This Sinatra application example demonstrates how to implement an SMS two-factor authentication using Twilio.
Adding two-factor authentication (2FA) to your web application increases the security of your user's data. Multi-factor authentication determines the identity of a user in two steps:
- First we validate the user with an email and password.
- Second, we validate using a mobile device, by sending them a one-time verification code.
Once our user enters the verification code we can validate the ownership of the account. This is a standard SMS implementation.
Once our user logs in we need to send him/her a verification code.
To generate our verification code we use
Random#rand which can take a range as an argument. Considering the current implementation our 6-digit verification code could be any number between 100000 and 999999.
Next let's look at how we would send this in an SMS with Twilio.
The Twilio helper library allows us to easily send an SMS.
First we have to create an instance of a Twilio Client with our credentials. Now all we have to do to send an SMS using the REST API is to call
client.messages.create() with the necessary parameters.
You can find your credentials at your Twilio Account.
We've seen how we will use the Twilio Client to send the SMS verification code. Now let's see how our controller will use this utility.
When a user signs up for our website, this controller creates the user and sends him/her a verification code.
In order to do two-factor authentication we need to make sure we ask for the user's phone number.
Let's see how we implemented the
Now let's take a closer at how to proceed with the 2-step verification.
Using the building blocks we created in the previous steps we can put it all together.
Notice we updated the user with the verification code since we need to look it up to verify the user.
And now, a drumroll for the second step of the two-step authentication implementation...
When the user receives an SMS with the verification code we need to ensure the given code is valid.
This validation is achieved by comparing the verification code sent to the user with the one the user inputs on the form.
If the validation was successful the application allows the user to have access to the protected content. Otherwise the application will prompt for the verification code once again.
That's it! We've just implemented SMS Two-Factor Authentication that you can now use in your applications!
If you're a Ruby developer working with Twilio, you might want to check out these other tutorials.
Faster than e-mail and less likely to get blocked, text messages are great for timely alerts and notifications
Instantly collect structured data from your users with a survey conducted over a call or an SMS text messages.
Thanks for checking out this tutorial! If you have any feedback to share with us, please reach out on Twitter... we'd love to hear your thoughts, and know what you're building!