Authy Blog

    Nov 6, 2014

    The meteoric rise of Two-Factor Authentication


    This month, we’ve reached a huge milestone: we’ve hit one million (and growing) unique users using Authy for Two-Factor Authentication!

    Back in 2012, when we started Authy, we had fewer than 100 users and unfortunately there weren’t many sites you could use Two-Factor Authentication on. In fact, things were so bad that the only site I was able to use 2-FA on was Gmail. It looked as if we were going to be stuck with passwords forever.

    ...


    Apr 28, 2014

    Introducing Authy for your personal computer


    Authy lets you use "something you know" paired with "something you have" to log in securely to your accounts using two-factor authentication. Up until now, however, what you "have" was either your cellphone, your smartphone or your tablet.

    But now, with our goal in mind to provide secure and seamless two-factor authentication to users everywhere, we are excited to announce the Authy App for PCs ...


    April 10, 2014

    What Heartbleed means for Two-Factor Authentication


    Last Monday, Heartbleed, which is perhaps the worst vulnerability in recent history, was disclosed. The vulnerability was present in OpenSSL for 2 years (since March 2012) and it was discovered by two independent security researchers at the same time, so it's very likely that it was already known and exploited by other parties for a long time.

    Technically speaking, the bug allows anyone to remotely read ...


    Feb 6, 2014

    Do not use your Google Voice number for Two-Factor Authentication.


    This is a quick alert. Over the past few months we've seen a large number of accounts being compromised on several of our clients' sites. All of them had Two-Factor Authentication. How were they hacked then?

    Simple. First the attacker compromises the user's e-mail. The e-mail is compromised mostly via phishing or by stealing the cookie using a malicious browser extension. Because Google uses the same cookie/account for all of their products, the attacker can also access voice.google.com. Here, the ...


    Nov 27, 2013

    Our fault-tolerant infrastructure.


    Last week, Lean Stack published a great interview where we talked in depth about how we built our infrastructure. Our primary goal when designing our infrastructure was uptime. Other big considerations were security and speed.

    Uptime is usually expressed as a percentage of availability of your application per year. Our uptime goal was 99.9999% availability each year. This roughly means we could have a max downtime of 31.5 seconds ...


    Nov 21, 2013

    Multi Multi-Factor Authentication


    Multi-Factor Authentication, where you present "something you know" paired with "something you have", has been around for decades. Yet it hasn't changed much. What has changed dramatically is what "you have".

    Most of us carry a small powerful computer in our pockets (cellphone), another computer in our bag (laptop) and sometimes even another smaller computer (tablet). Soon we'll be carrying even more computers. Today you can buy a computer for your wrist, such as the Pebble watch, and even for your head with Google glasses. ...


    Oct 31, 2013

    Enable Two-Factor Auth on your VPN.


    Over the past couple of days we've watched in awe as a number of services were compromised. It all started with some random SPAM messages appearing on several Facebook accounts. Moments later Buffer announced they had been compromised and the hacker was using the keys to send SPAM messages on Facebook and Twitter. Soon after the news ...


    Sep 17, 2013

    Retiring the BlackBerry Authy App.


    Today we came to the conclusion that it is time to retire the BlackBerry Authy App. Although our initial strategy was to support as many platforms as possible, we've come to the conclusion that it is better to do fewer platforms but better.

    Fortunately, the BlackBerry App was used by much less than 1% of the Authy users (around 500). Developing apps for BlackBerry is a painful and complex process, much more so than Android or iPhone and ...


    September 4, 2013

    How the Authy Two-Factor backups work


    Yesterday Google Authenticator released an update for their iPhone App that wiped users' keys when installed. That prompted a lot of users to switch to Authy and use our key backup feature. Immediately some people started raising concerns about our backup feature - but unfortunately most of what they're saying is false or incorrect. We want to make sure everyone knows the real facts.

    First and most importantly: backups are optional and are off by default. ...


    August 7, 2013

    Thoughts on Twitter's new Two-Factor Authentication.


    Yesterday, Twitter released an update for their Two-Factor Authentication that uses Public Key Cryptography and push notifications. You can read all about it here.

    Although this approach is not novel and companies have offered this for many years, it probably hasn't been done at the Twitter scale. ...


    July 31, 2013

    The future of Two-Factor Authentication


    Two-Factor Authentication became mainstream in the past year. People finally realized that passwords alone are not enough and demanded something better. Services responded: Google, Dropbox, Twitter, LinkedIn and the majority of big cloud service providers now offer Two-Factor Authentication as an optional security feature.

    But adoption is still low. The majority of people haven't yet adopted Two-Factor Authentication because of ...


    July 24, 2013

    Non-repudiation and the joy of knowing you've been hacked.


    Non-repudiation in IT security means being able to prove where something comes from or who did what. Although few people talk about it, it's actually an essential part of a lot of technologies we use daily. For example, Apple makes all developers sign their applications before submitting them to the iOS store. That makes it possible for Apple to trace the origin of an App directly to a developer.

    Which brings us to shared accounts. ...


    April 15, 2013

    How to protect your WordPress site from brute-force attacks


    Last week a large distributed brute-force attack was launched against WordPress Blogs. One of the first to notice the attack was CloudFlare. Not only did they detect the attack, they automatically protected your WordPress site if you had an account with them.

    In this blog post we want to give you some details of the attack, what to do if you were compromised and things you can do going forward to protect your site from future ...


    February 6, 2013

    New Authy Security Issues Page


    As we've grown it's been increasingly important we maintain transparency and security. We want to make it clear and easy for anyone to report security issues to us. Today we're adding our security issues page. It details how we handle security vulnerabilities at Authy Inc and how we can be contacted if you find one.

    Bottom line is:

    1. We will never take any legal or intimidatory actions for reporting security issues to us.

    2. We ...


    February 5, 2013

    Authy WordPress plugin Vulnerability Resolution


    Last week we released a WordPress Plugin for Authy. A few hours after the launch we were informed by Jon Oberheide from Duo Security that our WordPress plugin contained a vulnerability. Within 10 minutes we were able to confirm the vulnerability and evaluate the security impact. Our determination was that the vulnerability was not critical and we decided not to pull the plugin from WordPress.

    We also immediately started working ...


    January 31, 2013

    Protect your WordPress site from attackers in 2 minutes with Authy


    WordPress has made it easy for anyone to create and maintain a great site. It's so powerful that even some of the biggest sites on the web like forbes.com use it.

    Last year we saw millions of passwords stolen when large sites like LinkedIn and Gamigo were compromised. Then we read through the gripping story of Wired reporter Mat Honan ...


    December 13, 2012

    One token to rule them all


    Since we launched Authy, one of the most common concerns is that no one wants to install a new app for every Two-Factor Authentication account. We built Authy to create the best Two-Factor Authentication system ever created, so naturally we had to solve that problem. Today we are happy to announce you can now add all your Google Authenticator Tokens into Authy.

    We've made a number of improvements over the Google Authenticator App. ...


    November 13, 2012

    New website, plans and blog


    We just updated our website, our pricing and our blog.

    First we cleaned up our index page and our demo to make them easier to understand/navigate. But perhaps the biggest change is our new plans and pricing.

    We're committed to building a long-term, self-sustainable company which provides the best two-factor authentication you've ever seen. In order to achieve this, we've monitored usage/costs over the last few months and it was clear ...


    August 28, 2012

    Add two-factor authentication to your ssh in 30 seconds.


    TL;DR: Jump to the bottom to see the video and install it using:

    Installation.
    
    $ curl 'https://raw.github.com/authy/authy-ssh/master/authy-ssh' -o authy-ssh
    $ sudo bash authy-ssh install /usr/local/bin
    $ sudo /usr/local/bin/authy-ssh enable `whoami` <your-email> <your-country-code> <your-cellphone>
    $ authy-ssh test
    $ sudo service ssh restart
    

    We love SSH here at Authy. We use it for practically everything: git, remote shell access, deployment scripts and even pair programming. ...


    August 2, 2012

    Two-Factor Auth for everyone


    More than a year ago I started working on an Android App to add two-factor authentication to a site I was working on. Since then Authy has changed dramatically to become a full platform that anyone can use to simply add two-factor authentication to their site or app.

    We built Authy for ourselves. We wanted a two-factor authentication solution that would work across ...
