
Verify TOTP Technical Overview



Data model

The data model does not require any PII (such as phone or email).

Flowchart showing OwlBank service using customer identifier with TOTP seeds for login, transaction, and password reset.

  • Service: an organization or environment (e.g. stage, prod). Contains configurations for all verification methods available through the Verify platform (SMS OTP, Voice OTP, Email OTP, Push Verification, TOTP). A Twilio [sub]account can have multiple Services. Each Service contains multiple Entities that are not shared across Services.
  • Entity: a user or other identity that needs verification. An Entity can contain multiple Factors.
  • Factor: a verification method, which involves an exchange of secrets via a communication channel. For factor_type totp, which follows the RFC 6238 algorithm, the Factor contains the seed (Binding.Secret) that is used to generate the TOTP. A Factor contains multiple Challenges.
  • Challenge: a single verification attempt of an Entity using a Factor. A single Factor has multiple Challenges.

Verify TOTP involves two main sequences that are shown in the diagrams below:

  1. Register a user by generating a unique TOTP seed and verifying that they've correctly added it to their Authenticator App for generating TOTP codes.
  2. Verify a user by verifying that the TOTP code they've provided matches the TOTP code generated by the unique TOTP seed.
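
The two sequences above as a local sketch, added here as an example; it is not Twilio's code and does not call the Verify API. The `Factor` class, the 20-byte seed length, the one-step skew window and the replay guard are assumptions of this sketch; only the code computation follows RFC 6238.

```python
import hashlib, hmac, secrets, struct, time

def totp(seed: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step that contains `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class Factor:
    """Hypothetical local stand-in for a totp Factor (not the Verify API)."""
    def __init__(self, identity: str):
        self.identity = identity                 # opaque customer identifier, no PII
        self.seed = secrets.token_bytes(20)      # unique seed per Factor (length assumed)
        self.verified = False                    # set once registration is confirmed
        self.last_step = -1                      # newest time step already accepted
        self.challenges = []                     # one record per verification attempt

    def challenge(self, code: str, now=None, skew: int = 1, step: int = 30) -> bool:
        """One Challenge: accept `code` if it matches a step in the skew window."""
        current = int(time.time() if now is None else now) // step
        approved = False
        for s in range(current - skew, current + skew + 1):
            expected = totp(self.seed, s * step, step)
            # Constant-time compare; skip steps already used (assumed replay guard).
            if s > self.last_step and hmac.compare_digest(expected.encode(), code.encode()):
                self.last_step, approved = s, True
                break
        self.challenges.append({"step": current, "approved": approved})
        self.verified = self.verified or approved
        return approved

if __name__ == "__main__":
    factor = Factor("ff483d1ff591898a9942916050d2ca3f")   # constructed identifier
    now = time.time()
    print("registration confirmed:", factor.challenge(totp(factor.seed, now), now))
    print("same code replayed:   ", factor.challenge(totp(factor.seed, now), now))
```

The first approved Challenge doubles as the registration check: it proves the seed reached the user's Authenticator App before the Factor is trusted for later verifications.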

Register a user and TOTP seed

Sequence diagram of TOTP registration and verification process with user, app, frontend, backend, and API interactions.
Sequence diagram showing TOTP verification process with user, authenticator app, and Verify TOTP API interactions.

Ready to start building?

Check out the quickstart for step-by-step instructions.