Authy Blog

  • Home
  • Website
  • @authy
  • Contact us
  • November 20, 2047

    CloudFlare + Authy

    In June we had just finished our Y-Combinator (YC) session, raised our seed round of funding, and were getting back to work on our core product. We had had tested our API internally with some YC companies so we knew we had a fully working product; however, we had yet to land our first initial customers. We were struggling with the classic chicken and egg problem when it comes to selling into an enterprise – if you don’t have any enterprise customers it’s hard to acquire an enterprise customer.

    Then on Saturday, June 2nd, 2012 one of my friends sent me a link to a blog post where Matthew Prince, CloudFlare CEO, explained how a hacker was able to gain access to his Google e-mail account and was then able to to change some of CloudFlare customers DNS settings.

    This was exactly what Authy was built to solve. I knew if he Matthew about Authy, it would be extremely useful for him.

    The problem was I didn't know Matthew and I couldn't find anyone in our network who did. I thought about e-mailing the YC partners to try to find a connection (some of the best help that YC gives you is their immense network); however, I felt that time was of the essence and it was a weekend so I wasn’t sure I would hear back in time. Without any other immediate options available I decided to just send Matthew an e-mail. I had never cold-email someone in my entire life, yet from the post I knew Matthew would understand and appreciate our product (if you read the post you'll notice how open he is about the incident and the fact that he is very familiar with Two-Factor Authentication, which he had enabled for his Google Account). Luckily for us his personal e-mail address had been released by several news outlets as part of their reporting on the compromise of his account. I quickly wrote a simple e-mail and hit send. Here's what I wrote verbatim:

    Hey Matthew, I just read your blog post on the Cloudflare incident. This really sucks, but is not uncommon, usually companies just keep it private, kudos for being this open.

    I am part of the last winter YCombinator class, we designed a Two-factor Authentication Service, exactly for this reasons. You can add two-factor auth to your site in minutes. We've been a bit private - only YC companies - but I thought if you guys are interested I can give you early access.

    We are at:

    Within minutes I had a response back and we chatted a bit more about Authy. To my surprise, the very next day, one of his teammates was trying the API and by Sunday night we scheduled a meeting that week in their office.

    That following week CloudFlare was using Authy internally to protect a variety of of their internal services. The goal was to eventually allow anyone using CloudFlare to be able to protect their accounts using Two-Factor Authentication, but we first needed to make some changes.

    So we partnered with CloudFlare and started working with them on a new version of Authy; one that all of their customers could use. Since then we've made enormous changes to our systems. Most changes are under the hood and are not directly observable, such as adding multi-region redundancy, automated time sync along with a slew of other features. What is easily observable is that, as a result of our collaboration, Authy now support multiple branded tokens. This is much more than just adding a logo and some colors. Each new branded account has a different key and a different set of permissions. So for example, if you are using CloudFlare two-factor authentication, you'll obtain a new secret key specific for that account that will only work on CloudFlare.

    We're very happy to be working alongside CloudFlare on securing access to their systems as well as extending two-factor authentication to their customers. We've been using two-factor authentication on CloudFlare for the past month ( uses CloudFlare as a CDN to make it faster) and we love it. We are especially excited about the awesome integration they've done and we think you'll like it too.

    So, if you are using CloudFlare (and you should) or you want to improve your domain security go here, sign-up and give it a go, you won' regret it!