Jeff Lawson, Co-Founder, CEO, and Chairman
In recent years, there has been a massive increase in the number of websites losing their users’ personal data. And as cybercrime gets more sophisticated, companies find their old security systems unable to match modern threats and attacks. Organizations of all sizes—global companies, small businesses, start-ups, and even non-profits—can suffer severe financial and reputational loss. For consumers, the after-effects of a targeted hack or identity theft can be devastating. Stolen credentials are used to open fraudulent credit cards and fund shopping sprees, which can damage the victim’s credit rating. And entire bank and cryptocurrency accounts can be drained overnight. Clearly, online sites and apps must offer tighter security. And, whenever possible, consumers should build the habit of protecting themselves with something that’s stronger than just a password. For many, that extra level of security is two-factor authentication (2FA).
Simply put, 2FA is an extra layer of security that ensures that the person trying to gain access to an online account is who they say they are. In traditional 2FA, a user enters their username and a password. Then, instead of immediately gaining access, they are required to provide another piece of information. This second factor can come from something they know, something they have, or something they are. With 2FA, compromising just one of these factors is not enough to open the account. So, even if a password is stolen or the phone linked to an account is lost, it is highly unlikely that someone else also holds the second factor. Looking at it from another angle, if a consumer uses 2FA correctly, websites and apps can be more confident of the user’s identity before they unlock the account.
That’s where Twilio comes in. Through its 2FA-based solution Authy, the company delivers a robust API and app that helps clients secure their users and future-proof their business.
Think 2FA. Think Authy.
Twilio had entered the 2FA space back in 2015 when it acquired Authy, a Y Combinator-backed startup that offered two-factor authentication services to end users, developers and enterprises. At the time, Authy said that about 6,000 sites used its service to protect their users, including Coinbase, MercadoLibre and CloudFlare.
The service had recently raised a major funding round and brought on Marc Boroditsky, an experienced entrepreneur and the former vice president of Identity and Access at Oracle, as the company’s president and COO.
As Authy founder Daniel Palacio mentioned at the time, the company was going to use that funding to make a push into the enterprise space. This, together with the fact that communication services and strong authentication go well together, made the matchup between the two companies a reality. Twilio CEO Jeff Lawson said that the entire Authy team would join his company effective immediately. Palacio was to lead Twilio’s product and engineering team for authentication solutions, and Boroditsky became Twilio’s general manager for authentication solutions. He stated, “Over the past few years, Twilio has powered components of the authentication and verification experience for brands like Intuit, Box and GitHub. In doing so, we saw several common heavy-lifting processes that each customer had to build independently.”
Today, Authy delivers the best combination of compatibility, usability, security, and reliability. To use Authy, the user logs into an online account with two-factor authentication enabled. The site first asks for a username and password, and then asks for a code. Even if someone gets hold of the username and password, they still can’t log into the account without the code. This code, which is time-sensitive, can come to the user via SMS, or it can be generated by a two-factor authentication app, such as Authy, on the phone. When users open Authy they see a grid with large icons that makes it easy to find the account they are looking for and copy the security token.
Delivering Inherited Trust
Compared to other authentication apps, Authy is also available on more platforms, including iOS, Android, Windows, Mac, and Chrome, and it features PIN and biometric protection for the app.
Unlike most other two-factor authentication apps, Authy includes a secure cloud backup option, which makes it easier to use on multiple devices and makes users’ tokens simple to restore if they lose or replace their phone.
The fact that the backup is optional lets the users decide what, if any, security risks they are willing to take in favor of usability.
Additionally, one of the other features that sets Authy apart from other authentication services is that users can sync up many devices, so if a device is lost or stolen, they won’t lose access to all Authy-protected accounts. The Authy feature that makes this possible is called “Multi-Device.” When users first install the Authy app on a device, such as a mobile phone, they should install it again on another device, such as a tablet or desktop, as a backup. During that install, SMS/voice can be used to authenticate the new device, or the existing device can approve it. In some instances, users might find that SMS/voice is disabled and must, therefore, use another device for the approval, as is the case with a cryptocurrency vendor such as Coinbase or Gemini. “We call this ‘inherited trust,’ where an already trusted device can extend this trust to another device. This means that you can authorize any other device to access your accounts, and the new device can further extend trust to other devices,” says Lawson.
Authy is then accessible on every device the user has authorized, and users can enable as many devices as they desire. But after installing the Authy app on more than one device, they should disable Multi-Device, since blocking further enrollments reduces the attack surface. When users have multiple devices, they have multiple surfaces that are exposed to attack. With Multi-Device disabled, no one can add a rogue device to the account, even if they have illegally intercepted the user’s SMS messages or voice calls.
The Future Looks Bright
Through Authy, Twilio has indeed carved a unique niche in the 2FA space. Over the past year, Twilio has been adding new services to its platform to boost its average revenue per customer. To that end, it launched the Twilio Enterprise Plan, which offers security, access management, and administration tools for large organizations.
If Twilio develops or acquires more cybersecurity assets for that platform, it could evolve into a full-featured cybersecurity company that encrypts all the data delivered across its protected mobile apps. That move would certainly lock in more customers and widen its moat against rivals like Vonage. In many ways, Twilio resembles a young Salesforce. This is why the company recently hired former Salesforce COO George Hu as its new COO. With Hu on board, Twilio can start diversifying its business with additional cloud-based services. For example, Salesforce expanded inorganically to diversify its core CRM (customer relationship management) business into four main segments—its Sales Cloud, Service Cloud, Marketing Cloud, and Salesforce Platform.