When the UK’s Government Digital Service (GDS) team needed to bolster their blog security, they turned to London agency dxw to help them out. dxw set about building a two-factor authentication plugin – and looked to Twilio to handle the 2FA SMS delivery.
The award-winning GOV.UK website provides information for the public on thousands of topics. The site is also home to 77 blogs from different departments – part of the government’s new, more open approach to digital communication. But it’s an approach that brings some challenges.
GDS cannot risk having unauthorised users logging in and posting potentially damaging messages on government blogs. With this in mind, the GDS team approached dxw to improve blog security through a two-factor authentication (2FA) plugin.
“Suddenly you have this very active government blog, which is a big part of how the government now talks to users,” says dxw Delivery Manager, Will Reddin. “Yet, the blogs just relied on a simple login for admins.” GDS also work in an agile way, meaning that they needed a solution that didn’t tie them into a “big, scary procurement contract,” according to Reddin.
dxw presented four SMS 2FA options to the GDS team. Twilio’s security, simple integration and clear pricing made it the preferred choice.
When a user logs in to a GOV.UK blog, they have two options. One involves registering their smartphone, then scanning a QR code through a login app. The other is to enter a username and password, then receive a login PIN code sent by SMS.
GDS didn’t want to tie people to using a smartphone app to log in. Some government departments still give out non-smartphones to their employees, so there is expected to be demand for an SMS login option.
“It will be interesting to see how many people take the SMS option over the QR code method,” says Reddin. “To get it running, Twilio worked perfectly. Our developer loved it, it was really easy to just drop into the code.”
Over the coming few months, the 2FA plugin will be installed on all GOV.UK blogs, covering as many as 1,500 admin users.
“GDS do think differently, they’re driving through real positive change in the way that the public sector does digital services, it’s a real pleasure working with them,” says Reddin. “And we’re really happy that Twilio was the easiest way of achieving what the GDS team needed.”