Add next-gen authentication to apps with Authy

Recently acquired by Twilio, Authy makes it easy to send codes to users' mobile phones for that extra measure of log-in security


Twilio’s recent acquisition of the Authy authentication platform makes a lot of sense. Authy’s service simplifies adding two-factor authentication to applications, and Twilio’s cloud-hosted telephony service makes it easy to deploy SMS or phone-based authentication channels.

Authy lets developers use TOTP, the time-based one-time password algorithm standardized in RFC 6238, to manage access to applications and services. Supported by Google, Microsoft, Facebook, LastPass, and a growing number of other companies, TOTP has quickly become a standard tool for adding a second authentication token to any login process.

When a user registers a TOTP client with a server, the two sides share a secret key. The client combines that key with the current time, in fixed steps, through an HMAC (SHA-1 by default) and truncates the result to a short one-time code, which the server recomputes and compares. Setting up a client is simple, and QR codes let users configure an authenticator app by scanning rather than typing the key.

Along with making it easy to add TOTP authentication to a site or service, Authy’s tools simplify the process of adding and managing users. A set of JavaScript libraries form the heart of the offering, with variants for other languages and platforms.

Adding the second factor

You start by adding cellphone and country fields to an existing registration form. Users fill in these fields to register with the Authy service, and the values are stored by Authy, along with user email addresses. Once users are registered, Authy returns an ID that can be stored in your existing database table.

Now you can add the new step to your login process. Once a username and password have been validated, the user is prompted to enter the TOTP code associated with the stored Authy user ID. A delete API removes users from your application, letting you unregister those who no longer access your services.

Authy is not a replacement for your existing user management tools. You’ll still need to keep those usernames and passwords secure, via one-way encryption, a hefty salt, and a solid hash. Adding TOTP to an authentication process only ensures that users are able to access a service if they have an appropriate second device with them, one that’s able to generate the correct authentication code.

The unique identifier for anyone registered with Authy is their phone number. That means a user who registers twice with different email addresses but the same phone number gets the same Authy ID. That is a problem when users share a phone; to support that, keep a separate primary key for your own user records rather than relying on the Authy ID.

There’s no need for specific formatting for phone numbers, which is always a problem if you’re building an international service. Numbers can be stored with any common separator -- or with nothing at all.

One key difference between Authy and other TOTP implementations is its fallback options. If a user is registered but isn't using the Authy app on their phone (for example, because they run an unsupported smartphone OS), there's the option to send a code via SMS. If a user installs the app, they'll need to use the codes it generates (though there is the option to override this and send a code via SMS). For users without smartphones, Authy can generate a code and deliver it via a phone call -- a convenient option for users who've managed to leave their registered device at home.

Authy as an early-warning system

When you work with a service like Authy, you have greater visibility into your users’ actions, and it becomes easier to detect behaviors that might be associated with an attempt to access an account.

Multiple failed logins without a TOTP response on any registered device or number indicate that an account has been partially compromised. If that’s followed by an attempt to change the registered device, then it’s likely that usernames and passwords have been lost, but an attacker doesn’t have access to a registered device, at which point you can lock out the account.
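Here is an added example of the early-warning logic described above, written for this page rather than taken from Authy. It runs a small per-user state machine over a constructed stream of login events: repeated second-factor failures after a successful password check mark the password as suspected compromised, and a device-change request while in that state locks the account. The event names, threshold and window are assumptions; in a real deployment the events come from your login handler and from the result of each verify call.

```python
from collections import defaultdict, deque

FAIL_THRESHOLD = 3      # second-factor failures within the window before we suspect the password
WINDOW_SECONDS = 600    # how long failures stay relevant

# Events that mean the password passed but no valid TOTP code arrived.
SECOND_FACTOR_FAILURES = {"totp_fail", "totp_no_response"}

# Constructed sample events: (unix_timestamp, user_id, event). Not real log data.
SAMPLE_EVENTS = [
    (100, "alice", "password_ok"), (101, "alice", "totp_no_response"),
    (160, "alice", "password_ok"), (161, "alice", "totp_no_response"),
    (220, "alice", "password_ok"), (221, "alice", "totp_no_response"),
    (300, "alice", "device_change_requested"),   # attacker without the phone tries to re-enroll
    (400, "bob", "password_ok"), (402, "bob", "totp_ok"),
    (500, "carol", "password_ok"), (501, "carol", "totp_fail"),   # one typo, then success
    (560, "carol", "password_ok"), (565, "carol", "totp_ok"),
]


class SecondFactorMonitor:
    """Tracks, per user, whether the password looks lost while the second factor still holds."""

    def __init__(self, threshold: int = FAIL_THRESHOLD, window: int = WINDOW_SECONDS):
        self.threshold = threshold
        self.window = window
        self.failures = defaultdict(deque)   # user -> timestamps of recent second-factor failures
        self.state = {}                      # user -> "ok" | "credentials_suspected" | "locked"

    def observe(self, ts: int, user: str, event: str) -> str:
        recent = self.failures[user]
        while recent and ts - recent[0] > self.window:   # drop failures older than the window
            recent.popleft()

        if event in SECOND_FACTOR_FAILURES:
            recent.append(ts)
            if len(recent) >= self.threshold and self.state.get(user) != "locked":
                # Password accepted repeatedly, second factor never satisfied:
                # the account is partially compromised.
                self.state[user] = "credentials_suspected"
        elif event == "totp_ok":
            # The registered device answered correctly; clear the suspicion.
            recent.clear()
            if self.state.get(user) != "locked":
                self.state[user] = "ok"
        elif event == "device_change_requested" and self.state.get(user) == "credentials_suspected":
            # Someone with the password but not the device is trying to swap the device: lock.
            self.state[user] = "locked"
        return self.state.get(user, "ok")


def evaluate(events, threshold: int = FAIL_THRESHOLD, window: int = WINDOW_SECONDS) -> dict:
    """Replay events in time order and return the final state of every user seen."""
    monitor = SecondFactorMonitor(threshold, window)
    for ts, user, event in sorted(events):
        monitor.observe(ts, user, event)
    return {user: monitor.state.get(user, "ok") for _, user, _ in events}


if __name__ == "__main__":
    for user, state in sorted(evaluate(SAMPLE_EVENTS).items()):
        print(f"{user}: {state}")
```

A locked account should require a recovery path that does not depend on the password alone, since that is exactly the credential this signal says has leaked.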

Authy offers the option of using its Phone Verification and Intelligence APIs to give you more control of your users’ phone connections. With the Phone Verification API, you can send a code to a phone number to ensure that a user attempting to log in to your service is on the device that’s been registered -- as well as giving you an additional verification option for a phone number during account setup.

Similarly, the Phone Intelligence API will let you know if a number is a cellular device, a landline, or a VoIP connection. Testing numbers regularly will allow you to check if numbers are being spoofed or if a user’s connection type has changed and they need to alter their authentication options.

An added touch

Authy recently added an alternative to TOTP in its suite called OneTouch, its new mobile authentication option. Designed to take advantage of mobile device ubiquity and built into the Authy app or into its device SDKs, OneTouch is a codeless authentication service. When a user logs into an application or service, a push notification is sent to his or her device. All the user needs to do is accept the notification to access the service -- or deny it and end the connection.

Building OneTouch into an application is similar to working with Authy’s TOTP tools. A REST API handles connections between your app and the cloud authentication service. Users register devices via the same APIs as the TOTP service, simplifying development and transition to new tools.

You can then push an approval request to the user's device, along with any graphical elements you want to include. Then all you need to do is check the approval status of the request and, when approved, give the user access to your application. Authy now also gives you the option of implementing cryptographically signed callbacks, reducing the risk of spoofed or tampered approval results injected by a man-in-the-middle.

Two-factor authentication isn’t your only option for securing applications, but with standards like TOTP and services like Authy’s, it’s one of the easiest to deploy -- adding teeth to common authentication design patterns. Automating it via push in the new OneTouch service also makes it a lot more user-friendly, reducing complexity and letting users accept and access it on a regular basis more easily. The more it’s used, the more secure your applications are going to be.

Copyright © 2015 IDG Communications, Inc.
