinstall, it asked for my password (which I remembered) but I did not have access to my backup phone number (I forgot to change my GA backup phone number when I got a new one) or the backup codes, or even the authenticator, to get back in. The account was six years old, so old that I had trouble even remembering the answers to verification questions to prove I was the owner. It failed multiple times. Eventually, I had to suck it up and consider it a loss. I was locked out of my own account, and Google wouldn’t help me. I was enraged and vowed to never use Google Authenticator again.

Is that when you first tried Authy?

Yes, Authy was my first choice because it was hyped on reddit and by my peers, and didn’t involve pesky backup-codes.

What Authy features did you appreciate most?

I like the fact that all my 2FA accounts were stored safely somewhere. It was hailed and praised on the internet. The testimonials and the Authy tweets I saw gave me more confidence that I could trust it. It was also flash friendly. If I changed the OS version on my phone, all I had to do was validate my phone number and everything was reloaded instantly! No need to rescan 2FA codes and start over! I could, essentially, keep the same token, which was a huge plus. The primary pain point from GoogleAuth was gone, and then Twitch partnered with Authy for a 2FA solution! Because of my familiarity with Twitch, it was a match made in heaven.

But then we lost you. What happened?

I wanted to be in control of everything locally on Google Drive without relying on third-party servers I had no control of. What if Authy servers went offline or suddenly became unavailable? What if they got hacked? All these scenarios ran through my head and I started having doubts that I made the right decision.

Which security provider did you switch to?

I chose to go with Authenticator Plus. The appeal to me was that you could store the database on your own Google Drive, without relying on third-party servers. Before switching, I spotted a tweet by @jcase about trying out Authenticator Plus, and since he’s a well-known tech and security enthusiast, I figured I could trust him. After I left Authy I tweeted about the switch and @Authy said they’d welcome me back upon my return. Little did I know what this would mean at the time.

And eventually, you did return. What prompted that?

I was with Authenticator Plus for several weeks, and the primary reason why I returned to Authy was that I had updated to the Android N preview for the new OS being released by Google. Some of the libraries that Authenticator Plus relies on failed and hadn’t been updated, so as a result, I couldn’t access any of my accounts. I had to email support and they confirmed that nothing could be done until either Google made the changes in an updated preview, or the official release came out. Since I use my 2FA accounts multiple times a week, this was NOT an option. So once again, I was locked out of my accounts and had to re-scan and reset all my 2FA tokens again. I was still following Authy tweets in security-related news, noticed the one about Authy’s uptime, and decided to use Authy again. I currently use it for a number of accounts.  

Happy?

When I announced on Twitter that I “came back home,” @Authy welcomed me back with open arms. So, if it works, why switch?

How can we improve your Authy experience?

How about a nice web interface to all access codes when you don’t want to take your phone out. Or notifications when anyone attempts to log-in using your phone number. Plus it would be great if you could work with more banks. Seems like most use SMS and it would be nice to have one solution for all.

Thanks, Mike from Nashville. It was a pleasure to get to know you a bit better.

That is why I came back to Authy.

What does a 618% jump in 2FA say about internet security?

Photo by Marvin Meyer on Unsplash

While 2FA is being implemented more often and users are more frequently protecting their accounts, we need to see these numbers double or triple what we see today for us to be confident that the internet is safer.

The UK, along with Italy, was one of the most active countries for regulatory enforcement of data protection in Europe in 2016, with fines doubling to £3.2 million according to a recent PwC report. Despite this, data breaches grew by 41% in the UK in 2017 and are still making headlines, including the recent Wonga data breach which saw the data of nearly 250,000 UK customers stolen. Globally, 2,889,920,099 user records were exposed in the last 24 months, with sectors ranging from business, education, and government to health and finance all affected. It’s clear that businesses of all shapes and sizes urgently need to take steps to improve their security.

Businesses need to act

Data breaches are not slowing down and, while some progress is being made, the onus is on businesses to provide greater security and, importantly, to educate consumers on adequate data protection and the steps the business is taking to secure data. Around 20% of UK consumers said that they don’t trust businesses handling their data, while only a minority of small businesses in the UK have cyber-security risks policies or management in place.

Any business handling sensitive information online should be implementing proactive measures to strengthen their security. Steps they can take range from increasing password security to conducting regular tests and audits on data protection. Two-factor authentication, however, is commonly considered the most reliable method to ensure adequate data protection.

2FA as the solution

Two-factor authentication bolsters passwords with a second piece of information which typically involves a one-time passcode (OTP) being sent at the time of login via an SMS, voice call or generated within an app. Hackers now need possession of the device that is receiving the code before they can access the account.

Twilio found that some of the most popular security packages for supporting 2FA have seen a 320% increase in downloads over the last 24 months. However, while 2FA is becoming more widespread, not every website has 2FA enabled. A quick look at twofactorauth.org will show that only 50% of the 1,000 most popular websites offer any form of 2FA. In reality, that percentage is likely much lower across the millions of websites on the internet.

2FA technology is also advancing, giving developers more and more ways to secure accounts. The latest incarnation, push authentication, is a vast improvement over sending an SMS with a one-time passcode. Push authentication presents the user with a rich interface that includes details of the application they are logging into and asks them to “Accept” or “Deny” the request. As soon as the user taps either button, the response is immediate, either quickly logging in the legitimate user or preventing access to a hacker. This new approach is being implemented by the likes of Google, Microsoft, Yahoo, and others.

Such 2FA techniques can be used not only for the initial log-in but also for other actions which require protection, such as a money transfer or a cryptocurrency withdrawal. This means that even with a compromised browser on a laptop, high-risk and high-value transactions can be secured by pushing the authorization off the desktop to a trusted device. It’s important that businesses discourage an over-reliance on passwords among consumers by implementing 2FA directly into the customer log-in experience.

Consumer awareness of 2FA is on the rise

The good news is that consumers are becoming more aware of security threats, mainly due to a string of hacks reported in recent news. In fact, since 2016, there has been a steady increase in public awareness of 2FA, which shows that consumers are looking for a method of security that is more robust than a simple username and password. To further support this, Twilio found that there has been a 618% increase in users enabling 2FA from 2015 to 2017 via the Authy app, and a 538% rise in people who have carried out 2FA-protected logins over the past two years. Consumers are evidently becoming more security-aware and are open to changes in the way they protect themselves online, with many moving beyond password-only protection.

With 2FA, is the internet becoming safer?

Security features like 2FA protect data even when older security processes fail. Data shows 2FA usage is increasing significantly, which is a good sign online accounts are being better safeguarded. But does this mean the internet is getting any safer? Overall, our analysis of applications shows that while 2FA is being implemented more often and users are more frequently protecting their accounts, we need to see these numbers double or triple over what we see today for us to be confident that the internet is safer. And with user-friendly 2FA options like push notifications, businesses are better positioned than ever before to make the method visible to their users or even better, a mandatory part of the login process.

This article was originally published by SC Media UK.


Search Your Authy 2FA Tokens on iOS and Android

In the last few weeks, the Authy apps for iOS and Android have been updated to allow for in-app search, so you can easily find the 2FA accounts you’re looking for regardless of how many you’re protecting with Authy.

Providing users with a way to organize their two-factor authentication tokens, whether through a folder system or via a search tool, has been one of our most regularly requested features. And we’re happy to release it just before the New Year when many people put in a little extra effort to organize their digital lives.

This new search functionality brings the Authy apps into line with features in our standalone desktop 2FA app for both macOS and Windows. If you haven’t tried Authy Desktop yet, we think you’ll enjoy it.

Managing feature requests

Authy has an incredibly passionate community of users out there who continue to help us make our two-factor authentication products better, and we sincerely appreciate all the recommendations and feature requests we receive.

As we grow, we find an ever-changing list of priorities on our to-do list, and while we do take every feature request seriously, we apologize for not being able to anticipate exactly when each might be ready for release. For example, we released a recent update for landscape view for tablets without a lot of fanfare, but for those of you who had been waiting for it, it was a big deal. We also spend a significant amount of time on security updates, both in the apps and also in the APIs it uses and these updates are not always visible to you. Feel free to continue to send us requests for improvements you’d like to see.

Please spread the word

Thank you for continuing to use the Authy app, and for sharing it with friends and family who may not be as aware of online security concerns. Remind them that they can quickly download the Authy app (for iOS, Android, or Desktop)  and use it just about anywhere that offers two-factor authentication protection, even on websites or mobile apps that don’t outwardly promote Authy. If a site supports standard TOTP (like Google Authenticator), you can always substitute Authy in the set-up process instead.

And please follow us on LinkedIn, Twitter, and Facebook so that you can be the first to know when new updates are released. As always, if you have any questions, please visit authy.com/help.

How Authy uses your personal and device data

If you’ve been paying attention to current headlines, you’ve likely heard about privacy, data sharing, and businesses tracking people via online apps, social networks, and wireless providers. Occasionally we’ll see comments on Twitter that Authy, according to our privacy notice, shares data with third parties. This blog post was written to clarify precisely what we do and do not do with information collected as a result of using the Authy app.

How & Why Data Is Collected & Used

To understand how and why we collect data about users and their devices, let’s look at how the Authy app works. The most common feature enables you to save your Google Authenticator tokens, encrypt them, back them up in our secure cloud service, and then access them via the Authy app on multiple devices. If you only ever use Authy for this purpose, none of your data (device information, IP address, phone number or email) is shared outside of Twilio.

The Authy app is also used in combination with the Authy API, a Twilio cloud service that allows businesses to implement two-factor authentication to protect their customers. We build and distribute the Authy app for free so that API customers — companies like Twitch, Pinterest, Transferwise, Uphold, and Gemini, among others — don’t need to develop their own 2FA apps.

It’s in this scenario, when the Authy app is used in conjunction with the Authy API, that some user data is beneficial to the businesses trying to protect your account. Advanced authentication systems leverage a number of signals (e.g., device type, wireless carrier, and IP address) to ensure that incoming authentication attempts are actually coming from legitimate users. For instance, you might create your account in a web browser on a Mac from an IP address associated with AT&T internet services, then use the Authy app from the same wifi network address on an iPhone. A request then coming from an Android device in China would be flagged as suspicious. The more an application knows about legitimate users as they log in, the better the protection it can provide. This is especially important with so many illegitimate parties using increasingly inventive approaches to take over online accounts.

Protecting Accounts

Because of this need to protect accounts, we provide data as part of our service to better protect our customers’ users. Information on what we share and how it’s used is detailed in our API documentation. For very high-risk businesses such as financial institutions or cryptocurrency platforms, we also share IP address and more detailed data on the device to help them best protect financial transactions. The decision to share this extra data is made on a per customer basis, and we evaluate the legitimacy of each customer to ensure the data is being used appropriately.

The table below shows examples of some of the data we may provide to high-risk customers, showing different data depending on how the authentication takes place. Note that the location data is based on IP and not GPS tracking.

Examples of Authy data collected

Staying Safe

This blog post is an attempt to be fully transparent about data sharing. We hope it sheds some light on how and why we use some of the information we know about our users: to help secure their digital lives.

As part of Twilio, we take the privacy and security of Authy users very seriously. And we comply strictly with policies like Europe’s GDPR (General Data Protection Regulation). To reiterate, no Authy data is shared with any entity who is not an Authy API customer or part of Twilio’s approved service providers. The only information that is shared is that which actually results in the increased security of user accounts.

The big picture goal of the Authy 2FA app and our two-factor authentication APIs is to better protect users online. Under no circumstances are we sharing or selling your information to other companies for marketing or advertising purposes.

Thanks for reading and stay safe.

How Authy 2FA Backups Work

A few years ago Google Authenticator released an update for their iPhone app that wiped users’ 2FA tokens when installed. That prompted a lot of users to switch to Authy in order to take advantage of our backup feature. We occasionally get questions about this particular feature from both users and developers, so this post will explain how the backup feature works in order to assuage any security or privacy concerns.

I also want to make it really clear that the password used for encrypting your 2FA tokens is NOT stored anywhere in our cloud service. This password you MUST remember. Forget it, and you lose the only way to decrypt your 2FA tokens. With that said, let’s look at how this feature works.

Backups are opt-in!

If you do not enable backups, your accounts will only be stored inside your phone (just like most other 2FA apps). You are not required to sync your keys to Authy in order to use your phone as a second factor. If you don’t need the convenience of backups, no problem — simply keep backups disabled.

Backups are encrypted prior to upload

Let’s set the record straight on how we handle encryption. For your convenience, Authy can store an encrypted copy of your Authenticator accounts in the cloud. The accounts are encrypted and decrypted inside your phone, so neither Authy nor anyone affiliated with Authy has access to them.

To make backups compatible across devices, all Authy iOS, Android, and desktop apps use the same method for encryption/decryption. (Apologies to users if this part of the post gets a bit technical, but developers will get it.)

How the Authy key backups work:

Backups are executed in several steps:

  • We ask you to enter a password. Passwords must be at least 6 characters long, although we recommend that you aim for at least 8 characters.
  • Your password is then salted and run through a key derivation function called PBKDF2, which stands for Password-Based Key Derivation Function 2. PBKDF2 is a key stretching algorithm used to hash passwords in such a way that brute-force attacks are less effective. The details of how this is done are quite important:
    • We use a secure hash algorithm that is one of the strongest hash functions available. It’s a one-way function: it cannot be reversed to recover the password.
    • We use 1000 rounds. This number will increase as the processing power of low-end Android phones increases.
    • We salt the password before starting the 1000 rounds.
    • The salt is generated using a secure random value.
  • Using the derived key, each authenticator key is encrypted with the Advanced Encryption Standard (AES-256) in Cipher Block Chaining (CBC) mode, with a different initialization vector (IV) for each account. The IV is mixed into the first block so that each encrypted message is unique even when two accounts share the same key.
    • If any authenticator keys are 128 bits or less, we pad them using PKCS#5.
  • Only the encrypted result, salt, and IV are sent to Authy. The encryption/decryption key is never transmitted.

Restoring Authy Keys:

If you have a new phone — or are adding a new device — you can restore your Authy keys by following these steps:

  • First install Authy on your new device.
  • Next, use Authy to confirm you are the owner of the original account. You’ll want to use the original phone number and country code you used when initially signing up for Authy.
  • You’ll receive a OneCode notification on another device (SMS or Voice) and will be required to enter that value before your keys sync.  Once your keys have synced, you will have to provide your backup password to decrypt your keys.
  • Note, the Authy keys on this new device use a different TOTP seed value so the codes provided will be different on each device.
  • For Google Authenticator keys, this is unfortunately not the case as the QR codes used to create these initial TOTP factors are the seed values and will be the same across all synced devices.  Yet another reason to leverage Authy as a 2FA provider.

If you take anything away from this blog post, let it be this:

Consistent with standard industry practice, for both creation and restoration of backups, all encryption and decryption happens on your device, not in the cloud.

Dear Authy 2FA: A Two-Factor Authentication Love Letter

If ever you receive an email that starts off with “At [NAME OF COMPANY] we take your account security very, very seriously,” you can pretty much prepare yourself for bad news: either a data breach, or a hack, or some other compromise of personal information. Here at Authy, we really understand the importance of account security. We’re well aware that a single line of poorly protected code on a retail website, or just one reused password used to access a blog, online bank, or a presidential campaign, can really ruin someone’s day. It could even likely have financial implications for millions of consumers.

That’s why we’re huge advocates of two-factor authentication. Occasionally, we’ll be tagged in a Facebook post about how easy Authy is to use, or we’ll see a tweet that describes how Authy is the preferred protection for a particular site. We appreciate every one of those accolades. But then we got the note below. Consider it our favorite fan mail yet!

————————————————————————————-

Dear Authy,

I just wanted to tell someone at Authy how much I love this product, and how much I appreciate the work that went into it. It just makes so much sense. It’s intuitive and useful in a way that no other 2FA system is.

I’m thinking in particular of Authy’s ability to make backups and to authorize multiple devices. Who doesn’t have at least two phones these days? And who knows when you’ll be carrying either phone? Who hasn’t had a phone stolen? Everyone has. And when you look into 2FA, these are the first concerns you have. Yet, as far as I can tell, Authy is the only product that truly takes them into account.

I can speak on this with some authority because I recently went down the rabbit hole of trying to implement 2FA on two WordPress sites with miniOrange and then with Duo. I invite anyone who has a couple of weeks to spare and is willing to spend hours upon hours every day reading the online documentation, scouring the support forums, watching videos, and exchanging complex emails with support teams to try to understand and use Duo or miniOrange – and then fail completely.

With miniOrange, I did as much research as a human could do, and I did everything right (as far as I could tell), and it just led to disaster. I ended up in a permanent loop and locked out of both of my WordPress sites. I was so deep into it by that point that I barely understood what I had done, let alone how to back out of it and gain some control. I received long, technical emails from the support staff containing sentences like this one:

“Can you please make sure that the folder /var/lib/php/sessions have sufficient write permissions? You will need to assign the directory with the owner that has the appropriate write permissions.”

I could live to one hundred and study all that time, and I would still be unable to understand what that sentence meant. And if miniOrange as a product required that much effort just to get it to work, how could I trust it to protect anything?

With Duo, I was just left utterly bewildered. I knew in my head what I expected to happen and how things should work, but when I looked for that pattern in Duo, I couldn’t find it. I followed their instructions step-by-step, and it seemed far more complex than it needed to be. I had no idea why I was doing 90% of the things they were telling me to do. It just felt wrong. And what I ended up with was a system that just felt weird. Things didn’t make sense and didn’t match my expectations. For example, I ended up with just one entry on the Duo mobile app for both accounts. I had two fully separate websites. Yet the same button on the Duo app gave me codes to open both of them. As I said, it felt wrong.

And along the way, I looked for the things that I mentioned in my opening paragraph – such as the ability to install the Duo mobile app on two phones. But no matter how I twisted and turned, how much I read, and how much I pestered people in online forums, I could not figure out how to do it. I could see in my head how it should work: open up a Duo account on the web; install the Duo mobile app on my first phone; then scan the QR codes for my various accounts to add them to the app. Final step: download the Duo app to my second phone and authorize it to access my online Duo account. I had one account, right? It just made sense to put it on two phones and have both those devices synced to my account.

It took me a long, long time to figure it out, but apparently, this can’t be done. It’s not how it works. I was so puzzled by that.

And that’s where the amazing (to me) Authy comes in, because that’s exactly how Authy does work: exactly how I imagined that 2FA would work. The language you use on your website to set up Authy and the way that Authy works just makes sense on a human level, and in a way that none of the other products do.

This is a paragraph from the Authy website: 

“With Authy’s multiple-device functionality, your 2FA tokens automatically sync to any new device you authorize. And, if a device is lost, stolen, or retired, you can deauthorize it from any authorized device just as quickly.”

When I read that, it’s like the clouds parted and the sun came shining through. “Exactly!” I thought. “I’ve got two phones, and I want to authorize Authy on both of them and have them synced to my main Authy account. And if one phone is stolen, I want to be able to deauthorize it from my remaining phone.” This is exactly the type of language I was looking for (and expected to find) for Duo and miniOrange, but couldn’t find.

Another hallelujah paragraph from the Authy website: 

“Out of the gate, Authy lets you take advantage of encrypted backups in the cloud. How is this handy? Lose a phone, and you can still access Authy accounts from other devices (as long as you have not disabled the multi-device feature). Get a new phone, and you can install the Authy app, verify your identity, and access all your Authy tokens relatively painlessly when compared to Google’s solution.”

“Exactly!” I thought again. “Of course it works this way. It’s logical.” The real question is why none of the others do.

And I haven’t even mentioned how good Authy looks. Nor have I mentioned the browser extension. It’s just a great product. And I have to say that the industry as a whole doesn’t do you guys any favors. 2FA is a difficult concept to grasp for a newbie like me, and the instructions for setting it up on a Google account, on Facebook, on Microsoft, on Amazon, and on Dropbox can be intimidating.

As you know, all these sites handle it differently, but they all have one thing in common. They try to trick you into believing you have to use Google Authenticator. They hide the reality that you just need an authenticator app, and you have a choice. No one ever offers up the option of using another authenticator, like Authy. And anyone who figures this out and does the research will quickly come to the conclusion that Authy is the way to go.

I don’t know if I’ve ever written a message like this before. Probably not. This message is a result of the absolute horrors that I went through as I tried to master 2FA and come to grips with the mind-boggling complexities of products like Duo and miniOrange, plus the inadequacies of others like Google Authenticator. It’s no joke to say that I was going out of mind.

And then came Authy, a 2FA system that did exactly what I expected it to do, what I thought a 2FA system should do. And it did it better than any of the others. It was such a relief, that I had to let you know.

Thanks for making my life a LOT easier.

Doug (Last name withheld because…privacy)

————————————————————————————-

A point of clarification:

Some, but not all, sites mention Authy as an authenticator app that can be used for 2FA. But Doug is correct: most sites tell you to use Google Authenticator without saying that any TOTP-based authenticator will work. Since Authy and Google Authenticator implement the same TOTP standard (RFC 6238), scanning the same QR code into either app yields the same codes, so you can use Authy anywhere Google Authenticator is offered. We just made an app that has more options, better benefits, and is easier to use.
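To show why that is true, here is an added example in Go (not Authy’s or Google’s code) of the computation every authenticator app performs on the secret carried in a site’s otpauth:// QR code: RFC 4226 HOTP over a time counter, as RFC 6238 specifies. The parser, the function names and the site-side Verify with a one-step drift window are illustrative choices; the sample URI is constructed from the RFC 6238 reference secret “12345678901234567890”, so its codes can be checked against the published test vectors.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/base32"
	"encoding/binary"
	"errors"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// TOTPKey is what an authenticator app stores after scanning a site's QR code.
type TOTPKey struct {
	Issuer, Account string
	Secret          []byte // raw HMAC key, base32-decoded from the URI
	Digits          int
	Period          int64 // seconds per time step
}

// ParseOTPAuthURI reads the otpauth:// URI encoded in the QR code, e.g.
// otpauth://totp/Example:alice?secret=BASE32SECRET&issuer=Example&digits=6&period=30
func ParseOTPAuthURI(raw string) (*TOTPKey, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.Scheme != "otpauth" || u.Host != "totp" {
		return nil, errors.New("not a TOTP otpauth URI")
	}
	q := u.Query()
	secret := strings.ToUpper(strings.TrimRight(q.Get("secret"), "="))
	key, err := base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(secret)
	if err != nil || len(key) == 0 {
		return nil, errors.New("secret is not valid base32")
	}
	k := &TOTPKey{Issuer: q.Get("issuer"), Account: strings.TrimPrefix(u.Path, "/"),
		Secret: key, Digits: 6, Period: 30}
	if d := q.Get("digits"); d != "" {
		if k.Digits, err = strconv.Atoi(d); err != nil || k.Digits < 6 || k.Digits > 8 {
			return nil, errors.New("digits must be 6..8")
		}
	}
	if p := q.Get("period"); p != "" {
		if k.Period, err = strconv.ParseInt(p, 10, 64); err != nil || k.Period <= 0 {
			return nil, errors.New("period must be a positive number of seconds")
		}
	}
	return k, nil
}

// hotp is RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
// truncation to 31 bits, then modulo 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(msg[:])
	sum := mac.Sum(nil)
	off := int(sum[len(sum)-1] & 0x0f)
	code := binary.BigEndian.Uint32(sum[off:off+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// CodeAt is RFC 6238: the HOTP value for counter = floor(unix / period).
func (k *TOTPKey) CodeAt(unix int64) string {
	return hotp(k.Secret, uint64(unix/k.Period), k.Digits)
}

// Verify is the site's side: accept the current step and one step either side to
// absorb clock drift, comparing in constant time. A production verifier must also
// remember the last accepted step so the same code cannot be submitted twice.
func (k *TOTPKey) Verify(code string, unix int64) bool {
	step := unix / k.Period
	ok := false
	for d := int64(-1); d <= 1; d++ {
		want := hotp(k.Secret, uint64(step+d), k.Digits)
		if subtle.ConstantTimeCompare([]byte(want), []byte(code)) == 1 {
			ok = true
		}
	}
	return ok
}

func main() {
	// Constructed QR contents using the RFC 6238 reference secret "12345678901234567890".
	k, err := ParseOTPAuthURI("otpauth://totp/Example:alice?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")
	if err != nil {
		panic(err)
	}
	now := time.Now().Unix()
	code := k.CodeAt(now)
	fmt.Printf("%s (%s): %s, verifies: %v\n", k.Account, k.Issuer, code, k.Verify(code, now))
}
```

Nothing in this computation is specific to one app: whichever client holds the decoded secret and a correct clock produces the same six digits, which is exactly why a site that only names Google Authenticator still works with Authy.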

We hope you pass this blog post on to others who may not be aware of Authy, and please send us a note if you also have a 2FA story to tell. You may also be interested to read a more in-depth comparison of Authy vs. Google Authenticator.

Two-Factor Authentication: Building Blocks For Better Security

With every major data breach, more and more personal information, especially passwords, becomes available to cybercriminals. Consumer security fatigue, combined with the massive proliferation of online services (banking, healthcare, social media, gaming, news, insurance), means the need for improved account security has never been greater: better protection, but without huge friction. Users want to be secure, but they also want easy access to their applications.

There is evidence to support this. In the last 24 months, three billion records were lost online. In 2016, the number of US data breaches tracked hit an all-time record high of 1,093, and in 2017 the number rose to 1,579. Many of these end up in the weekly news cycle, which is raising consumer awareness that they need to better protect themselves online. Two-factor authentication (2FA), an additional layer of security that makes it harder for attackers to gain access to a person’s devices and online accounts, has seen a significant increase in activity in the last year.

While robust measures to prevent customers’ data being compromised are important, businesses must also understand that people want to log into their accounts without hassle.

Getting it right

Adding better account security with 2FA is a vital component of keeping your business’ and customers’ information safe. Two of the biggest challenges businesses face with two-factor authentication are making sure their customers understand why it should be activated, which I will come to later, and making sure they offer the most secure and user-friendly method possible. This brings me first to the discussion of push notifications versus SMS and voice call.

Companies that have implemented 2FA traditionally ask people to verify their identity by entering a one-time passcode sent by SMS or voice call immediately after they have entered their username and password. This is often considered cumbersome: the customer has to leave the application to look at their phone or listen to an automated call, then remember the code and type it into the application.

Aside from being inconvenient, SMS and voice passcodes have a security problem. There are proven ways for an attacker to intercept a voice call or SMS, most commonly by persuading the carrier to move the victim’s number to a SIM the attacker controls (SIM swapping) or by abusing the SS7 signalling network that routes messages between carriers. If they already have your username and password, the 2FA step is then defeated. These methods, while not very common, have been used to empty bank accounts and take over high-profile social media accounts.

Adding to the poor user experience, users who receive a code via SMS when they are not logging in are often left wondering what to do next in order to protect their account. By the time they’ve Googled a support number or found the correct email address for the website being attacked and made contact with support, their account has likely already been taken over.

Users can get the same kind of code without the risks of SMS and voice by installing an authenticator app on their phone or desktop. The app generates the passcode locally from a secret shared with the site (TOTP), so there is nothing to intercept in transit, but the process still presents users with a less than desirable login experience: they still have to find the app, read the code and type it in before it expires.

Push authentication

There are better options, however, and this brings me to push authentication, which is by far the most user-friendly and secure form of two-factor authentication. In fact, companies like Yahoo and Google are using push authentication to replace the use of passwords at login time entirely. The process starts with a push notification to a smartphone or desktop application, which launches with a message similar to “someone in Beijing, China on a Windows 10 device is trying to log in right now, is it you?” and presents the user with two options: accept or deny. If the customer says “deny”, the application can stop the attacker immediately without the user needing to contact the bank or company in question.

Push authentications also enable businesses to provide more information to customers to help them make an informed decision. For example, it might say “you are logging into your bank account on an IP address which is in San Francisco, using a Safari browser on a MacBook Air”, with a map of where the request is coming from. It can also include company branding to reassure the user that they are getting the request from the right source. All of that information helps the user to look at it and say “yeah that’s me logging in on my machine” or “that’s not me logging in from Russia on a Windows laptop.”
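The exchange described above, as an added example in Go that is not Twilio’s or Authy’s code: the server mints a one-time request carrying the login context, the phone shows it and signs the user’s accept or deny decision with a key enrolled at setup, and the server only lets the login through for a valid, unexpired, unused “approve” from a device that belongs to that user. The per-device Ed25519 key, the signed message format, the two-minute lifetime and all names are assumptions for illustration; the login context values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// LoginContext is what the push prompt shows so the user can judge the request.
type LoginContext struct{ IP, Location, Device string }

// ApprovalRequest is minted after the password check and carried in the push.
type ApprovalRequest struct {
	ID, UserID string
	Context    LoginContext
	ExpiresAt  time.Time // two-minute lifetime below is an assumed value
	resolved   bool
}

// Server keeps enrolled device keys (keyed by user/device) and pending requests.
type Server struct {
	devices map[string]ed25519.PublicKey
	pending map[string]*ApprovalRequest
	now     func() time.Time // injectable clock so expiry can be exercised
}

func NewServer() *Server {
	return &Server{devices: map[string]ed25519.PublicKey{}, pending: map[string]*ApprovalRequest{}, now: time.Now}
}

// Enroll stores a device's public key under its owner; the private key never leaves the phone.
func (s *Server) Enroll(userID, deviceID string, pub ed25519.PublicKey) {
	s.devices[userID+"/"+deviceID] = pub
}

// StartLogin creates a request with a random ID; this struct is the push payload.
func (s *Server) StartLogin(userID string, ctx LoginContext) *ApprovalRequest {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		panic(err)
	}
	req := &ApprovalRequest{ID: hex.EncodeToString(id[:]), UserID: userID, Context: ctx, ExpiresAt: s.now().Add(2 * time.Minute)}
	s.pending[req.ID] = req
	return req
}

// signedPayload binds the decision to one request ID: a captured "approve" cannot
// be replayed against a later login, and a "deny" cannot be flipped to "approve".
func signedPayload(requestID, decision string) []byte {
	return []byte("push-auth-v1\n" + requestID + "\n" + decision)
}

// NewDevice generates the phone's key pair; only the public half goes to the server.
func NewDevice() (ed25519.PrivateKey, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, pub
}

// Prompt is the phone side: show the context, take the user's choice, sign it.
func Prompt(priv ed25519.PrivateKey, req *ApprovalRequest, userApproves bool) (decision string, sig []byte) {
	c := req.Context
	fmt.Printf("Someone in %s on a %s device (%s) is trying to log in. Is it you?\n", c.Location, c.Device, c.IP)
	decision = "deny"
	if userApproves {
		decision = "approve"
	}
	return decision, ed25519.Sign(priv, signedPayload(req.ID, decision))
}

// Resolve verifies the signed decision. It returns (true, nil) only for a valid
// "approve" on an unexpired, unanswered request signed by a device enrolled to that
// user; a valid "deny" returns (false, nil) and ends the attempt on the spot.
func (s *Server) Resolve(requestID, deviceID, decision string, sig []byte) (bool, error) {
	req, ok := s.pending[requestID]
	switch {
	case !ok:
		return false, errors.New("unknown request")
	case req.resolved:
		return false, errors.New("request already answered (replay?)")
	case s.now().After(req.ExpiresAt):
		return false, errors.New("request expired")
	}
	pub, ok := s.devices[req.UserID+"/"+deviceID]
	if !ok {
		return false, errors.New("device not enrolled for this user")
	}
	if !ed25519.Verify(pub, signedPayload(requestID, decision), sig) {
		return false, errors.New("bad signature")
	}
	req.resolved = true // exactly one answer per request
	return decision == "approve", nil
}

func main() {
	s := NewServer()
	priv, pub := NewDevice()
	s.Enroll("alice", "phone-1", pub)
	req := s.StartLogin("alice", LoginContext{IP: "203.0.113.7", Location: "Beijing, China", Device: "Windows 10"})
	decision, sig := Prompt(priv, req, false) // the user taps "deny"
	allowed, err := s.Resolve(req.ID, "phone-1", decision, sig)
	fmt.Println("login allowed:", allowed, "error:", err)
}
```

The security of the flow rests on the decision being signed over the request ID rather than the device merely posting “yes” back: without that binding, an attacker who can observe one approval could replay it against their own later login attempt, and the context shown to the user would protect nothing.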

SMS & Voice still needed

But while push authentication is the future, I’d like to make the point that we mustn’t disregard SMS and voice calls as viable 2FA options. Firstly, just using 2FA via SMS is a massive improvement in security over username and password alone. The examples of people being able to fool the carriers into sending the SMS and voice calls to another device are still complex and rare. Also, not everyone owns a smartphone through which to download apps and receive push notifications. Finally, SMS is often a great option to fall back on when a push authentication isn’t going to work.

I myself use push authentication at every possible opportunity. However, I travel to countries where I don’t always have an internet connection on my phone to receive the request, so being able to fall back to SMS when I need to is essential for maintaining access to my online applications. Companies must be aware that it is critical to cater to all consumers and their environments, so that everyone has access to better account security. That said, I do believe that push notifications are the most user-friendly and secure form of 2FA currently available, and that businesses really need to include them as part of their offering, so that those who do have a smartphone have the ability to use them.

Access for all

Technology vendors have a responsibility to make the most advanced 2FA technology available to even the smallest of businesses. Twilio, for example, offers advanced two-factor authentication technology to companies which don’t have the budget or manpower to build something from scratch in-house. Not only are these companies able to be more secure and offer seamless customer experience when it comes to 2FA, they also can focus on running their business — while relying on Twilio’s expertise and deep experience in delivering this service to power their backend.

To put this into perspective, I spoke to the founder of data storage company Datto, who said that after they had built their business and secured their unicorn valuation, they calculated that, based on their USD $1 billion valuation, the time the founders spent developing software was valued at nearly USD $24,000 per hour. He also told me that, at the beginning, they built their own content management system which in the end didn’t work and they had to abandon it. That investment was very costly in time and effort, with no valuable return. Based on this, he said if he had to do it again, he wouldn’t build a security product, he would purchase a well-built product at a competitive price which the vendor will maintain.

Online finance is the big target

Offering a robust and secure service is key to all service providers, but none more so than financial technology companies (fintechs). Online account security is about defending yourself against someone who is trying to do you harm by either hacking your online social profile or taking your money. And money is the big one. Money is the primary driver of why people go after an account. Therefore financial services are a big target.

There are a number of companies that are really leading the way in this sector, and one that stands out is Transferwise. Transferwise uses the Twilio Authenticator SDK, which enables it to roll out borderless authentication; this is particularly important for a user base that often travels across multiple countries and uses multiple SIM cards. An authentication message bound to a specific geographic phone number isn’t ideal for such users, so Transferwise offers 2FA push authentication as an alternative.

A role to play

While there are companies leading the way and consumers becoming increasingly aware of two-factor authentication, there is still a long way to go. We all have a role to play with regards to educating people about the importance of online safety and keeping their personal information protected.

I say it’s a bit like teaching people how to cross the road. We have an obligation to teach our children to stop, look and listen before crossing a road. We have the same obligation to teach our peers, family, and the next generation about how to protect themselves online.

Two-factor authentication is a good starting point. Companies need to educate their customers about the importance of having it activated, and consumers need to be aware of the important role it plays. We live in a world where consumers share more personal information than ever before, and we have an obligation as a society to ensure that this information is kept safe and secure.

This article was originally published in The Australian

Is The Internet Getting Safer?

We look at the trends for how websites and consumers deal with the threat of data breaches.

Connecting our human selves to our digital identities is hard. How does your bank know it’s really you behind the browser opening a new account? How does Facebook know the person logging in from a computer in Turkey is you on vacation, and not some cybercriminal?

Since the early 1960s, we’ve been relying on usernames and passwords to make the connection between people and their computers. However, given today’s constant barrage of hacked websites and stolen data, it’s clear we can no longer rely on a simple username and password to keep us safe. How is it that so many companies, large and small, do not adequately protect our data? Are developers working on improving security in the applications they build? Are we any safer now than we were a few years ago? When data is lost in a breach, what should users do?

Twilio and npm, two companies with a unique view into the answers, have come together to examine these questions.

npm is the world’s largest software registry, an open source tool that allows anyone to access the building blocks of the internet’s software and publish their work for others to discover, download, and use.

Twilio is a leading cloud communications platform (Authy is a Twilio product). Developers use their APIs to add messaging, voice, and authentication capabilities to their applications. One of the common uses of Twilio is to add two-factor authentication (2FA) to websites and avoid account takeovers when someone’s username and password has been stolen. Twilio also creates Authy, a popular smartphone app used for storing 2FA data. Twilio has insight into the habits and trends of users enabling better security for their online accounts.

We combined data from the past 24 months to look at trends of developers adding security to their applications and users taking advantage of it. We used much of this data to create a downloadable “Is the internet getting safer?” infographic.

Before we tried to understand the trends we see in our own data, we looked at the trends of breaches taking place and the user’s awareness of how to better secure themselves.

Breaches galore

To analyze data breaches, we used data from two sources: idtheftcenter.org and Troy Hunt’s haveibeenpwned.com. Both collect public information on data breaches but in slightly different ways. Troy Hunt collects large databases of exposed identities from around the world, sometimes aggregating up many breaches in one. The non-profit org Identity Theft Resource Center (ITRC), which runs idtheftcenter.org, collects known breaches only from the US but also enumerates breaches on a per-incident basis, whether or not the number of exposed records is known.

Since 2005, the ITRC recorded almost 1.1 billion exposed records from US companies in a total of almost 8200 incidents. In the last 24 months, only 43.9% of disclosed breaches reported how many records were lost, therefore, the actual number is likely to be significantly larger.

In the same 24 months, Troy Hunt’s data shows a whopping 2.9 billion globally exposed user records. Going back to 2005, when the ITRC first started tracking, there were 157 reported incidents in the US. In 2017, this total rose 905%, to 1,579.

The ITRC also keeps track of which types of business report breaches. Looking at 2016 and 2017, its breakdown of incidents per category (available at the ITRC link below) covers businesses and organizations across nearly every industry and sector that consumers use.

ID Theft Center data from https://www.idtheftcenter.org/2017-data-breaches

Consumers want solutions

The news is full of reports of these breaches and of the companies being hacked. Consumers are frequently encouraged to change their passwords, but a survey by Intel in 2016 found that the average person keeps track of 26 separate passwords.

The most reliable way for consumers to secure their online accounts and data is to bolster passwords with a second piece of information. Commonly called two-factor authentication (2FA), this typically involves a one-time passcode being sent, at time of login, via SMS or a voice call. Even if an attacker had your password, they would also need your phone before emptying your bank account. (For high-security services like financial institutions, there are concerns over the safety of SMS; many of these companies prefer app-based 2FA in the form of authenticator apps like Twilio’s Authy, which generate the code on the device instead of sending it over the phone network.)

Unfortunately, not every website has 2FA enabled. A quick look at twofactorauth.org will show that only half of the internet’s 1,000 most popular websites offer any form of 2FA. In reality, for all sites across the web, that percentage is likely much lower. But according to Google Trends, there is a very real demand for understanding 2FA. In the last 24 months, the number of consumers searching for information about 2FA increased 488%.

Developers are taking action

Hackers continue to successfully expose user data, but developers are starting to look for ways to improve the security of their apps and builds. npm analyzed the metadata of every security package on the Registry — a publicly-searchable collection of almost 700,000 modules of reusable JavaScript code accessed by over 12 million developers per week — and uncovered some dramatic trends:

  • Over the last two years, there has been a growing interest in security in general. Downloads of the most popular security packages have increased 548% since January 2016.
  • 2017 saw greatly accelerated interest in security. While monthly download counts of security packages increased 51% between January 2016 and December 2016, the same packages saw a 254% increase in monthly downloads from January 2017 to the present day.
  • Some popular packages for supporting two-factor authentication have also grown in popularity, seeing a 320% increase in downloads over the last 24 months.

That developers are downloading security tools in such volume illustrates a growing pressure to augment applications with better security tooling. The massive increase also may indicate a greater trust in the value and effectiveness of open source security. In order to tackle persistent security problems, developers are learning that the thriving open source community can address vulnerabilities and offer solutions more rapidly than any single developer or team.

The whopping 320% increase in downloads of 2FA packages shows just how rapidly 2FA is becoming a security standard across applications and industries. This is further supported by the increasing download counts of 2FA packages for even less popular frameworks, which illustrates the proliferation in 2FA tools available to developers.

npm’s registry search is used an average of 23,000 times per day by developers; we analyzed search behavior based on packages’ popularity and keywords like “security” and “optimal”. Registry searches for terms like “2FA” and “authentication” have increased 31%, demonstrating a growing interest in 2FA: not only are more 2FA packages being downloaded and included in developers’ projects, but more developers still have expressed interest in adding this type of security to the applications they build.

Users are better protecting themselves

At the other end of the security chain are the users. Twilio’s 2FA authenticator app Authy (available for iOS, Android, Windows, and macOS) allows users to store and back up their 2FA tokens from multiple services in a single app. Consider it a password manager for 2FA data. Twilio also has a range of APIs that allow developers to easily embed 2FA into their applications. This API is used by companies like Twitch, CloudFlare, and SendGrid.

We started by looking at the Twilio 2FA API to track trends for how our customer’s users are enabling and using 2FA. Over the past 24 months, we saw a 538% increase of users logging in with 2FA enabled accounts, but this data only reflects people using the Twilio API to deliver 2FA to their users. We can also look at the Authy app, which is used as a client for the API, and also allows users to scan in 2FA QR Codes for websites that have implemented their own 2FA solution. We saw users scanning in 575% more 2FA codes a month at the end of 2017 compared to the start of 2016.

Progress is being made

What conclusions can we draw from all this data? From an application perspective, it’s clear that data breaches are not slowing down and this is leading developers to look to the open source community for solutions. Data breaches are likely to continue, but tools like 2FA give developers and consumers the ability to secure their data when older security processes fail.

But is the internet getting any safer? Enabling 2FA definitely ensures user accounts are a lot more secure than just using passwords. Our evidence shows 2FA usage is increasing significantly, a sign that our online accounts are better protected. But to truly know if our online lives are becoming safer, we will need to revisit this data next year to see if breach rates slow down and 2FA’s ubiquity grows.

In the meantime, we have a few points of advice for developers trying to better secure their applications.

Our data shows that 2FA is seeing significant growth in popularity, and that’s a good thing: 2FA is one of the best ways to protect online accounts against takeovers. For 2FA to become mainstream, applications must adopt modern 2FA methods such as push authentication. This would improve the user experience and encourage developers to make 2FA mandatory, not just optional, and therefore make strong security the default for all our online accounts.

While we wait for 2FA and better authentication to become the norm, it’s definitely a good idea to sign up for services that monitor whether your account data has been exposed. All users should follow these simple steps to better protect themselves online:

Download the infographic

You can download and share our “Is The Internet Getting Safer?” infographic here.

Deprecating Authy for WordPress

Starting today, January 12, 2018, the official Authy plugin for WordPress is deprecated, and we are recommending that our Authy WordPress Plugin customers find other 2FA plugins to protect their WordPress sites with two-factor authentication. This does not affect the Authy API and Authy app, which will continue working unchanged for any other sites or plugins that are using them. Only the official Authy WordPress Plugin is changing.

This decision has been a hard one, and a long time coming. It’s been a pleasure working for—and with—the WordPress community and we’ve found incredibly passionate users there who have helped us make our product better. However, as we’ve grown, we haven’t been able to give the plugin the attention that it deserves and we know that our first duty is to make sure that we don’t do anything which would put our customers in danger. Creating and maintaining a great security plugin requires focus. And we just have not been able to give the Authy WordPress Plugin that same level of focus anymore.

Our resources are now entirely dedicated to the Authy API and the Authy app, which have always been at the heart of the plugin. This means that any developer who wants to add 2FA to their website, or even to a plugin, can still use Authy.

Similarly, we hope you and your end-users love using the Authy app, which will continue to be free, and which we are continuously working to improve. You may not be aware that the Authy app works even on websites that don’t use Authy, as long as they support standard TOTP (like Google Authenticator), so you can continue using the Authy app if you’re using Jetpack’s built-in two-factor authentication support.

Thank you for all of your support, if you have any questions, visit authy.com/help.

Twitter Updates 2FA. Allows More Control Over SMS!

Great news: Twitter has just made an important update to how its 2FA works. Users can now control whether SMS is used for 2FA logins to Twitter, and this is a GREAT improvement. Well done, Twitter.

This tweet, however, is a little misleading. It implies that Twitter has just now made available the ability to use third-party authenticator apps like Authy. In reality, you’ve been able to use Authy two-factor authentication with Twitter for over a year now. What they have changed is the control over SMS being used for 2FA.

As shown in the image above, Twitter users can now PREVENT SMS delivery of login security codes. This is a really significant and long overdue change from Twitter. Many people elect to use the Authy 2FA app instead of getting login codes by text message due to fears over the security of SMS.

Before this change, SMS was required in order to configure 2FA on Twitter. That meant those who set up TOTP (time-based one-time password) protection because they wished to avoid SMS were still exposed, because SMS remained a valid fallback at login: an attacker who can intercept your texts can simply choose the SMS option, negating the security advantage of app-based 2FA. Twitter’s announcement this week allows users to remove SMS as a 2FA option and rely solely on their Authy app for the 2FA code.

How To Protect Your Tweets With Authy 2FA

So if you have not yet done so, go and set up 2FA on your Twitter account. Note that you still have to complete a phone verification step before you can secure your Twitter account with Authy. But once done, you can then go back and disable SMS.

Be aware that Twitter also uses SMS as a way for you to recover your account if you forget your password. So when disabling SMS, make sure you obtain and safely store a backup code. From Twitter’s Login Verification page, click the “Get backup code” button, then print the code or write it down and keep it somewhere safe.
