SMS Two-Factor Authentication with Ruby and Rails

This Ruby on Rails application example demonstrates how to implement an SMS two-factor authentication using Twilio.

To run this application yourself download the code and follow the instructions on GitHub.

Adding two-factor authentication (2FA) to your web application increases the security of your user's data. Multi-factor authentication determines the identity of a user in two steps:

  1. First, we validate the user with an email and password
  2. Second, we validate using a mobile device, by sending them a one-time verification code

Once our user enters the verification code, we know they have received the SMS, and indeed are who they say they are. This is a standard SMS implementation.

Loading Code Samples...
Language
module ConfirmationSender
  def self.send_confirmation_to(user)
    verification_code = CodeGenerator.generate
    user.update(verification_code: verification_code)
    MessageSender.send_code(user.phone_number, verification_code)
  end
end
lib/confirmation_sender.rb
Send verification code

lib/confirmation_sender.rb

Generate a Verification Code

Once our user logs in we need to send them a verification code.

To generate our verification code we use Random#rand which can take a range as an argument. Considering the current implementation our 6-digit verification code could be any number between 100000 and 999999.

lib/code_generator.rb
Generate a Verification Code

lib/code_generator.rb

Next, let's take a look at how we would send this in an SMS with Twilio.

Send a Verification Code

The Twilio Ruby helper library allows us to easily send an SMS.

First we have to create an instance of a Twilio Client with our credentials. Now all we have to do to send an SMS using the REST API is to call client.messages.create() with the necessary parameters.

You can find the necessary credentials in the Twilio Console.

Loading Code Samples...
Language
module MessageSender
  def self.send_code(phone_number, code)
    account_sid = ENV['TWILIO_ACCOUNT_SID']
    auth_token  = ENV['TWILIO_AUTH_TOKEN']
    client = Twilio::REST::Client.new(account_sid, auth_token)

    message = client.messages.create(
      from:  ENV['TWILIO_NUMBER'],
      to:    phone_number,
      body:  code
    )

    message.status == 'queued'
  end
end
lib/message_sender.rb
Send a Verification Code

lib/message_sender.rb

Now that we know how to generate the verification code and send it, let's now look at how to kick off the signup process.

Register a User

When a user signs up for our website, this controller creates the user and sends them a verification code.

In order to do two-factor authentication we need to make sure we ask for the user's phone number.

Let's see how we implemented the send_confirmation_to method.

Loading Code Samples...
Language
class UsersController < ApplicationController
  ATTRIBUTE_WHITELIST = [
    :first_name,
    :last_name,
    :email,
    :phone_number,
    :password_confirmation,
    :password
  ]

  def new
    @user = User.new
  end

  def create
    @user = User.new(user_params)
    if @user.save
      session[:user_id] = @user.id
      ConfirmationSender.send_confirmation_to(@user)
      redirect_to new_confirmation_path
    else
      render :new
    end
  end

  private

  def user_params
    params.require(:user).permit(*ATTRIBUTE_WHITELIST)
  end
end
app/controllers/users_controller.rb
Register a User

app/controllers/users_controller.rb

Now let's take a closer at how to proceed with the 2-step verification.

Putting It All Together

Using the building blocks we've created in the previous steps we can now pull it all together.

Notice we update the user with the verification code since we'll need to look it up to verify the user.

Loading Code Samples...
Language
module ConfirmationSender
  def self.send_confirmation_to(user)
    verification_code = CodeGenerator.generate
    user.update(verification_code: verification_code)
    MessageSender.send_code(user.phone_number, verification_code)
  end
end
lib/confirmation_sender.rb
Send verification code

lib/confirmation_sender.rb

And now, a drumroll for the second step of the two-step authentication implementation...

Implementing the 2-Step Verification

When the user receives an SMS with the verification code we need to ensure the given code is valid.

This validation is achieved by comparing the user's verification code with the verification code the user inputs on the form.

Confirm Verification Code

If the validation was successful the application allows the user to have access to the protected content. Otherwise the application will prompt for the verification code once again.

Loading Code Samples...
Language
class ConfirmationsController < ApplicationController
  def new
    @user = User.find(session[:user_id])
  end

  def create
    @user = User.find params[:user_id]
    if @user.verification_code == params[:verification_code]
      @user.confirm!
      session[:authenticated] = true

      flash[:notice] = "Welcome #{@user.first_name}. The Adventure Begins!"
      redirect_to secrets_path
    else
      flash.now[:error] = "Verification code is incorrect."
      render :new
    end
  end
end
app/controllers/confirmations_controller.rb
Implementing the 2-Step Verification

app/controllers/confirmations_controller.rb

That's it! We've just implemented SMS Two-Factor Authentication that you can now use in your applications!

Where to next?

If you're a Rails developer working with Twilio, you might want to check out these other tutorials.

Workflow Automation

Increase your rate of response by automating the workflows that are key to your business. In this tutorial, learn how to build a ready-for-scale automated SMS workflow, for a vacation rental company.

Masked Numbers

Protect your users' privacy by anonymously connecting them with Twilio Voice and SMS. Learn how to create disposable phone numbers on-demand, so two users can communicate without exchanging personal information.

Did this help?

Thanks for checking out this tutorial! If you have any feedback to share with us, please reach out on Twitter... we'd love to hear your thoughts, and know what you're building!

Agustin Camino
David Prothero
Andrew Baker
Jose Oliveros

Need some help?

We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd browsing the Twilio tag on Stack Overflow.

1 / 1
Loading Code Samples...
module ConfirmationSender
  def self.send_confirmation_to(user)
    verification_code = CodeGenerator.generate
    user.update(verification_code: verification_code)
    MessageSender.send_code(user.phone_number, verification_code)
  end
end
module CodeGenerator
  def self.generate
    rand(100000...999999).to_s
  end
end
module MessageSender
  def self.send_code(phone_number, code)
    account_sid = ENV['TWILIO_ACCOUNT_SID']
    auth_token  = ENV['TWILIO_AUTH_TOKEN']
    client = Twilio::REST::Client.new(account_sid, auth_token)

    message = client.messages.create(
      from:  ENV['TWILIO_NUMBER'],
      to:    phone_number,
      body:  code
    )

    message.status == 'queued'
  end
end
class UsersController < ApplicationController
  ATTRIBUTE_WHITELIST = [
    :first_name,
    :last_name,
    :email,
    :phone_number,
    :password_confirmation,
    :password
  ]

  def new
    @user = User.new
  end

  def create
    @user = User.new(user_params)
    if @user.save
      session[:user_id] = @user.id
      ConfirmationSender.send_confirmation_to(@user)
      redirect_to new_confirmation_path
    else
      render :new
    end
  end

  private

  def user_params
    params.require(:user).permit(*ATTRIBUTE_WHITELIST)
  end
end
module ConfirmationSender
  def self.send_confirmation_to(user)
    verification_code = CodeGenerator.generate
    user.update(verification_code: verification_code)
    MessageSender.send_code(user.phone_number, verification_code)
  end
end
class ConfirmationsController < ApplicationController
  def new
    @user = User.find(session[:user_id])
  end

  def create
    @user = User.find params[:user_id]
    if @user.verification_code == params[:verification_code]
      @user.confirm!
      session[:authenticated] = true

      flash[:notice] = "Welcome #{@user.first_name}. The Adventure Begins!"
      redirect_to secrets_path
    else
      flash.now[:error] = "Verification code is incorrect."
      render :new
    end
  end
end