Verify is also a service offered by Twilio which allows very simple user verification via different channels such as SMS, TOTP, push, email or even voice.
Indeed when you develop a service that requires validating the phone number, an email address or quite simply the connection of a user with a 2FA code, you do not necessarily have the time or the desire to develop a whole system. user validation. This is time consuming and much more complex than it looks, as you have to be able to manage international phone numbers, integrating this verification into the registration/login flow, translating messages and so on.
With Twilio, this whole process can be done super easily with a simple API.
Thanks to this Verify API , you will be able to integrate very simply and very quickly above all, this user validation into an existing project. Thus, when a user will enter his phone number to validate it, the Verify API will send a verification code by SMS, Whatsapp, email or via a phone call with voice synthesis.
The user will then enter this code on the site and the Verify API will ensure that the code corresponds to the one that was sent. If everything is OK, then the phone number or email can be considered valid.
In the case of authentication, Verify can also work with an application push system or TOTP (double authentication application such as Authy for example ).
Set up an SMS validation (or phone call)
To add user phone number verification with Verify to your application, you will first need to establish with the following API:
Using Python, and the Twilio package ( pip install twilio ) we will first initiate a connection with the Verify service using the API keys like this:
from twilio.rest import Client account_sid = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' auth_token = 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx' client = Client(account_sid, auth_token) service = client.verify.services.create( friendly_name='KORBEN VERIFICATION', code_length=10, totp_code_length=6, totp_time_step=30, totp_skew=2, skip_sms_to_landlines=True, )
You will notice that I give a name to my service (friendly_name). I can also specify at this level the length of the code (code_length), the configuration of the TOTP, or even specify that I do not want to send an SMS to a landline number. https://www.twilio.com/docs/verify/api/servicethe service config that I invite you to consult in the API doc here .
Then I’m going to text my user’s phone number like this:
verification = client.verify \ .services(service.sid) \ .verifications \ .create(to='+336xxxxxxxx', channel='sms') print(verification.status) print(verification.sid)
You can see the channel is “SMS”. If I had wanted to set up verification with a phone call instead of an SMS, I would have done like this:
Depending on the phone number entered, the audio / sms message will be translated into the language of the country associated with the number. But you can also force a language with the “locale” parameter like this:
.create(locale='fr', to='+336xxxxxxxx', channel='call')
For Whatsapp, it will suffice to specify “whatsapp” in the channel. And for validation by email, it will be a little different since you will have to configure a mailer before, with a template, a shipping address, etc.
.create(to='[email protected]', channel='email')
Now comes the time to check that the code entered by the user in your application is correct. For this we will use the “verification_checks” function like this:
verification_check = client.verify \ .services('xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx') \ .verification_checks \ .create(to='+336xxxxxxxx', code='1234') print(verification_check.status)
Remember to put the ID of the service generated during the creation of the service (the service.sid) as well as the code entered by the user (I put “1234”) there.
And There you go. Depending on the response (“approved” or “pending” in verification_check.status) you will know if the code entered is correct or not.
That’s super simple!
So that was for the validation of a code by SMS or phone call.
Set up TOTP validation (double authentication)
TOTP is multi-factor authentication. You will see, with Verify it is also super simple.
The first step is to generate a “secret” and possibly a QR Code to scan with an application like Authy or Google Authenticator.
To do this (still in Python in the demo), we will obviously create a connection to the Twilio service as in the previous paragraph, not forgetting to specify the information relating to the TOTP:
service = client.verify.services.create( friendly_name='KORBEN VERIFICATION', code_length=4, totp_code_length=6, totp_time_step=30, totp_skew=2, skip_sms_to_landlines=True, )
Then we will create an entity that will represent our user:
entity = client.verify \ .services(service.sid) \ .entities \ .create(identity='identity') print(entity.sid) print(service.sid)
This entity will have its id (entity.sid) which will be used in setting up double authentication.
To then generate the “secret” that the user will have to enter in his TOTP application, you must create a new factor like this and retrieve the secret contained in new_factor.binding as well as the associated URI.
new_factor = client.verify \ .services(service.sid) \ .entities(entity.sid) \ .new_factors \ .create( friendly_name="Korben's Phone", factor_type='totp' ) print(new_factor.binding['secret']) print(new_factor.binding['uri'])
You can at this level, by referring to the documentation, specify for example the algorithm used (sha1 by default), the renewal time (30 seconds by default), the length of the code, etc.
The obtained secret can then be immediately imported into an application like Authy to obtain the associated 2FA codes (tokens).
To generate a QR code, there are different possible methods depending on your development language. You can also use this site to generate one for your testing. To have a QR Code that works, it will have to be generated from the URI returned at the same time as the secret. This URI looks like this:
As I am using Python, I will use the pyqrcode lib (pip install pyqrcode) and call it like this:
import pyqrcode ... qr = pyqrcode.create(new_factor.binding['uri']) qr.png('qr.png', scale=6)
There you go, I get a nice QR Code to scan with an authentication application.
Then to validate the token returned by Authy, all you have to do is retrieve the code entered by the user (“code” variable in the end of Python below) and validate it with the Verify API. If the status is “verified” it’s all good. If the status is “unverified”, the user cannot be validated.
factor = client.verify.services(service.sid) \ .entities(entity.sid) \ .factors(new_factor.sid) \ .update(auth_payload=code) print(factor.status)
That’s it, I’m done with this introduction to Twilio’s Verify API. As you can see, it’s super easy to learn and it will save you a lot of time.
Regarding the cost, it will of course depend on the volume, but for the SMS channel, it will cost you $0.05 per successful verification + the cost of sending the SMS depending on the country. For the email channel, it will be according to SendGrid pricing . Finally, Push and TOTP channels are included in the verification fee and are charged when a request is approved or denied.