Twilio Verify Push Android Client Library Quickstart

Sign up for - or sign in to - Twilio

You can sign up for a free Twilio trial account here.

• When you sign up, you'll be asked to verify your personal phone number. This helps Twilio verify your identity.
• Once you verify your number, you'll be asked to create a project. For the sake of this tutorial, you can click on the "Learn and Explore" template. Give your project a name, or just click "skip remaining steps" to continue with the default.
• Once you get through the project creation flow, you'll arrive at your project dashboard in the Twilio Console. This is where you'll be able to access your Account SID, an authentication token, create a Push Credential, create a Verify Service and more.

Create a Verify Service and add the Push Credential

• Go to Twilio Console > Verify > Services and create a new Service.
  • Alternatively, you can select any existing Service. However, we recommend creating a new service for testing so you don't accidentally interfere with a production environment.
• From Twilio Console > Verify > Services, select your Service to access its Settings. Under the Push section, select the Credential SID(s) that you want this Service to use for sending push notifications. One SID can be selected for your Android app (FCM) and one for your iOS app (APN).

Expose an API endpoint in your app backend for your app to request the Access Token

Check out our Sample Backend using Twilio functions for an implementation example. In a production web application, you would restrict access token retrieval to the currently authenticated user, using whatever type of authentication your service already uses.

Have your app backend request an Access Token from Verify Push API

In the sidebar to the right (or below) is sample code for requesting an access token from the Verify Push API in all languages supported by Twilio helper libraries. You will need the Verify service_sid, as well as the user id (such as a GUID or the user's primary key in your database table) you use as the identity with this Verify service.

Configure webhooks (optional)

Configure a webhook callback for your app backend to be notified of events such as when a Factor has been verified or when a Challenge has been approved, so that it knows to advance the user to the next step in your flow. This is more real-time and efficient than constantly polling the Verify Push API for the status of a Factor or Challenge.

Follow the steps in this Verify Webhooks page.

Verify a user

Congratulations! Verify Push consists of two user sequences, and you've just completed the first one: user and device registration. The second sequence is to challenge and verify (authenticate) a user with their registered device. Read on for the step-by-step instructions.

Create a Challenge

Your web application backend needs to call the Verify Push API to create a Challenge using the Factor that you've just created. When the challenge is created, Verify Push sends a push notification to the registered device using the configured Push Credential.

The code in the sidebar to the right/bottom demonstrates how to create those challenges using the Twilio helper libraries.

Now that the pending Challenge has been created in the Verify API, your mobile app needs to become aware of it. This can be done by telling your user to open up your mobile app on the registered device, and then having your app check (poll) the Verify API for any pending Challenges whenever it's opened.

Example implementation

1. Display a message for your user to open your app on the registered device: "Approve this login/transaction by opening the [App name] app and tapping [Approve button text]
2. Know when the app is opened and in foreground, then automatically poll for pending challenges.
   1. Android: Use the onResume() method of your activity or subscribe to a lifecycle observer.
   2. iOS: Use the applicationWillEnterForeground method in your application delegate or sceneWillEnterForeground if your app supports scenes, see more info here.
3. Alternatively, you can display to the user an "inbox" menu item to manually check for "pending verification requests" (challenges)
4. To get the pending challenges you can call the getAllChallenges method in the SDK, passing Pending as ChallengeListPayload's status and Desc as ChallengeListPayload's order
5. You can define the number of challenges to be returned using ChallengeListPayload's pageSize. To show only one challenge, pass 1 as ChallengeListPayload's pageSize
6. You can display the pending challenge(s) as a pop-up, just like if your app had received a push notification
7. Alternatively, you can show multiple pending challenges in an "inbox" menu item. You can display a badge number in the inbox to let the user know how many pending challenges are waiting for them.

Once your app receives the push notification containing the challengeSid, it needs to retrieve the challenge details that correspond to that sid. Type/paste the sample code below. This step is not necessary if you have already retrieved the challenge details via the getAllChallenges method as previously instructed in the "poll for the challenge" section.

How to Implement Silent Device Approval

By optionally implementing Silent Device Approval within the Verify Push Client Library, you can silently approve challenges without push notifications when your app already knows that the user is trying to complete an action (actively logging in, making a transaction, etc.) on the same device as the registered device that is being challenged. This results in an authentication that is completely invisible to the user. While implementation details will vary, here are some suggested steps:

• In order to be confident about the user's intent, the challenge approval should be done when the app is in foreground during the flow of the action that is being approved (e.g. immediately after the user taps "login").
• Identify the device starting the action and create a challenge for the factor linked to that device (a factor only represents one device).
• If you want to send challenges for multiple devices (factors) or if you want to be sure that you're approving the correct challenge, there are two options:
  • Include the associated challenge sid for the action in the response to the device and validate that it's the expected challenge sid before approving it.
  • Assign a transaction id to the started action and include it in the response to the device, and add the transaction id to the challenge's hidden details, so before approving the challenge you can get the challenge's hidden details to validate it is the expected challenge
• To receive the challenge on the client-side, you can:
  • Implement a strategy to listen for incoming push notifications when the app is in foreground and after some seconds, poll for pending challenges just in case the push notification did not arrive.
  • Poll for the latest pending challenge for an immediate approval, if your backend implementation can guarantee that the challenge was already created.