

Authy (YC W12) launches two-factor auth as a service - danielpal
http://techcrunch.com/2012/08/02/y-combinator-backed-startup-authy-wants-to-help-you-prevent-a-dropbox-style-security-snafu/

======
semenko
Very neat service. The Duo Security team also has a similar product with a lot
of features: <http://www.duosecurity.com/>

They make the X-Ray Android vulnerability scanner (<http://www.xray.io/>)

~~~
rdl
Duo is more mature, but seems to be positioned more as an enterprise
alternative to hardware tokens. They seem to charge per user per month,
somewhere around $2, which would be crazy for someone like Facebook with a
billion users.

------
mehuln
Considering all the security issues these days, this is just awesome.
Democratization of 2-factor security is really needed. Congrats to Daniel and
team!

------
debacle
Doesn't Twilio already offer 90% of this functionality?

> _queue jokes about Microsoft security_

Cue, not queue.

~~~
sjwalter
If you're able to build the solution using Twilio (or anything else), then I'm
pretty sure Authy isn't for you. I think it's clear that their eventual
product is going to be a simple, drop-in that enables two-factor on your mom's
knitting forum.

~~~
gliese1337
I'd think the biggest draw would be not developer ease as much as end-user
ease. This way, an end user with an Authy account would only have to give
their phone number out once, to Authy, or install one app from Authy, and
automatically be able to use two-factor authentication on any site that
supports it. It's like OpenID for the second half of two-factor auth.

~~~
michaelmior
Give your phone number once to Authy and then to every app that wants to use
Authy.

~~~
gliese1337
Why? If that's necessary, Authy is doing it wrong. A client app ought to be
able to request an auth token that Authy sends to the user without ever having
to reveal the user's number to the client app.

------
stcredzero
I want _interaction-free_ TFA in my phone. I want to be able to walk up to a
computer, put in my username and maybe a PIN, and subsequently have _every
website_ log me in because the browser knows my phone is on the same LAN as
the browser or is in NFC or Bluetooth range.

But I would especially want this if the TFA is running on a separate system
from the main CPU in my smartphone, only sharing radio/networking hardware at
most. This wouldn't be foolproof, but if my smartphone OS company can patch
security holes in a timely manner and deliver the patches on-air, then this is
good enough for me.

If Authy can deliver the 2nd factor automatically from my iPhone to my other
devices through Bonjour, I will rave favorably about them to everyone who will
listen.

~~~
drivebyacct2
This is a horrifying prospect. One that you would trust a LAN, two that you
would want any external device to QUERY the credentials and access the creds
of another device.

Horrifying. There are so many better ways of providing zero interaction auth
that is secure: BrowserID, NFC (smartphones that can thus do asymmetric
encryption), the QR experiment Google did.

Even if you just tweaked your idea to do something along the lines of what
Google did... You go to a browser, type gmail.com, enter your email address.
They push an event via GCM and your phone asks if you trust the computer that
just asked for auth. You click "YES". Similar flow, but nowhere near as
horrifying.

~~~
stcredzero
> _This is a horrifying prospect. One that you would trust a LAN, two that you
> would want any external device to QUERY the credentials and access the creds
> of another device._

I'm horrified that people jump to such stupid conclusions. There is no need
for one machine to query credentials of the phone or vice versa. The browser
just sends out a signal and the phone can supply the 2nd factor to the server.

------
fsckin
I don't want another token application.

I already have FOUR two-factor-auth apps on my phone, each with multiple
tokens:

Google

RSA

Blizzard

SWTOR

If I can add all the above tokens into your app, I would consider using it.
Otherwise... well, good luck with that.

~~~
danielpal
I hear you. I designed Authy so that 1 token would work across sites for this
same reason.

Unfortunately it's not technically possible for us to allow you to install RSA,
Google in our App, as that would mean we would need access to their private
seed, which they don't allow.

~~~
blake8086
Are you sure? <http://en.wikipedia.org/wiki/Google_Authenticator>

~~~
thej
Google Auth is easy to use in any app <https://bitbucket.org/thejeshgn/py2fa>

------
jumby
Or you can just implement a Google Authenticator & HOTP for your own site.
It's open source and a billion libraries exist.

~~~
dcu
On the other hand, Authy has few libraries (open source too), one nice, simple
and easy to use app (0 config), and 1 token for all apps.

------
kirillzubovsky
I think this is really cool. Authy guys are making 2-factor authentication
mainstream, which is incredible. I've used them before on some sites and the
process is as easy as you would want it to be. Great job!

------
aresant
Brilliant timing for launch w/the recent DropBox debacle - did the Authy team
push launch to draft on that story?

~~~
klint
No, I was already talking to them about the story. They just lucked out on the
timing.

~~~
aresant
Awesome, love getting the details on these things given my own experiences
w/PR and how timing specific press opportunities can be.

Would make an interesting follow-up to understand how they pitched TC / how
the DropBox timing impacted publication (if at all). Either way thanks for
responding.

------
tpr1m
I wish them luck, since two-factor auth is something which should be
implemented more often.

------
dcu
Now that big companies have been hacked, it's the time to start looking for
solutions like Authy to prevent phishing attacks.

------
winry
That logo looks a lot like Shazam's logo.

