In response to a security breach, Dropbox promised to add an optional new layer of security known as two-factor authentication. If you want to add two-factor authentication to your own app but don’t know where to start, you’re in luck: Authy is a Y Combinator backed startup launching today that makes it easy to add optional two-factor authentication to your application. You just add some API calls to your app and your users will be able to use their phones as a second layer of authentication.
Two-factor authentication means you need something extra besides just a password to access a site or service – something you have, something you know or something you are. Something you have could be a security card or a hardware dongle. Something you are could be proved with biometrics, like a thumb print or retina scan. Something you know could be your mother’s maiden name, a security question or a particular image. In the case of Authy, it’s a combination of something users have, their cell phones, and something they know: a number generated by Authy.
Users can get the required number, called a token, from Authy either through SMS or by installing an app. You can find out more about how the process works on the Authy site.
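The article doesn’t say how Authy derives its numbers, so the following is an added illustration (not Authy’s code) of the standard way a phone app produces a short-lived token: the time-based one-time password scheme from RFC 6238, built on HMAC (RFC 4226). The secret key below is the published RFC test key, used here only so the output is checkable; the replay guard (`last_used_counter`) and the one-step clock-skew window are design choices of this example, not something the article describes.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Shared secret provisioned to the user's phone at enrolment.
# This is the RFC 4226 / RFC 6238 test-vector key, embedded only so the
# numbers below can be checked against the published vectors.
SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                            # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of elapsed steps."""
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, submitted: str, at_time: float, step: int = 30,
                digits: int = 6, window: int = 1,
                last_used_counter: Optional[int] = None) -> Optional[int]:
    """Server-side check of a submitted token.

    Accepts the current step and `window` steps either side to absorb clock drift.
    Returns the counter that matched (the caller should persist it as
    `last_used_counter` so the same token cannot be replayed), or None.
    """
    if len(submitted) != digits or not submitted.isdigit():
        return None
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        # A counter at or below the last accepted one is a replay: never accept it.
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), submitted):
            return candidate
    return None


if __name__ == "__main__":
    # Unix time 59 is step 1 in the RFC test vectors.
    print("token at t=59:", totp(SECRET, 59))
    print("accepted:", verify_totp(SECRET, totp(SECRET, 59), 59))
    print("replayed:", verify_totp(SECRET, totp(SECRET, 59), 59, last_used_counter=1))
```

The two points worth noticing for a defender: the comparison is constant-time, and a token is bound to one counter so it can be used once. A token sent over SMS is produced the same way on the server side and delivered instead of computed locally, which is why the article treats the two delivery routes as equivalent.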
Authy was founded and developed by Daniel Palacio. For the past two years Palacio has been working as a penetration tester – one of those people who get paid to spend their days (or nights or both) trying to find ways to break security systems. Before that he worked for Microsoft on the Windows security team (*cue jokes about Microsoft security* – OK, are we done now? Alright, moving on…).
Palacio tells me that he was sick of everything relying on only passwords for authentication. And though he uses a unique password for every site and service he uses, he knows he can’t expect everyone on the internet to do the same. “We know we’re not all going to go around with hardware tokens, we’re not all going to use different passwords for every site,” Palacio says. “So what are we going to do? Two-factor is the next best thing.”
Authy started as a personal project to add two-factor authentication to another app Palacio was working on, but then he realized that he could make it into a service that anyone could use. He says he was particularly influenced by Twilio, a company that provides an API for adding SMS and voice features into your apps. “We built our API around Twilio, I always loved how you could do SMS in five minutes,” he says.
Like any other form of security, two-factor authentication isn’t perfect. Your phone could be lost or stolen. And if lots of sites all started using Authy, what would happen if it were cracked? I asked Palacio about this and he points out that even if Authy were compromised, a criminal would still need your password to access your sites.
If you get a new phone, you can request a reset number from Authy that can be used to reinstall the app. If you changed numbers as well as phones you can request the reset number be sent to your e-mail address. The service will send a confirmation message to your old number and if it doesn’t hear back in 24 hours, and no one tries to access anything using your old Authy app during that time, you can then change your number in the system and add the app to your new phone.
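The number-change flow above is essentially a 24-hour hold with two abort conditions. Here it is modelled as an added example (not Authy’s implementation): a request opens a pending change, a confirmation goes to the old number, any use of the old app or any reply from the old number cancels the request, and only after the hold expires untouched does the account switch numbers. Message delivery is replaced by an in-memory outbox, the timestamps are constructed, and treating any reply from the old number as an objection is this example’s assumption (the article only says the service waits to “hear back”).

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

HOLD_PERIOD = timedelta(hours=24)   # waiting period described in the article


@dataclass
class Account:
    user_id: str
    phone: str                      # number currently bound to the Authy app
    email: str                      # where the reset code goes if the number changed too
    pending_phone: Optional[str] = None
    pending_since: Optional[datetime] = None
    log: List[Tuple[datetime, str, str]] = field(default_factory=list)  # audit trail


Outbox = List[Tuple[str, str, str]]  # (channel, recipient, text); stands in for real delivery


def request_number_change(acct: Account, new_phone: str, now: datetime, outbox: Outbox) -> str:
    """User claims a new number. Do not switch yet: warn the old number and start the hold."""
    if acct.pending_phone is not None:
        return "already-pending"
    acct.pending_phone = new_phone
    acct.pending_since = now
    outbox.append(("sms", acct.phone,
                   "A request was made to move your account to a new phone. "
                   "Reply to this message if that was not you."))
    outbox.append(("email", acct.email,
                   "Your reset code will be usable after a 24-hour waiting period."))
    acct.log.append((now, "change-requested", new_phone))
    return "pending"


def _cancel(acct: Account, now: datetime, reason: str) -> None:
    acct.log.append((now, "change-cancelled", reason))
    acct.pending_phone = None
    acct.pending_since = None


def record_old_device_activity(acct: Account, now: datetime) -> str:
    """Called whenever the app on the old number is used during the hold."""
    if acct.pending_phone is None:
        return "ignored"
    _cancel(acct, now, "old-device-activity")
    return "cancelled"


def old_number_replied(acct: Account, now: datetime) -> str:
    """The old number answered the confirmation SMS (assumption: any reply is an objection)."""
    if acct.pending_phone is None:
        return "ignored"
    _cancel(acct, now, "old-number-replied")
    return "cancelled"


def finalize_change(acct: Account, now: datetime) -> str:
    """Apply the pending change only once the full hold has elapsed without interruption."""
    if acct.pending_phone is None or acct.pending_since is None:
        return "nothing-pending"
    if now - acct.pending_since < HOLD_PERIOD:
        return "hold-active"
    acct.log.append((now, "change-applied", acct.pending_phone))
    acct.phone = acct.pending_phone
    acct.pending_phone = None
    acct.pending_since = None
    return "changed"


if __name__ == "__main__":
    t0 = datetime(2012, 8, 1, 12, 0, tzinfo=timezone.utc)          # constructed timestamp
    acct = Account("u1", "+15550000001", "user@example.com")       # constructed account
    outbox: Outbox = []
    print(request_number_change(acct, "+15550000002", t0, outbox))
    print(finalize_change(acct, t0 + timedelta(hours=23)))          # hold-active
    print(finalize_change(acct, t0 + HOLD_PERIOD), acct.phone)      # changed
```

The security property this buys is that the legitimate owner gets a full day, on the channel they still control, to notice and stop a takeover before the new device can produce tokens; the audit log is what an incident responder would later use to see whether a change was contested.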
I’d want to see this reviewed by some security experts before I used it, but it’s a cool idea and could join companies like SendGrid, Twilio and New Relic in this growing category of nearly invisible apps that help developers build better products.