Verify TOTP Technical Overview
Verify TOTP is in Public Beta.
The data model does not require any PII (such as phone or email).
- Service: an organization or environment (e.g. stage, prod). Contains configurations for all verification methods available through the Verify platform (SMS OTP, Voice OTP, Email OTP, Push Verification, TOTP). A Twilio [sub]account can have multiple Services. Each Service contains multiple Entities that are not shared across Services.
- Entity: a user or other identity that needs verification. An Entity can contain multiple Factors.
- Factor: a verification method, which involves an exchange of secrets via a communication channel. For factor_type totp, which follows the RFC-6238 algorithm, the Factor contains the seed (Binding.Secret) that is used to generate the TOTP. A Factor contains multiple Challenges.
- Challenge: a single verification attempt of an Entity using a Factor. A single Factor has multiple Challenges.
Verify TOTP involves two main sequences that are shown in the diagrams below:
- Register a user by generating a unique TOTP seed and verify that they've correctly added it to their Authenticator App for generating TOTP codes.
- Verify a user by verifying that the TOTP code they've provided matches the TOTP code generated by the unique TOTP seed.
Register a user and TOTP seed
Verify a user
Ready to start building?
Check out the quickstart for step-by-step instructions.
Need some help?
We all do sometimes; code is hard. Get help now from our support team, or lean on the wisdom of the crowd by visiting Twilio's Stack Overflow Collective or browsing the Twilio tag on Stack Overflow.