SMS Two-Factor Authentication with Java and Servlets
About this Application
This Java Servlets example application demonstrates how to implement SMS two-factor authentication using Twilio.
To run this application yourself, download the code and follow the instructions on GitHub.
Adding two-factor authentication (2FA) to your web application increases the security of your users' data. Multi-factor authentication determines the identity of a user in two steps:
- First, we validate the user with an email and password
- Second, we validate by sending them a one-time verification code to a mobile device
Once our user enters the verification code, we know they have received the SMS, and indeed they are who they say they are. This is a standard SMS implementation.
For a slightly more advanced implementation using Authy One-Touch, take a look at this tutorial.
Generate a Verification Code
Once our user logs in we need to send them the one-time verification code.
To generate our verification code we use the java.util.Random class. Considering the current implementation, our 6-digit verification code could be any number between 100000 and 999999.
Next, let's take a look at how to set up the Twilio Java helper library to send the verification code as an SMS.
Obtain a TwilioRestClient Instance
The Twilio helper library allows us to easily send an SMS. First, we have to create an instance of a Twilio Client with our credentials.
You can find your credentials on your Twilio Account.
Next, we will see how to actually send the verification code.
Send a Verification Code
Once we have the MessageCreator instance created with the necessary parameters, all we have to do to send an SMS using the REST API is to call the execute method, passing the twilioRestClient instance.
In this example, the class TwilioMessageSender is the one responsible for it.
Now that we know how to generate the verification code and send it, let's look at how to kick off the signup process.
Register a User
When a user signs up on our website, the application should store the user's information and send them a verification code.
In order to do two-factor authentication, we need to make sure we ask for the user's phone number.
One thing to notice is that when the User constructor is called, the verification code is generated.
Let's see how the CreateUser#create method is implemented.
Save and Send the SMS
In this step all we will do is store the user (along with their verification code) and send an SMS message.
Notice that MessageSender is implemented by TwilioMessageSender, which we mentioned previously.
Now let's take a closer look at how to proceed with the 2-step verification.
Implement the 2-Step Verification
When the user receives an SMS with the verification code, we need to ensure the code they submit is valid.
This validation is achieved by comparing the verification code stored for the user with the verification code the user enters on the form.
If the validation is successful, the application allows the user to access the protected content. Otherwise, the application prompts for the verification code once again.
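As an added example (not the tutorial's own code), here is one way to generate and check the code described in "Generate a Verification Code" and in this section: it draws the 6-digit value from java.security.SecureRandom, because java.util.Random output can be predicted from earlier values, and it makes the code single-use with an expiry and a guess limit. The class name VerificationCode, the 5-minute lifetime and the 5-attempt limit are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;

// Added example, not the tutorial's code. Class name, TTL and MAX_ATTEMPTS are assumptions.
public class VerificationCode {
    private static final SecureRandom RNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(5); // assumed validity window
    private static final int MAX_ATTEMPTS = 5;                 // assumed guess limit

    private final String code;
    private final Instant expiresAt;
    private int failedAttempts = 0;
    private boolean used = false;

    public VerificationCode(Instant now) {
        // Uniform value in [100000, 999999], the tutorial's range, from a CSPRNG.
        this.code = Integer.toString(100000 + RNG.nextInt(900000));
        this.expiresAt = now.plus(TTL);
    }

    public String value() { return code; }

    // True only for the first correct submission inside the validity window.
    public synchronized boolean verify(String submitted, Instant now) {
        if (used || failedAttempts >= MAX_ATTEMPTS || now.isAfter(expiresAt)) {
            return false; // the caller must issue and send a new code
        }
        // MessageDigest.isEqual compares without exiting early on the first mismatched byte.
        boolean match = submitted != null && MessageDigest.isEqual(
                code.getBytes(StandardCharsets.UTF_8),
                submitted.trim().getBytes(StandardCharsets.UTF_8));
        if (match) {
            used = true;      // one-time: a replayed code is rejected
        } else {
            failedAttempts++; // bounds guessing over the 900000 possible codes
        }
        return match;
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        VerificationCode vc = new VerificationCode(now);
        System.out.println("wrong guess:  " + vc.verify("000000", now));
        System.out.println("correct code: " + vc.verify(vc.value(), now));
        System.out.println("replay:       " + vc.verify(vc.value(), now));
    }
}
```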
That's it! We've just implemented SMS Two-Factor Authentication that you can now use in your applications!
Where to next?
If you're a Java developer working with Twilio, you might want to check these other tutorials out.
Increase your rate of response by automating the workflows that are key to your business. In this tutorial, you will learn how to build a ready-for-scale automated SMS workflow, for a vacation rental company.
Protect your users' privacy by anonymously connecting them with Twilio Voice and SMS. Learn how to create disposable phone numbers on-demand, so two users can communicate without exchanging personal information.