Questions about the Twilio Authy API

Question

We currently have a solution where we implement 2FA ourselves over Twilio Programmable SMS. We're also using Twilio Verify for Payment PSD2 authorization. We're now looking to migrate everything to Authy to make use of the Authy app and I have the following questions that I'm hoping you can help me with.

1. User Migration. I understand in authy, users need to be registered to our application. How can I register all our current users? Is there any way to bulk upload them, or do I have to write a script that calls the API to register them one by one?
2. User Number phone update. Sometimes our users will update their phone or email in our system. If that happens, how do I update that info in Authy? I couldn't find anything in the docs about that. Do I need to call the api to remove the user and readd with the new info?
3. Migrating from Verify PSD2 to Authy PSD2. Is the implementation very different? Is there any sample I can look through, as the documentation seems to mainly be talking about QR codes, while what we want to do, is to send it over SMS or Authy depending on the user's choice. Thanks for your help Sam

Answer 1

Twilio developer evangelist here.

1. You will need to write a script to register your users. When you have registered a user, you will receive an authy_id for the user, which you will need to store with your user record.

2. If a user updates their phone number then you should update the Authy user. To do so, you will want to delete the old user and re-register with the new phone number. You will then receive a new authy_id and you should re-confirm the user can authenticate by challenging them for a new code before you complete the update. If the user updates their email then you can do the same process of deleting and creating a new user though you should receive the same authy_id back if the phone number hasn't changed (though this will add the email address to Authy's representation of the user).

3. Check the documentation on PSD2 compliant authentication with Authy here . If you are sending SMS messages, then you should set the action and action_message parameters, which tie the message to the authentication. For the app based authentications you can do it via Push Notifications (in which you can include transaction details in the push). If you don't want to implement push, then you do need to get your user to scan a QR code in order to tie the transaction to the authentication (the regular code generated by the app is not connected to a transaction, so is ineligible for PSD2 authentication).

Let me know if this helps at all.