Duo is more mature, but seems to be positioned more as an enterprise alternative to hardware tokens. They seem to charge per user per month, somewhere around $2, which would be crazy for someone like Facebook with a billion users.
Considering all the security issues these days, this is just awesome. Democratization of 2-factor security is really needed. Congrats to Daniel and team!
Awesome, love getting the details on these things given my own experiences w/PR and how timing specific press opportunities can be.
Would make an interesting follow-up to understand how they pitched TC / how the DropBox timing impacted publication (if at all). Either way thanks for responding.
I want interaction-free TFA in my phone. I want to be able to walk up to a computer, put in my username and maybe a PIN, and subsequently have every website log me in because the browser knows my phone is on the same LAN as the browser or is in NFC or Bluetooth range.
But I would especially want this if the TFA is running on a separate system from the main CPU in my smartphone, only sharing radio/networking hardware at most. This wouldn't be foolproof, but if my smartphone OS company can patch security holes in a timely manner and deliver the patches on-air, then this is good enough for me.
If Authy can deliver the 2nd factor automatically from my iPhone to my other devices through Bonjour, I will rave favorably about them to everyone who will listen.
This is a horrifying prospect. One that you would trust a LAN, two that you would want any external device to QUERY the credentials and access the creds of another device.
Horrifying. There are so many better ways of providing zero interaction auth that are secure: BrowserID, NFC (smartphones that can thus do asymmetric encryption), the QR experiment Google did.
Even if you just tweaked your idea to do something along the lines of what Google did... You go to a browser, type gmail.com, enter your email address. They push an event via GCM and your phone asks if you trust the computer that just asked for auth. You click "YES". Similar flow, but nowhere near as horrifying.
> This is a horrifying prospect. One that you would trust a LAN, two that you would want any external device to QUERY the credentials and access the creds of another device.
I'm horrified that people jump to such stupid conclusions. There is no need for one machine to query credentials of the phone or vice versa. The browser just sends out a signal and the phone can supply the 2nd factor to the server.
If you're able to build the solution using Twilio (or anything else), then I'm pretty sure Authy isn't for you. I think it's clear that their eventual product is going to be a simple, drop-in that enables two-factor on your mom's knitting forum.
Unless my mom's knitting forum also is an online trading platform, why do they need two factor auth? And how likely is it that their software of choice doesn't have a Twilio plugin?
Of course the forum can't control that and neither can your bank, but out of the two, only the bank should care and implement two-factor auth. It doesn't matter if your knitting forum account is hacked into, so two-factor auth is overkill.
Now, sure the password on that knitting forum might be the same as your bank online account. But the point is that only websites where your account is sensitive needs to add two-factor authentication.
I should have phrased my comment above another way: the solution to password re-use is not to add two-factor auth to a knitting forum, but to add it to the bank website, email provider, etc. anywhere your account's safety matters.
(I was thinking more from the point of view of the user: if they start to get worried about their accounts getting hacked, two-factor auth on the forum is not the solution, a password manager is)
I'd think the biggest draw would be not developer ease as much as end-user ease. This way, an end user with an Authy account would only have to give their phone number out once, to Authy, or install one app from Authy, and automatically be able to use two-factor authentication on any site that supports it. It's like OpenID for the second half of two-factor auth.
Totally agree... site specific TFA apps are already starting to get a bit silly. Battle.net, Google, my Bank... three is already starting to be a pain to manage and install.
Why? If that's necessary, Authy is doing it wrong. A client app ought to be able to request an auth token that Authy sends to the user without ever having to reveal the user's number to the client app.
I hear you. I designed authy so that 1 token would work across sites for this same reason.
Unfortunately it's not technically possible for us to allow you to install RSA, Google in our App, as that would mean we would need access to their private seed, which they don't allow.
I think this is really cool. Authy guys are making 2-factor authentication mainstream, which is incredible. I've used them before on some sites and the process is as easy as you would want it to be. Great job!
You have to use a valid token at least one time (via SMS or Authy app) to validate your account.
That's explained in the docs: http://docs.authy.com/#section-12
They make the X-Ray Android vulnerability scanner (http://www.xray.io/)