Relying solely on a username and password is utterly inadequate for the safety of your customers. But security software is complex and can be risky to build in-house. Do you develop your own customized solution or do you buy it from a vendor? That’s the challenge facing leading email delivery platform SendGrid—and why they turned to Authy.
Like a lot disruptive tech companies, SendGrid was born out of necessity—in this case, the need for businesses to ensure timely delivery of important emails to customers, without having to manage large email infrastructure or deal with security issues blocking email delivery. As SendGrid product manager Jensen Stava put it, “Security is crucial to email, because email has traditionally been heavily exploited. Spammers and phishers have been around for a very long time.
Today, SendGrid is the leading cloud-based API email delivery service, sending more than 25 billion emails each month for customers like eBay, Uber, Intuit, Costco and airbnb. SendGrid’s email API safeguards the delivery of important transactional emails like receipts and password confirmations, liberating companies from blocked messages due to strict email provider security policies. “When a company’s code sends a message to Yahoo or Gmail emails, a lot of times the message gets dropped because that app assumes its malicious content,” said Stava. “We take the burden off the developer, and allow the server to call our API and ensure that message gets into the inbox.”
Launched in 2009, SendGrid has grown quickly--and quickly outgrew their SMS-based authentication application. “Early on, we built our own 2FA that directly integrated with Twilio. Since then our application has grown and our interface has changed, as have the needs of our customers,” said Stava. “We added new features that required us to evaluate our 2FA from a user perspective. For instance, our initial 2FA was SMS, which posed a big problem when users were outside of cellular connectivity. So that was just one problem we knew we had to solve,” said Stava.
Scaling was another challenge the team faced when they implemented a new feature where users could invite members of their team join their SendGrid account. “Our old 2FA wouldn’t enable this feature, so we had to rip this out and start over. That’s when we started looking at other options.”
Jensen and team took a close look at the costs and resourcing needed to build and continually maintain their own 2FA solution, knowing that they’d probably have to rewrite code in another year as their customer needs continued to grow and change. “We looked at several options including Google Authenticator, Duo, building a token system ourselves, and open source solutions before deciding on Authy,” said Stava.
In the end, it came down to Authy’s expertise, features, and cost models. “We’re asking our users to allow us to be email experts on their behalf. This drove us to go with Authy—they’re the experts in 2FA,” said Stava. “So if we have to change our user experience, we don’t have to recode and rebuild. We know we can do it quickly and easily through Authy. If we have to spend our time focused on managing our 2FA, what will our customers miss out on because we’re not focused on them?”
We send emails on behalf of our users. We rely on Authy 2FA to make sure people accessing SendGrid are who they say they are—we have to be able to secure our users’ accounts so malicious users can’t get in.
“Authy had just launched their push notifications feature, something that was important to us. We knew they would keep that feature up to date, so all we would have to do is periodically update with minimal investment on our side without having to have a developer spend their time becoming an expert to update in-house,” said Stava.
Authy’s flexible pricing structure also aligned with SendGrid’s customer and use models. “It made more sense for us to go with per login customer fees,” said Stava. “Much of our customer interaction happens over the SendGrid API, so some of our users might never login. But we have thousands of signups every day, which means potentially thousands of 2FA transactions every day. We needed a solution that continues to work as we scale, and the cost scales as well.”
“Implementation was fairly easy for our engineers. We spent more time just use-testing it for future changes,” said Stava. “When we were integrating with Authy, it was extremely fast and easy and plug and play, with a little bit of shoe-horning for our use cases because our user model can be fairly complicated, with things like invitations to additional users, with multiple accounts.”
And because Authy uses phone number as identification method, “our users just have one token they use through Authy even though they might have multiple accounts,” said Stava. “This make it a better user experience because they only have one token through Authy, rather than potentially hundreds.”
In terms of additional security, SendGrid is planning to require some users of the service to set up 2FA as part of the registration process, so they can spot potentially malicious users up front. “We do a lot on the backend to protect our user reputation, so requiring users to set up 2FA up front helps protect our reputation too” said Stava.