Skip to contentSkip to navigationSkip to topbar
Twilio Docs
On this page

Ruby on Rails Quickstart for Twilio Authy Two-factor Authentication

(warning)

Warning

As of November 2022, Twilio no longer provides support for Authy SMS/Voice-only customers. Customers who were also using Authy TOTP or Push prior to March 1, 2023 are still supported. The Authy API is now closed to new customers and will be fully deprecated in the future.

For new development, we encourage you to use the Verify v2 API.

Existing customers will not be impacted at this time until Authy API has reached End of Life. For more information about migration, see Migrating from Authy to Verify for SMS(link takes you to an external page).

Adding Two-factor Authentication to your application is the easiest way to increase security and trust in your product without unnecessarily burdening your users. This quickstart guides you through building a Ruby(link takes you to an external page) and Ruby on Rails(link takes you to an external page) application that restricts access to a URL. Four Authy API channels are demoed: SMS, Voice, Soft Tokens and Push Notifications.

Ready to protect a tiny app from malicious hackers?

Sign Up For or Sign Into a Twilio Account

sign-up-for-or-sign-into-a-twilio-account page anchor

Create a new Twilio account (you can sign up for a free Twilio trial), or sign into an existing Twilio account(link takes you to an external page).

Create a New Authy Application

create-a-new-authy-application page anchor

Once logged in, visit the Authy Console(link takes you to an external page). Click on the red 'Create New Application' (or big red plus ('+') if you already created one) to create a new Authy application then name it something memorable.

Authy create new application.

You'll automatically be transported to the Settings page next. Click the eyeball icon to reveal your Production API Key.

Account Security API Key.

Copy your Production API Key to a safe place, you will use it during application setup.

Setup the Authy Client on Your Device

setup-the-authy-client-on-your-device page anchor

This Two-factor Authentication demos two channels which require an installed Authy Client to test: Soft Tokens and Push Notifications. While SMS and Voice channels will work without the client, to try out all four authentication channels download and install Authy Client for Desktop or Mobile:

Clone and Setup the Application

clone-and-setup-the-application page anchor

Clone our repository locally(link takes you to an external page), then enter the directory. Install all of the necessary ruby modules:

bundle install

Next, open the file config/application.example.yml. There, edit the ACCOUNT_SECURITY_API_KEY, pasting in the API Key from the above step (in the console), and save the file as config/application.yml.

It will be loaded when the application begins.

Add Your Application API Key

add-your-application-api-key page anchor

Enter the API Key from the Authy console.

1
ACCOUNT_SECURITY_API_KEY: YOUR APP_KEY

2

Once you have added your API Key, you are ready to run! Launch Rails with:

./bin/rails server

If your API Key is correct, you should get a message your new app is running!

Try the Ruby on Rails Authy Two-Factor Demo

try-the-ruby-on-rails-authy-two-factor-demo page anchor

With your phone (optionally with the Authy client installed) nearby, open a new browser tab and navigate to http://localhost:3000/register/(link takes you to an external page)

Enter your information and invent a password, then hit 'Register'. Your information is passed to Twilio (you will be able to see your user immediately in the console(link takes you to an external page)), and the application is returned a user_id.

Now visit http://localhost:3000/login/(link takes you to an external page) and login. You'll be presented with a happy screen:

Token Verification Page.

If your phone has the Authy Client installed, you can immediately enter a Soft Token from the client to Verify. Additionally, you can try a Push Authentication by pushing the labeled button.

If you do not have the Authy Client installed, the SMS and Voice channels will also work in providing a token. To try different channels, you can logout to start the process again.

Two-Factor Authentication Channels

two-factor-authentication-channels page anchor
1
class Api::TwofaController < ApplicationController

2
  def sms()

3
    user = User.find_by(username: session[:username])

4


5
    if ! user

6
      render json: { err: 'Username Not Found' }, status: :internal_server_error and return

7
    end

8


9
    response = Authy::API.request_sms(id: user.authy_id)

10


11
    if ! response.ok?

12
      render json: { err: 'Error requesting SMS token' }, status: :internal_server_error and return

13
    end

14


15
    render json: response, status: :ok

16
  end

17


18
  def voice()

19
    user = User.find_by(username: session[:username])

20


21
    if ! user

22
      render json: { err: 'Username Not Found' }, status: :internal_server_error and return

23
    end

24


25
    response = Authy::API.request_phone_call(id: user.authy_id)

26


27
    if ! response.ok?

28
      render json: { err: 'Error requesting Phone call token' }, status: :internal_server_error and return

29
    end

30


31
    render json: response, status: :ok

32
  end

33


34
  def verify()

35
    user = User.find_by(username: session[:username])

36


37
    if ! user

38
      render json: { err: 'Username Not Found' }, status: :internal_server_error and return

39
    end

40


41
    response = Authy::API.verify(:id => user.authy_id, :token => params[:token])

42


43
    if ! response.ok?

44
      render json: { err: 'Verify Token Error' }, status: :internal_server_error and return

45
    end

46


47
    session[:authy] = true

48
    render json: response, status: :ok

49
  end

50


51
  def onetouchstatus()

52
    user = User.find_by(username: session[:username])

53


54
    if ! user

55
      render json: { err: 'Username Not Found' }, status: :internal_server_error and return

56
    end

57


58
    status = Authy::OneTouch.approval_request_status({uuid: session[:uuid]})

59


60
    if ! status.ok?

61
      render json: { err: 'One Touch Status Error' }, status: :internal_server_error and return

62
    end

63


64
    if status['approval_request']['approval_request'] == 'approved'

65
      session.delete(:uuid) || session.delete('uuid')

66
      session[:authy] = true

67
    end

68


69
    render json: {body: status}, status: :ok

70
  end

71


72
  def onetouch()

73
    user = User.find_by(username: session[:username])

74


75
    if ! user

76
      render json: { err: 'Username Not Found' }, status: :internal_server_error and return

77
    end

78


79
    one_touch = Authy::OneTouch.send_approval_request(

80
      id: user.authy_id,

81
      message: 'Login requested for Account Security account.',

82
      details: {

83
        AuthyID: user.authy_id,

84
        Username: user.username,

85
        Location: 'San Francisco, CA',

86
        Reason: 'Demo by Account Security'

87
      },

88
      hidden_details: { test: "This is a" }

89
    )

90


91
    if ! one_touch.ok?

92
      render json: { err: 'Create Push Error' }, status: :internal_server_error and return

93
    end

94


95
    session[:uuid] = one_touch.approval_request['uuid']

96


97
    render json: one_touch, status: :ok

98
  end

99
end

100

And there you go, Authy two-factor authentication is on and your Rails app is protected!

What's Next?

whats-next page anchor

Now that you are keeping the hackers out of this demo app using Twilio Authy two-factor authentication, you can find all of the detailed descriptions of options and API calls in our Authy API Reference. If you're also building a registration flow, also check out our Verify product and the Ruby Phone Verification quickstart which uses this codebase.

For additional guides and tutorials on account security and other products, in Ruby and in our other languages, take a look at the Docs.