SMS one-time passcodes (OTPs) are a popular form of phone verification and two-factor authentication (2FA), but in some countries like Brazil, Germany, or India, messaging apps like WhatsApp are more popular than SMS. That's why we added support for WhatsApp in our Verify API. Since WhatsApp does its own phone number verification at sign up, you can use WhatsApp verification to directly replace SMS verification. Best of all, by using WhatsApp through the Verify API, you do not need a separate WhatsApp Business Account.
This blog post will show you how to quickly spin up an OTP dashboard and start sending and checking WhatsApp verification messages.
Prerequisites for sending One-Time Passcodes
Before you can send an OTP you'll need:
- A Twilio account for sending the WhatsApp message
- A Verify Service which you can create in the Twilio console. The Service Name will appear in the SMS body but you can always edit it later
- A WhatsApp account for testing
Copy your Service SID (starts with VA):
Quick Deploy a Twilio Verify application
Make sure you're logged in to Twilio and head over to Twilio's Code Exchange for the One-Time Passcode verification project and paste in your Verify Service SID:
Next, click "Deploy my application". After a few seconds you should see a button to launch the live application: click that to go to your new Verify application.
Select the WhatsApp channel, enter your phone number and hit "Get a one-time passcode" to test it out. It's really that easy!
How to detect if WhatsApp is installed on a device
One way to improve user experience is to default to WhatsApp instead of SMS when it's available. You can check if the app is installed on the same device you're running on. Follow the instructions for iOS and Android to determine if a package is installed. Here's an example WhatsApp detection implementation for Android:
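import android.content.Context
import android.content.pm.PackageManager

// Returns true if the named package is installed and visible to this app.
// On Android 11 (API 30) and later the package must also be declared in a
// <queries> element in the manifest, or the lookup fails as if it were absent.
fun PackageManager.isPackageInstalled(packageName: String): Boolean {
    return try {
        getPackageInfo(packageName, PackageManager.GET_ACTIVITIES)
        true
    } catch (e: PackageManager.NameNotFoundException) {
        false
    }
}

// Checks for either the consumer or the Business edition of WhatsApp.
fun Context.isWhatsAppInstalled(): Boolean {
    val whatsAppPackageName = "com.whatsapp"
    val whatsAppBusinessPackageName = "com.whatsapp.w4b"
    return packageManager.isPackageInstalled(whatsAppPackageName) ||
        packageManager.isPackageInstalled(whatsAppBusinessPackageName)
}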
Unfortunately, not every user has a WhatsApp account. While you can detect whether the WhatsApp application is installed on mobile, WhatsApp does not have an API to determine if an account exists prior to sending a message. Fortunately, WhatsApp does not charge for failed message attempts to accounts that don't exist, while SMS does charge carrier fees for undelivered messages.
How to use the Verify OTP Quick Deploy application
This application doesn't actually protect anything (yet!), but if you're like me, you love having code to copy and modify. This application gives you the following building blocks:
- International telephone input (more details in this post)
- Sending an OTP in 4 different channels
- Checking an OTP
You can use this as a basis to send and check verifications in your own application for sign up, login, or step up authentication like at checkout.
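If you move the send and check steps into your own backend, the sketch below shows the two Verify REST API v2 calls with server-side input validation. It is an added example, not the Quick Deploy project's code; the function names, the validation rules and the sample values in the comments are assumptions made for illustration.

```javascript
// Added example: request builders for the Verify REST API (v2).
const VERIFY_BASE = "https://verify.twilio.com/v2/Services";
const CHANNELS = new Set(["whatsapp", "sms", "call", "email"]);
const E164 = /^\+[1-9]\d{6,14}$/; // E.164: "+", country code, subscriber number

// Validate on the server; never forward raw client input to the API.
function buildStartRequest(serviceSid, to, channel) {
  if (!String(serviceSid).startsWith("VA")) throw new Error("bad Service SID");
  if (!CHANNELS.has(channel)) throw new Error("unsupported channel");
  if (channel !== "email" && !E164.test(to)) throw new Error("phone must be E.164");
  return {
    url: `${VERIFY_BASE}/${serviceSid}/Verifications`,
    body: new URLSearchParams({ To: to, Channel: channel }).toString(),
  };
}

function buildCheckRequest(serviceSid, to, code) {
  if (!String(serviceSid).startsWith("VA")) throw new Error("bad Service SID");
  // Assumption: numeric codes of 4 to 10 digits; reject anything else early.
  if (!/^\d{4,10}$/.test(code)) throw new Error("code must be 4-10 digits");
  return {
    url: `${VERIFY_BASE}/${serviceSid}/VerificationCheck`,
    body: new URLSearchParams({ To: to, Code: code }).toString(),
  };
}

// Only "approved" grants access; "pending" or a missing status must not.
function isApproved(check) {
  return Boolean(check) && check.status === "approved";
}

// POST with HTTP Basic auth (Account SID and Auth Token, kept server-side).
// fetchImpl is injectable so the transport can be stubbed in tests.
async function send(request, accountSid, authToken, fetchImpl = fetch) {
  const auth = Buffer.from(`${accountSid}:${authToken}`).toString("base64");
  const res = await fetchImpl(request.url, {
    method: "POST",
    headers: {
      Authorization: `Basic ${auth}`,
      "Content-Type": "application/x-www-form-urlencoded",
    },
    body: request.body,
  });
  if (!res.ok) throw new Error(`Verify API returned HTTP ${res.status}`);
  return res.json();
}
```

Make the access decision on the server from `isApproved` on the check response, and keep the Auth Token out of any client-side code.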
The email channel requires a smidge more setup but all of the instructions are outlined in the documentation. While you're testing, you might be interested in spinning up a testing dashboard to help avoid hitting rate limits.
Check out these other Quick Deploy projects for more inspiration:
- SMS verification with smart retry logic and voice fallback
- International telephone input
- Time-based One-time Passcode (TOTP) verification
I can't wait to see what you build!