Level up your Twilio API skills in TwilioQuest, an educational game for Mac, Windows, and Linux. Download Now
Build the future of communications.
Start building for free
  • By Kelley Robinson
    How to sanitize phone numbers before sending mass alerts Sanitize phone numbers header image

    If you're planning on sending mass text notifications you'll want to make sure that the numbers you're sending to are valid. This post will quickly show how to use the Twilio Lookup API to sanitize your data, checking that:

    • Phone numbers are real
    • Phone numbers are formatted correctly
    • Phone numbers are mobile

    Validating and sanitizing phone numbers will mean fewer API errors for sending to non-existent, incorrectly formatted, or landline numbers, giving you greater confidence in your system.

    Twilio.org is offering a $500 kickstart credit and additional product discounts for apps that offer public benefits during the COVID-19 crisis. Learn more: https://ahoy.twilio.com/covid19-contact.

    Prerequisites for sanitizing phone numbers

    The Lookup API does not support bulk requests. If you anticipate a high volume of requests, please contact …

    Read More
  • By Kelley Robinson
    Is email based 2FA a good idea? email blog header

    Like everything in security, whether or not it’s safe to use email as a delivery channel for two-factor authentication (2FA) will depend on who your users are and what you're trying to protect.

    That said, email based 2FA is usually going to protect your users more than it is going to hurt them, especially if it's offered as an option alongside more secure channels like TOTP. Much like SMS based 2FA, which can protect 96% of bulk phishing attacks and 76% of targeted attacks, any 2FA is going to be better than no 2FA at all.

    A quick note: email verification vs. 2FA

    This post addresses the tradeoffs of ongoing login verification using email two-factor authentication. Verifying a user's email address the first time they provide it is a best practice to reduce fraud, ensure deliverability, and maintain a good sending reputation.

    Chase bank offers SMS and email based 2FA

    Services like Chase bank offer email …

    Read More
  • By Kelley Robinson
    Build an Animal Crossing party line in 5 minutes Header Animal Crossing Party Line

    How did you spend your weekend? When I wasn't feeding my sourdough starter, I spent at least 4 hours playing Animal Crossing: New Horizons and doing chores for my raccoon landlord. For those unacquainted with the game: Animal Crossing is a social game where you build a town on a deserted island full of friendly animals, fruit trees, and homemade furniture. Once you set up your town, other players can visit you, bring you gifts, and help you weed your garden.

    On Sunday, my coworker Christine invited me and our coworker Megan to an Animal Crossing party. We exchanged Switch Friend codes and set up a time to play.

    Unfortunately in-game communication can be tough: there's no in-game voice chat and saying something specific is a hunt-and-peck nightmare with the Switch keyboard. Video chat seemed like overkill since we'd all be looking at our screens anyway.

    Luckily, we …

    Read More
  • By Kelley Robinson
    Serverless Phone Verification with Twilio Verify and Twilio Functions Serverless Verify

    Updated June 2020 - this project now uses the Twilio Serverless Toolkit and the Functions API.

    Security is at the top of everyone’s mind and phone verification is a simple way to secure your application and help prevent bot accounts. Sending a one-time password to a user's phone to validate they have possession is a common security tool used when people sign up for a product or give you their phone number for the first time.

    Confidence in your users’ phone numbers decreases fraud and increases reliability of notifications. Let’s take a look at how to verify phone numbers from a web application using Twilio's serverless functions and the Twilio Verify API.

    Quick links:

    Prerequisites to adding Twilio Verify to your application

    To code along with this post, you’ll need:

    Read More
  • By Kelley Robinson
    How to Lookup a phone number with the Twilio CLI Lookup a phone number with the Twilio CLI

    Some bad actors use phone numbers from free online providers to create fake profiles to scam or spam. Twilio's Lookup API helps you identify the carrier behind the phone number to learn which users have real mobile numbers. And you can use it with the new Twilio CLI!

    Lookup a carrier with the Twilio CLI

    To lookup a phone number with the Twilio CLI you will need:

    Follow instructions to install the Twilio CLI then in your terminal log in with your account credentials found in the console:

    twilio login

    You can query the Twilio Lookup API for information about a phone number. There are two Types  of requests the API can perform:

    1. Carrier - includes line type (i.e. mobile, landline, voip) and telecom provider (i.e. Verizon, Level 3 Communications, Twilio)
    2. Caller name - includes caller identification information when available …
    Read More
  • By Kelley Robinson
    Why are the username and password on two different pages? Why are the username and password on two different pages

    The most common reason to put username and password on two different pages is to support both:

    1. single-sign on (SSO) (i.e. sign in with Google or a service like Okta)
    2. username/password login

    However, this login flow confuses people which is probably why you're reading this! Websites usually present a username and password field in the same view for us to log in. So you're not alone if you've ever wondered why the password field is missing or on another page.

    This post looks at the security of this design decision and presents options for designing login forms that support multiple paths of authentication.

    Is separating the username and password field onto different pages more secure?

    The separation could make credential stuffing attacks more cumbersome. It also allows the platform to perform conditional security checks. For example, the site can check if the account has enabled two-factor authentication and, if …

    Read More
  • By Kelley Robinson
    How to use Authy for Offline, Transaction Specific, PSD2 Compliant Authentication IUQz0LthtKSeMEB696SdzuWIk7cICH4sWkbTsXyU8Ea2tfSErofayxwYCm1YxPcy4_LfIAcrVFaG0xjk23I9foPpIoLA_-3rfakSeBOtsjBxs7Jto25FloIAkuCjPON1dbb8FPf_

    One of the best features about using Soft Tokens or Time-based One Time Passwords (TOTP) for authentication is that they are available offline. The European Payment Services Directive (PSD2) regulation requires Strong Customer Authentication (SCA) for all transactions over €30 by September 2019. Part of the regulation requires that SCA ties transaction-specific information to the authentication, called Dynamic Linking.

    This post will show you how to use a new feature of the Authy API and application to implement a compliant offline solution for your application. For more detail on PSD2, SCA, and dynamic linking, check out this post. You can also build SCA with push authorization or SMS, which we show in this blog post.

    Getting Started

    To code along with this post, you’ll need:

    Read More
  • By Kelley Robinson
    Who's Calling? How to Identify a Phone Number Carrier with Twilio Lookup blur-call-calling-1251088.jpg

    Some bad actors use phone numbers from free online providers to create fake profiles to scam or spam. Twilio's Carrier Lookup API helps you identify the carrier behind the phone number to learn which users have real mobile numbers.

    Lookup a carrier with Twilio

    To lookup a phone number you will need:

    You can query the Twilio Lookup API for information about a phone number. There are two Types  of requests the API can perform: carrier and caller-name. This example focuses on carrier.

    The following request will return carrier information about a phone number. The phone number in the request URL must be in E.164 format like +18557477626. Replace the credentials with your Account SID and Auth Token found in the console.

    In your terminal, run the following code:

    curl -X GET \
    'https://lookups.twilio.com/v1/PhoneNumbers/+18557477626?Type=carrier' …
    Read More
  • By Kelley Robinson
    Detect Robocalls with Twilio Lookup and the Nomorobo Spam Score Add-on bG2utclWVzVcVomibKtYGe99wJ0WvTItH9LDAeHYR5JP7XJ9EjaiFHv1608ZZ0FvkJRbXMHiP_y13RhJczikwUygbOuZ8jld-ag8FNLEqAIx-4g1ArTDbPLqTYvFXroUaH1y9l42

    Twilio's CEO Jeff Lawson recently wrote about the history of robocalls and what we're doing to eliminate them. Until that happens, we can build a tool that will help us identify a robocall with a bit of Python, the Twilio Lookup API, and the Nomorobo Spam Score Add-on.

    Set Up

    In order to code along with this post you'll want to start with the following:

    1. Create a Twilio account
    2. Install Python 3
    3. Install the twilio-python helper library

    Head to the Twilio Console and install the Nomorobo add-on. Look for the yellow logo and click through to "Install".

    Leave the name as nomorobo_spamscore and "Save" the Add-On.

    Create a new file called nomorobo.py and add the …

    Read More
  • By Kelley Robinson
    What I Learned About Security from Calling 35 Contact Centers 0N_vQj4WWOs80HMrBU48yW3yOn7kzg37I_ILFKy5ifNW0R29Yzlx77PnmLQzENxj2uTf9xk8zGASigas5mL3un8biIBMF4UkBlDVE3dEnzzCqfnsf4uBNnLFV-_YK0F1rw_4PP-R

    Web applications often have secure login systems—maybe even 2FA—but what happens when a customer calls the customer support phone number? Security teams and app developers have thought a lot about online authentication, but haven't applied the same rigor to designing systems for authenticating over the phone.

    At Twilio, product and engineering teams have spent the last year thinking about this problem and how to make the experience better for both the customer and the call center agent. In that time, I've called dozens of contact centers to learn about how everyone from startups to Fortune 50 companies attempt to identify and authenticate the end user. This post will take a look at that research and outline best practices to use in call centers.

    🔍Research Parameters

    To test the over-the-phone authentication, I made a list of companies where:

    1. I have an existing account
    2. There is personal info tied to my account …
    Read More
  • Newer
    Sign up and start building
    Not ready yet? Talk to an expert.