Verify TOTP Technical Overview
The data model does not require any PII (such as phone or email).
- Service: an organization or environment (e.g. stage, prod). Contains configurations for all verification methods available through the Verify platform (SMS OTP, Voice OTP, Email OTP, Push Verification, TOTP). A Twilio [sub]account can have multiple Services. Each Service contains multiple Entities that are not shared across Services.
- Entity: a user or other identity that needs verification. An Entity can contain multiple Factors.
- Factor: a verification method, which involves an exchange of secrets via a communication channel. For factor_type totp, which follows the RFC-6238 algorithm, the Factor contains the seed (Binding.Secret) that is used to generate the TOTP. A Factor contains multiple Challenges.
- Challenge: a single verification attempt of an Entity using a Factor. A single Factor has multiple Challenges.
Verify TOTP involves two main sequences that are shown in the diagrams below:
- Register a user by generating a unique TOTP seed and verify that they've correctly added it to their Authenticator App for generating TOTP codes.
- Verify a user by verifying that the TOTP code they've provided matches the TOTP code generated by the unique TOTP seed.
Check out the quickstart for step-by-step instructions.