
Get Total Control Over 2FA Implementation

This is the third article in the 3-part series: App Security: To Build or To Buy?

While it might seem easy to add 2FA to your application, operating it long term is not trivial. There are many more aspects to a successful and easy-to-use 2FA solution than just implementing the OTP standard in your login. Delivery of tokens, managing multiple vendors (SMS, voice, push notification network) and handling end user support can amount to significant time and cost.

The final piece in the puzzle of building your own 2FA solution is securing the whole implementation. First, you must securely create the 2FA authentication software. Then you need to ensure it is correctly implemented. Managing the entire 2FA lifecycle means putting processes around credential generation, issuance, expiry, revocation, emergency access, retries, lockouts and so on. While 2FA is about improving the security of your application, your app is at risk if the 2FA service itself has a vulnerability. Making sure your 2FA code, the service, support processes, and end user practices are secure is critical.

Do you ensure the 2FA logic in your application is well secured? Do your developers have the knowledge to keep it up to date based on newly found methods of attacking 2FA or security vulnerabilities in general?


If you decide to build your own from scratch, you will end up heavily involved in cryptography: generating the TOTP tokens and validating them, securing storage of the keys, and implementing public/private key mechanisms to secure server-to-client push notifications. This can be a hornet's nest of complexity and, without expert knowledge, often a really bad idea.
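To make concrete how much of the lifecycle described above (token generation and validation, key storage, retries and lockouts) lands on the application developer, here is an added example that is not part of the original article and not Authy's code: a minimal RFC 6238 TOTP generator and a server-side verifier that tolerates clock skew with a small window, rejects replayed codes, uses a constant-time comparison, and locks the account after repeated failures. The `TotpVerifier` class, its parameter names and the `new_seed` helper are illustrative choices made here; the test vector key `12345678901234567890` is the one published in RFC 6238.

```python
import base64
import hashlib
import hmac
import secrets
import struct

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length (RFC 6238 default)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: float, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at) // step, digits)


def new_seed(nbytes: int = 20):
    """Generate a random shared secret and its base32 form for provisioning
    (e.g. an otpauth:// QR code). The raw seed must be stored encrypted at rest;
    anyone who reads it can mint valid codes. Helper name is illustrative."""
    raw = secrets.token_bytes(nbytes)
    return raw, base64.b32encode(raw).decode("ascii").rstrip("=")


class TotpVerifier:
    """Per-user verification state: replay guard plus failure counting and lockout.
    Illustrative class, not a library API."""

    def __init__(self, key: bytes, window: int = 1, max_failures: int = 5,
                 lockout_seconds: int = 300):
        self.key = key
        self.window = window                  # accept +/- this many steps of skew
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.last_counter = -1                # highest time step already accepted
        self.failures = 0
        self.locked_until = 0.0

    def _match(self, code: str, current: int):
        """Return the time step whose code matches, or None."""
        if len(code) != DIGITS or not code.isdigit():
            return None
        for counter in range(current - self.window, current + self.window + 1):
            if counter <= self.last_counter:
                continue                      # a code for this step was already used
            # constant-time comparison so attempts leak nothing via timing
            if hmac.compare_digest(hotp(self.key, counter), code):
                return counter
        return None

    def verify(self, code: str, now: float) -> str:
        """Return 'accept', 'reject' or 'locked'."""
        if now < self.locked_until:
            return "locked"
        matched = self._match(code, int(now) // STEP)
        if matched is not None:
            self.last_counter = matched       # burn this step: no second use
            self.failures = 0
            return "accept"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until = now + self.lockout_seconds
            return "locked"
        return "reject"


if __name__ == "__main__":
    # Constructed walk-through: enrol a user, then verify a fresh code and a replay.
    seed, b32 = new_seed()
    verifier = TotpVerifier(seed)
    code = totp(seed, 1_000_000)
    print("provisioning secret:", b32)
    print("fresh code:", verifier.verify(code, 1_000_000))   # accept
    print("same code again:", verifier.verify(code, 1_000_005))  # reject (replay)
```

Even this toy leaves out most of what the article lists: the seed has to be generated during enrolment and encrypted in the database, the replay counter and lockout state have to persist and survive across servers, and the reset and emergency-access paths around it are where weak implementations are usually bypassed.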

This brings us to the next problem with building your own 2FA service. For many hackers, targeting the 2FA service itself is a common way to gain illegitimate access to an app. Poorly designed or configured 2FA solutions can easily be circumvented by attacking the 2FA reset process. There are also methods of capturing the 2FA token by phishing.


Clearly, the investment and risk in building your own 2FA are significant. That’s why Authy was created. Authy is a cloud-based API and service that removes the complexity and effort in adding 2FA to your application. Because it is an API, it gives you total control over how and when to implement 2FA into your application. Yes, that does mean you are still writing code, but the difference is that the amount of code is significantly reduced, in some cases from hundreds of lines of code to a small handful. Authy hosts all the complexity in a cloud service with constant security testing and monitoring. We handle the SMS delivery via multiple providers, and we also have voice and push notification. Our global team is dedicated to the production, maintenance, and security of the 2FA service, our clients, SDKs and code libraries. And because our API is so streamlined, our customers find their developers can integrate Authy into their application in no time.

Companies large and small have chosen Authy to strengthen the security of their platforms and applications. And because the complexity of 2FA is abstracted away from our customers' integrations, we can make service improvements without any changes to the customer code.

Not only is our API very easy to use, but we've also built the best-loved 2FA smartphone app on the market. Users love that it can back up all their accounts and allow them to be used across multiple devices. And if a user loses or changes a phone, no worries, they just restore their tokens on another device.


It’s no wonder that our end user application has earned the highest ratings from both the Apple and Google app stores, and an “Excellent” rating from PC Magazine. With over 3 million users having downloaded our free app on mobile devices and desktops for use with Google, Microsoft, Amazon, Twitch, Twitter, Facebook and hundreds of other services, your users probably already have Authy.

And if you already have a smartphone app, you’ll appreciate that our SDK lets you embed all Authy functionality directly into your existing application with the minimum of development!

Want more? Read the full whitepaper: Why You Can Buy Your Application Security And The Build With It

About the author Simon Thorpe

Simon works in the product group at Authy and has over 15 years of experience in the security and identity management space. Working at companies like Oracle, Microsoft and Okta, he has spent a lot of time understanding and architecting solutions to secure all sorts of information. At Authy he works closely with the whole team to deliver a world class solution for developers to build security into their applications.