
Two-Factor Authentication with Authy, C# and ASP.NET MVC

Two-Factor Authentication (2FA) is an excellent addition to your web application: it improves the security of your user data by requiring something your users have (in this case, their phone) to be present for step-up transactions, log-ins, and other actions. Multi-factor authentication validates the identity of a user logging into the app through their mobile device (or sometimes through other clients).

This ASP.NET MVC sample application demonstrates two-factor authentication (2FA) using Authy. To run this sample app yourself, download the code and follow the instructions on GitHub.

For the second factor, we will validate that the user has their mobile phone by one of the following:

  • Sending them a OneTouch push notification to their mobile Authy app
  • Sending them a token through their mobile Authy app
  • Sending them a one-time token in a text message sent via Twilio



Configuring Authy

If you haven't already, now is the time to sign up for Authy with Twilio. Create your first application, naming it whatever you wish. After you create your application, your production API key will be visible on your Authy dashboard:

(Screenshot: Authy dashboard)

Once we have an Authy API key, we store it in the Web.config file. We also need to register Authy as a 2FA provider in our IdentityConfig.

Register Authy as 2FA provider

Now Authy is part of our ApplicationUserManager as a two-factor authentication provider. Let's take a look at how we register a user with Authy.
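The registration step above is where Authy is plugged into ASP.NET Identity's two-factor pipeline. The following is an added example, not the tutorial's own code, showing how an Identity 2.x token provider can delegate token delivery and verification to Authy. It assumes an ApplicationUser with AuthyId and AuthyStatus properties, an appSettings key named AuthyApiKey in Web.config, and a hypothetical IAuthyClient wrapper around Authy's token send/verify HTTP calls; none of those names come from the tutorial.

```csharp
// Added example: Authy as an ASP.NET Identity 2.x two-factor token provider.
// ApplicationUser, IAuthyClient and the "AuthyApiKey" setting are assumptions.
using System;
using System.Configuration;
using System.Threading.Tasks;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;

public class ApplicationUser : IdentityUser
{
    public int? AuthyId { get; set; }        // assigned by Authy when the user is registered
    public string AuthyStatus { get; set; }  // "pending", "approved" or "denied"
}

// Hypothetical thin wrapper around Authy's token endpoints
// (send a token to the user's app/SMS, verify a token the user typed).
public interface IAuthyClient
{
    Task SendTokenAsync(int authyId);
    Task<bool> VerifyTokenAsync(int authyId, string token);
}

public class AuthyTokenProvider : IUserTokenProvider<ApplicationUser, string>
{
    private readonly IAuthyClient _authy;
    public AuthyTokenProvider(IAuthyClient authy) { _authy = authy; }

    // Authy generates the one-time token on its side, so nothing is generated
    // locally; Identity only needs a non-null value to hand to NotifyAsync.
    public Task<string> GenerateAsync(string purpose, UserManager<ApplicationUser, string> manager, ApplicationUser user)
        => Task.FromResult(string.Empty);

    // Ask Authy to deliver the token (push to the Authy app, SMS as fallback).
    public Task NotifyAsync(string token, UserManager<ApplicationUser, string> manager, ApplicationUser user)
        => _authy.SendTokenAsync(user.AuthyId.Value);

    // The token the user typed is checked by Authy, never compared locally,
    // so the application never stores or sees the shared secret.
    public Task<bool> ValidateAsync(string purpose, string token, UserManager<ApplicationUser, string> manager, ApplicationUser user)
    {
        if (string.IsNullOrWhiteSpace(token) || user.AuthyId == null)
            return Task.FromResult(false);
        return _authy.VerifyTokenAsync(user.AuthyId.Value, token.Trim());
    }

    // Only users who completed Authy registration can use this factor.
    public Task<bool> IsValidProviderForUserAsync(UserManager<ApplicationUser, string> manager, ApplicationUser user)
        => Task.FromResult(user.AuthyId.HasValue);
}

public static class AuthyIdentityConfig
{
    // Call this from ApplicationUserManager.Create in IdentityConfig.cs.
    // clientFactory builds the IAuthyClient from the API key read from Web.config.
    public static void RegisterAuthy(UserManager<ApplicationUser, string> manager,
                                     Func<string, IAuthyClient> clientFactory)
    {
        var apiKey = ConfigurationManager.AppSettings["AuthyApiKey"];
        if (string.IsNullOrEmpty(apiKey))
            throw new InvalidOperationException("AuthyApiKey is missing from Web.config appSettings.");

        manager.RegisterTwoFactorProvider("Authy", new AuthyTokenProvider(clientFactory(apiKey)));
    }
}
```

Once registered under the name "Authy", the standard SignInManager two-factor flow (SendTwoFactorCodeAsync / TwoFactorSignInAsync with provider "Authy") routes through this class, and the API key never leaves the server because the token itself is verified by Authy.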


Register a User with Authy

When a new user signs up for our website, we call this controller to handle storing our new user in the database as well as registering the user with Authy.

All Authy needs to get a user set up for your application is the user's email, phone number and country code. In order to do two-factor authentication, we need to make sure we ask for this information at sign up.

Once we register the user with Authy we get an authy_id back. This is very important since it's how we will verify the identity of our user with Authy.


Register a User with Authy

Having registered our user with Authy, we then can use Authy's OneTouch feature to log them in.


Log in with Authy OneTouch

When a user attempts to log in to our website, we will ask them for a second form of identification. Let's take a look at OneTouch verification first.

OneTouch works as follows:

  • We attempt to send a OneTouch Approval Request to the user.
  • If the user has OneTouch enabled, we will get a success message back.
  • The user hits approve in their Authy app.
  • Authy makes a POST request to our app with an approved status.
  • We log the user in.

Send the OneTouch Request

When our user logs in, we let them decide which two-factor authentication provider will be used. It can be either Authy OneTouch or Authy Token. Authy OneTouch should be used when the user has a registered OneTouch device.

Authy lets us pass details with our OneTouch request including a message, a logo, and any other details we want to send. We could easily send any number of details by appending details['some_detail']. You could imagine a scenario where we send a OneTouch request to approve a money transfer:

    // requires: using System.Collections.Specialized;
    // Each entry is one form parameter of the OneTouch approval request;
    // the message and every detail are shown to the user in the Authy app.
    var request = new NameValueCollection
    {
        { "message", "Request to Send Money to Jarod's vault" },
        { "details['Request From']", "Jarod" },
        { "details['Amount Request']", "1,000,000" },
        { "details['Currency']", "Galleons" }
    };

Implement OneTouch Approval

Once we send the request we need to update our user's AuthyStatus based on the response. But first we have to register a OneTouch callback endpoint.
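To make the "send the request, then update AuthyStatus" step concrete, here is an added example (not the tutorial's or Authy's own code) that posts the parameter collection shown above to Authy and records the result on the user. Assumptions not taken from the tutorial: the OneTouch endpoint is POST https://api.authy.com/onetouch/json/users/{authy_id}/approval_requests authenticated with an X-Authy-API-Key header, the JSON reply carries "success" and "approval_request.uuid", and ApplicationUser has AuthyId, AuthyStatus and an extra OneTouchRequestUuid property.

```csharp
// Added example: send a OneTouch approval request and set the user's AuthyStatus.
// Endpoint shape, response fields and the ApplicationUser properties are assumptions.
using System;
using System.Collections.Generic;
using System.Collections.Specialized;
using System.Net.Http;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public class ApplicationUser
{
    public int? AuthyId { get; set; }
    public string AuthyStatus { get; set; }          // "pending", "approved", "denied", "unavailable"
    public string OneTouchRequestUuid { get; set; }  // assumed: id of the outstanding request
}

public class OneTouchSender
{
    private readonly HttpClient _http;

    public OneTouchSender(string apiKey)
    {
        _http = new HttpClient { BaseAddress = new Uri("https://api.authy.com/") };
        _http.DefaultRequestHeaders.Add("X-Authy-API-Key", apiKey);
    }

    // Builds the parameters for a login approval. Everything in here is displayed
    // to the user in the Authy app, so include only what the user should see.
    public static NameValueCollection LoginRequest(string email, string clientIp)
    {
        return new NameValueCollection
        {
            { "message", "Login requested for " + email },
            { "details['Email']", email },
            { "details['IP Address']", clientIp },
            { "seconds_to_expire", "120" }   // unanswered requests expire quickly
        };
    }

    // Converts the tutorial-style NameValueCollection into form-encoded content.
    public static FormUrlEncodedContent ToFormContent(NameValueCollection request)
    {
        var pairs = new List<KeyValuePair<string, string>>();
        foreach (string key in request.AllKeys)
            pairs.Add(new KeyValuePair<string, string>(key, request[key]));
        return new FormUrlEncodedContent(pairs);
    }

    // Returns the approval request uuid on success, or null when Authy reports
    // the user cannot receive OneTouch (the caller then falls back to a token).
    public async Task<string> SendAsync(ApplicationUser user, NameValueCollection request)
    {
        if (user.AuthyId == null) return null;

        var response = await _http.PostAsync(
            $"onetouch/json/users/{user.AuthyId.Value}/approval_requests",
            ToFormContent(request));
        var body = JObject.Parse(await response.Content.ReadAsStringAsync());

        if (!response.IsSuccessStatusCode || (bool?)body["success"] != true)
        {
            user.AuthyStatus = "unavailable";
            user.OneTouchRequestUuid = null;
            return null;
        }

        // "pending" keeps the login blocked until the callback (or polling) resolves it.
        user.AuthyStatus = "pending";
        user.OneTouchRequestUuid = (string)body["approval_request"]["uuid"];
        return user.OneTouchRequestUuid;
    }
}
```

Storing the uuid alongside the "pending" status lets the callback handler check that an approval belongs to the request this login actually issued, rather than accepting any approval for that authy_id.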


Configure OneTouch Callback

In order for our app to know what the user did after we sent the OneTouch request, we need to register a callback endpoint with Authy.

Note: In order to verify that the request is coming from Authy, we've written a helper method that will halt the request if it appears it isn't coming from Authy.

Here in our callback, we look the user up using the authy_id sent with the Authy POST request. At this point we would ideally use a websocket to let our client know that we received a response from Authy, but for this version we're going to keep it simple and just update the AuthyStatus on the user. Then all our client-side code needs to do is check for user.AuthyStatus == "approved" before logging in the user.
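The callback is the one endpoint on the site that an unauthenticated party can use to flip a user's AuthyStatus, so the "is this really from Authy" check is the security-critical part. The following is an added example, not the tutorial's helper, of a callback action that verifies a signed request before touching the user. Assumptions not taken from the page: Authy signs the callback with HMAC-SHA256 over the string nonce|HTTP_METHOD|url|sorted_params keyed with the API key and base64-encoded in an X-Authy-Signature header, with the nonce in X-Authy-Signature-Nonce; the body is JSON containing authy_id and status; ApplicationUser has AuthyId and AuthyStatus. Check the exact canonical form against Authy's current documentation before relying on it.

```csharp
// Added example: OneTouch callback that halts unless the request is signed by Authy.
// The signature layout, JSON body fields and ApplicationUser are assumptions.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Newtonsoft.Json.Linq;

public class ApplicationUser : IdentityUser
{
    public int? AuthyId { get; set; }
    public string AuthyStatus { get; set; }   // "pending", "approved", "denied"
}

public static class AuthySignature
{
    // Flattens nested JSON into key/value pairs using bracket notation
    // (e.g. approval_request[uuid]) so they can be sorted and joined deterministically.
    public static void Flatten(JToken token, string prefix, SortedDictionary<string, string> into)
    {
        if (token is JObject obj)
            foreach (var p in obj.Properties())
                Flatten(p.Value, prefix == null ? p.Name : $"{prefix}[{p.Name}]", into);
        else if (token is JArray arr)
            for (int i = 0; i < arr.Count; i++)
                Flatten(arr[i], $"{prefix}[{i}]", into);
        else
            into[prefix] = token.Type == JTokenType.Boolean
                ? token.ToString().ToLowerInvariant() : token.ToString();
    }

    // Assumed canonical string: nonce|METHOD|url|k1=v1&k2=v2 (keys sorted, url-encoded).
    public static string Expected(string apiKey, string nonce, string method, string url,
                                  SortedDictionary<string, string> prms)
    {
        var sortedParams = string.Join("&", prms.Select(kv =>
            $"{Uri.EscapeDataString(kv.Key)}={Uri.EscapeDataString(kv.Value)}"));
        var canonical = $"{nonce}|{method}|{url}|{sortedParams}";
        using (var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(apiKey)))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(canonical)));
    }

    // Compares without short-circuiting on the first mismatching byte, so the
    // response time does not reveal how much of a forged signature was correct.
    public static bool FixedTimeEquals(string a, string b)
    {
        if (a == null || b == null) return false;
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < Math.Min(x.Length, y.Length); i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

public class AuthyCallbackController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly string _apiKey;   // from Web.config appSettings["AuthyApiKey"]

    public AuthyCallbackController(UserManager<ApplicationUser> userManager, string apiKey)
    { _userManager = userManager; _apiKey = apiKey; }

    [HttpPost, AllowAnonymous]
    public async Task<ActionResult> OneTouchCallback()
    {
        string body;
        Request.InputStream.Position = 0;
        using (var reader = new StreamReader(Request.InputStream, Encoding.UTF8))
            body = reader.ReadToEnd();
        var json = JObject.Parse(body);

        var prms = new SortedDictionary<string, string>(StringComparer.Ordinal);
        AuthySignature.Flatten(json, null, prms);
        // Caveat: behind a TLS-terminating proxy Request.Url may read "http://";
        // use the public callback URL you registered with Authy in that case.
        var expected = AuthySignature.Expected(_apiKey, Request.Headers["X-Authy-Signature-Nonce"],
            Request.HttpMethod, Request.Url.AbsoluteUri, prms);
        if (!AuthySignature.FixedTimeEquals(expected, Request.Headers["X-Authy-Signature"]))
            return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);   // halt: not from Authy

        int authyId;
        if (!int.TryParse((string)json["authy_id"], out authyId))
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest);
        var user = _userManager.Users.FirstOrDefault(u => u.AuthyId == authyId);
        var status = (string)json["status"];

        // Only a pending request may be resolved, and only to a known outcome;
        // a stray or repeated callback cannot re-approve a finished login.
        if (user != null && user.AuthyStatus == "pending" && (status == "approved" || status == "denied"))
        {
            user.AuthyStatus = status;
            await _userManager.UpdateAsync(user);
        }
        return new HttpStatusCodeResult(HttpStatusCode.OK);
    }
}
```

The action is deliberately anonymous (Authy has no session with the site), which is exactly why the signature check runs before any database access, and why the status is only written when the user is still "pending".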


Configure OneTouch Callback to validate request

Our application is now capable of using Authy for two-factor authentication. However, we are still missing an important part: the client-side code that will handle it.


Handle Two-Factor in the Browser

We've already taken a look at what's happening on the server side, so let's step in front of the cameras now and see how our JavaScript is interacting with those server endpoints.

When we expect a OneTouch response, we will begin polling /Authy/OneTouchStatus until we see that the OneTouch login was either approved or denied. Let's take a look at this controller and see what is happening.


Let's take a closer look at how we check the login status on the server.


Check Login Status

This endpoint waits for the user status to be either approved or denied.


Check Login Status

Finally, we can confirm the login.


Finish the 2FA Step

If the AuthyStatus is approved, then the user will be redirected to the home page, otherwise we'll show the /Account/Login form.
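The status-polling endpoint and the finishing step above are two halves of one rule: the browser may ask how things are going, but only the server decides whether the login completes. Here is an added example, not the tutorial's controller, that implements both. It assumes the ApplicationUser model with an AuthyStatus property, and that the password step already established the ASP.NET Identity two-factor cookie, so SignInManager.GetVerifiedUserIdAsync() identifies which user is mid-login; action names and the JSON shape are choices made for this example.

```csharp
// Added example: /Authy/OneTouchStatus (polled by the browser) and the final
// 2FA step. ApplicationUser and the action names are assumptions.
using System.Net;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.AspNet.Identity;
using Microsoft.AspNet.Identity.EntityFramework;
using Microsoft.AspNet.Identity.Owin;

public class ApplicationUser : IdentityUser
{
    public string AuthyStatus { get; set; }   // "pending", "approved", "denied"
}

public class AuthyController : Controller
{
    private readonly UserManager<ApplicationUser> _userManager;
    private readonly SignInManager<ApplicationUser, string> _signInManager;

    public AuthyController(UserManager<ApplicationUser> userManager,
                           SignInManager<ApplicationUser, string> signInManager)
    { _userManager = userManager; _signInManager = signInManager; }

    // GET /Authy/OneTouchStatus -> {"status":"pending"} until the callback
    // has recorded "approved" or "denied". Nothing else is exposed.
    [HttpGet]
    public async Task<ActionResult> OneTouchStatus()
    {
        var user = await PendingUserAsync();
        if (user == null)
            return new HttpStatusCodeResult(HttpStatusCode.Unauthorized);

        var status = user.AuthyStatus == "approved" || user.AuthyStatus == "denied"
            ? user.AuthyStatus : "pending";
        return Json(new { status }, JsonRequestBehavior.AllowGet);
    }

    // POST /Authy/Finish: the browser calls this after polling reports "approved".
    // The server re-reads AuthyStatus itself; the poll result is never trusted.
    [HttpPost, ValidateAntiForgeryToken]
    public async Task<ActionResult> Finish(string returnUrl)
    {
        var user = await PendingUserAsync();
        if (user == null || user.AuthyStatus != "approved")
            return RedirectToAction("Login", "Account");

        // Consume the approval so the same callback cannot open a second session.
        user.AuthyStatus = null;
        await _userManager.UpdateAsync(user);

        await _signInManager.SignInAsync(user, isPersistent: false, rememberBrowser: false);

        // Only follow local return URLs; anything else goes to the home page.
        if (!string.IsNullOrEmpty(returnUrl) && Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index", "Home");
    }

    // The user whose password step succeeded and who is now waiting on the second factor.
    private async Task<ApplicationUser> PendingUserAsync()
    {
        var userId = await _signInManager.GetVerifiedUserIdAsync();
        return userId == null ? null : await _userManager.FindByIdAsync(userId);
    }
}
```

Resetting AuthyStatus in Finish matters: if the flag stayed "approved", a later login attempt for the same account could skip the second factor simply by calling Finish again.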


That's it! We've just implemented two-factor authentication using three different methods and the latest in Authy technology. You can check out the whole project on GitHub.


Where to Next?

If you're a C# developer working with Twilio, you might enjoy these other tutorials:

IVR: Phone Tree

Easily route callers to the right people and information with an IVR (interactive voice response) system.

Call Tracking

Use Twilio to track the effectiveness of your marketing campaigns.

Did this help?

Thanks for checking out this tutorial! If you have any feedback to share with us, we'd love to hear it. Connect with us on Twitter and let us know what you build!

Kevin Whinnery, Agustin Camino, Andrew Baker, Paul Kamp, Kat King, Hector Ortega

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd browsing the Twilio tag on Stack Overflow.