Gemini, a New York-based digital asset exchange that currently supports Bitcoin and Ether, is the first digital asset business to be regulated and secured to the same standards as banks and other financial institutions. With a platform built to provide a secure, frictionless way to buy, sell and store digital assets, Gemini needed an integrated 2FA solution to match. Authy had just the thing.
Gemini serves retail customers and institutional firms looking to trade in digital assets (e.g., Bitcoin and Ether) just as they trade in different foreign currencies, stocks, bonds and debt. Gemini operates like a bank for people with digital assets who don’t want the challenge of securing it themselves.
Gemini’s founders had been long interested in the digital asset market but were put off by massive industry failures, hacking, insider malfeasance, and the fact that many businesses were neither secure nor compliant. One particular red flag was when Mt. Gox, the biggest player in the space, lost hundreds of millions of dollars in value after being breached. Many in the industry thought this incident spelled the end of digital assets altogether.
Where others saw failure, Gemini saw an opportunity. Early Bitcoin businesses were experiments in the same way that most early technology is: iterative and disruptive. The trouble is, most consumers don’t want that kind of approach from a bank. “What the market needed,” said Michael Breu, Gemini’s Chief Compliance Officer, “was a super-secure exchange platform that legacy financial institutions would trust with their assets just like they would a custodian or bank.”
Gemini set out to be the most secure, compliant digital asset exchange possible. “We wanted to be the platform that had both the licensing and regulatory oversight to give people confidence about digital money,” said Michael Breu, “without fear that we would be hacked and lose their funds. We saw a void in the marketplace for a safe, secure and trustworthy bitcoin exchange, so we built one.”
Breu recalled that in 2013, when Gemini was conceived, “soon after we received regulatory approval, we launched Gemini with a security-first mentality. We took our time building a team, building our technology, and building a security architecture and compliance program from the ground up, with a diligent and thoughtful approach. We waited until we received regulatory approval from the New York Department of Financial Services to begin operating and accepting customers in October of 2015.”
Gemini has a higher level of compliance and regulatory oversight than other exchanges, many of which are licensed only as money transmitters. “We want our customers to have confidence in the security of our funds,” said Breu. “Unlike many other exchanges, we have regulatory approval and are currently one of the three largest regulated exchanges in the U.S.”
For most enterprises, consequences of a security breach do not threaten the existence of the business in its entirety. In the digital asset world, however, a security failure means the loss of all customer funds and customer trust. It’s very likely the end of the business.
“This is a highest-stakes problem,” said Breu. “We deploy information security resources that include a broad spectrum of security disciplines, and use only reputable third-party partners to provide architecture developed especially for our customers. The most important thing we do is ensure customer account security.”
Significant trading is done via Gemini’s website. Like other online brokerages, users are able to view holdings, portfolios and market conditions, order books, set pricing, and place buy/sell orders. What sets Gemini apart is Twilio’s Authy two-factor authentication (2FA), built right into the entire transactional flow.
Gemini knew they couldn’t rely on just usernames and passwords to protect accounts. The need for two-factor authentication was a given, which led them to investigate various 2FA solutions in the market. They looked at Google Authenticator and other phone- and token-based systems, and even considered using a pure SMS-based system that would simply send a code at time of login. They also evaluated products that provide hard tokens, like RSA SecurID and YubiKey.
Their search eventually led them to Authy.
It’s not just about the service or product you get on day one. Are they still going to be continuously improving their product, moving in the same direction you are? We found a partner like that in Authy.
“We based our decision on the degree to which we could offer security easily to our entire user base,” said Breu. “We knew from the beginning that 2FA was going to be mandatory for our customers. That basically meant we had to eliminate any solution that would cause a lot of customer friction—such as a physical key. Anything that would slow down the process, keep people off the site and create a lot of overhead was not going to work.”
A key differentiator of Authy 2FA was having an actual app on their users’ phones. “When the user gets the code directly from the app it makes it more secure. By having to use a second tool such as the phone, it goes further to keep the accounts safe. If a customer’s computer gets hacked or stolen, we know that they have a second tool to verify authentication,” said Breu.
Gemini implemented 2FA before they publicly launched the company. “It was very straightforward. We wrote to the API seamlessly,” said Breu. “It doesn’t require much in the way of ongoing administrative maintenance on our side. We did not have to think about the operational procedures to make this work, because we knew that the vast majority of customer support functions was inherently solved by Authy. All we had to think about was how to integrate 2FA into our customer sign in workflow and other critical actions throughout the site. Integration was basically a non-issue—we implemented and it worked. It wasn’t one of those painful integrations.”
Gemini requires 2FA at the time of account sign on, and again at any instance when the user is poised to take what Breu calls ‘critical actions,’ such as withdrawing Bitcoin or transferring funds to an external address. “We consider a number of actions in our platform to be critical enough to need additional authentication,” Breu clarified. “We want the 2FA user experience to be as low-friction as possible, because we might ask users to do this multiple times during a session. Our clients appreciate this level of security, but if it’s not user-friendly, it can become annoying and could potentially drive customers away.”
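The policy Breu describes (a second factor at sign-in, then again before each critical action such as a withdrawal) as an added example, not code from Gemini or Authy: a minimal step-up gate in Python built on an RFC 6238 TOTP verifier, the kind of code an authenticator app like Authy generates. The session fields, the set of critical actions and the replay guard that stops a sign-in code being reused for a withdrawal are assumptions of this example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

STEP = 30                                                     # RFC 6238 default time step
CRITICAL_ACTIONS = {"withdraw", "change_withdrawal_address"}  # assumed set of critical actions


def totp(secret: bytes, at: int, digits: int = 6) -> str:
    """HOTP (RFC 4226) over the time counter floor(at / STEP) with SHA-1, per RFC 6238."""
    counter = struct.pack(">Q", at // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class Session:
    user: str
    secret: bytes                 # the user's enrolled TOTP seed (constructed in the test)
    signed_in: bool = False
    last_counter: int = -1        # highest time counter already accepted: replay guard

    def verify_code(self, code: str, now: int, skew: int = 1) -> bool:
        """Accept the current step or +/- skew steps, but consume each counter only once."""
        for d in range(-skew, skew + 1):
            at = now + d * STEP
            if at < 0 or at // STEP <= self.last_counter:
                continue          # a counter already consumed cannot be replayed
            if hmac.compare_digest(totp(self.secret, at), code):
                self.last_counter = at // STEP
                return True
        return False


class StepUpRequired(Exception):
    """A critical action was attempted without a valid, unused second-factor code."""


def sign_in(session: Session, password_ok: bool, code: str, now: int) -> bool:
    """Both the password and a valid TOTP code are required to open the session."""
    if password_ok and session.verify_code(code, now):
        session.signed_in = True
    return session.signed_in


def perform(session: Session, action: str, now: int, code: str = "") -> str:
    """Routine actions need only a session; critical ones need a fresh code every time."""
    if not session.signed_in:
        raise PermissionError("sign in first")
    if action in CRITICAL_ACTIONS and (not code or not session.verify_code(code, now)):
        raise StepUpRequired(action)
    return f"{action}:ok"
```

The seed and timestamps used in the test are the RFC 6238 reference vectors, so the expected codes can be checked against the RFC.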
Breu is excited about the newer technologies coming from Twilio, such as Authy OneTouch, a push-notification authentication solution. “Authy’s current platform is very good, but we’re really interested in OneTouch because it will be easier for customers conducting critical actions on the site. They’ll receive a prompt and simply have to tap the phone. Authy OneTouch will allow us to expand authentication without annoying customers or creating friction during a session. OneTouch reduces the amount of effort—it doesn’t break the transaction flow, or create opportunity for people to cancel out because they’ve lost tolerance for repetitive authentication.”