This Ruby on Rails application example demonstrates how to implement an SMS two-factor authentication using Twilio.
To run this application yourself download the code and follow the instructions on GitHub.
Adding two-factor authentication (2FA) to your web application increases the security of your user's data. Multi-factor authentication determines the identity of a user in two steps:
- First, we validate the user with an email and password
- Second, we validate using a mobile device, by sending them a one-time verification code
Once our user enters the verification code, we know they have received the SMS, and indeed are who they say they are. This is a standard SMS implementation.
Once our user logs in we need to send them a verification code.
To generate our verification code we use
Random#rand which can take a range as an argument. Considering the current implementation our 6-digit verification code could be any number between 100000 and 999999.
Next, let's take a look at how we would send this in an SMS with Twilio.
The Twilio Ruby helper library allows us to easily send an SMS.
First we have to create an instance of a Twilio Client with our credentials. Now all we have to do to send an SMS using the REST API is to call
client.messages.create() with the necessary parameters.
You can find the necessary credentials in the Twilio Console.
Now that we know how to generate the verification code and send it, let's now look at how to kick off the signup process.
When a user signs up for our website, this controller creates the user and sends them a verification code.
In order to do two-factor authentication we need to make sure we ask for the user's phone number.
Let's see how we implemented the
Now let's take a closer at how to proceed with the 2-step verification.
Using the building blocks we've created in the previous steps we can now pull it all together.
Notice we update the user with the verification code since we'll need to look it up to verify the user.
And now, a drumroll for the second step of the two-step authentication implementation...
When the user receives an SMS with the verification code we need to ensure the given code is valid.
This validation is achieved by comparing the user's verification code with the verification code the user inputs on the form.
If the validation was successful the application allows the user to have access to the protected content. Otherwise, the application will prompt for the verification code once again.
That's it! We've just implemented SMS Two-Factor Authentication that you can now use in your applications!
If you're a Rails developer working with Twilio, you might want to check out these other tutorials.
Increase your rate of response by automating the workflows that are key to your business. In this tutorial, learn how to build a ready-for-scale automated SMS workflow, for a vacation rental company.
Protect your users' privacy by anonymously connecting them with Twilio Voice and SMS. Learn how to create disposable phone numbers on-demand, so two users can communicate without exchanging personal information.
Thanks for checking out this tutorial! If you have any feedback to share with us, please reach out on Twitter... we'd love to hear your thoughts, and know what you're building!