Verify SMS Overview
SMS is the most popular channel for phone number verification and two-factor authentication (2FA). That's because most people can receive text messages and onboarding is seamless. Plus, SMS 2FA works: Google found that SMS 2FA helped block "100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks."
1// Download the helper library from https://www.twilio.com/docs/node/install2const twilio = require("twilio"); // Or, for ESM: import twilio from "twilio";34// Find your Account SID and Auth Token at twilio.com/console5// and set the environment variables. See http://twil.io/secure6const accountSid = process.env.TWILIO_ACCOUNT_SID;7const authToken = process.env.TWILIO_AUTH_TOKEN;8const client = twilio(accountSid, authToken);910async function createVerification() {11const verification = await client.verify.v212.services("VAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")13.verifications.create({14channel: "sms",15to: "+15017122661",16});1718console.log(verification.sid);19}2021createVerification();
Response
1{2"sid": "VEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",3"service_sid": "VAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",4"account_sid": "ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",5"to": "+15017122661",6"channel": "sms",7"status": "pending",8"valid": false,9"date_created": "2015-07-30T20:00:00Z",10"date_updated": "2015-07-30T20:00:00Z",11"lookup": {},12"amount": null,13"payee": null,14"send_code_attempts": [15{16"time": "2015-07-30T20:00:00Z",17"channel": "SMS",18"attempt_sid": "VLaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"19}20],21"sna": null,22"url": "https://verify.twilio.com/v2/Services/VAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Verifications/VEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"23}
After starting a Verification with SMS, you'll want to validate if the code a user provided was correct with the Verification Check API.
Before you send an OTP (one-time password) message through Verify, you must obtain the recipient's opt-in consent. Treat any recipient who has not opted in as opted out by default. You must store evidence of each consent event and provide it to Twilio on request.
For example, include a notice in your application's sign-up or two-factor authentication (2FA) flow that states the user will receive an OTP message at the phone number they provide. Then record the timestamp of the user's confirmation.
As a general best practice and requirement for sending messages to the United States, display the following information in your app's user interface where they request the OTP:
- Complete terms and conditions OR link to terms and conditions.
- Privacy policy OR link to privacy policy.
- "Message and data rates may apply" disclosure.
This information is required by the CTIA Short Code Handbook for two-factor authentication. Verify SMS also follows the Twilio Messaging Policy, please see the policy for more detailed information on consent and opt-in rules.
- SMS Verification: What It Is & How It Works
- 5 reasons SMS 2FA isn't going away
- What is SMS pumping?
- Verify Fraud Guard: A feature that prevents SMS related fraud on Verify by automatically blocking the prefix of the destination of the suspected fraud.