How to Build a 2FA Application the Low-Code Way Using PHLO

Feb 9, 2022

Two-factor authentication (2FA) protects organizations and individuals from unauthorized data access by requiring a level of authentication beyond username and password, to provide added security in the event that those credentials are compromised. One of the simplest ways to institute 2FA types is by sending a one-time password (OTP) sent through a separate communication channel — namely, SMS messaging.

Plivo makes it easy to add 2FA via OTP delivered over SMS to your applications. Whether your applications are coded in Python, Ruby, Node.js, PHP, or C#, we’ve got you covered with language-specific SDKs.

You can create and deploy a PHLO to handle 2FA with a few clicks on the PHLO canvas and trigger it with a few lines of code.

Prerequisites

To get started, you need a Plivo account — sign up with your work email address if you don’t have one already. If this is your first time triggering a PHLO with Node.js, follow our instructions to set up a Node.js development environment.

Create the PHLO

Plivo provides a prototype for 2FA; all you have to do is select the PHLO and give it a friendly name.

Set up the demo application locally

Once you‘ve created the PHLO, download and modify the code to trigger it which is available in 5 different languages which are Python, Ruby, Node.js, PHP, or C#.

Update the config file

Edit the config file. Replace the auth placeholders with your authentication credentials from the Plivo console. Enter your PHLO ID, which you can find on the Plivo console. Replace the phone number placeholder with an actual phone number in E.164 format (for example, +12025551234).

Trigger PHLO

Send SMS and make a call

          def send_verification_code_phlo(self,dst_number,code,mode):
          payload = {
              "from": self.app_number,
              "to": dst_number,
              "otp": code,
              "mode": mode,
          }
          try:
              phlo = self.client_phlo.phlo.get(self.phlo_id)
              response = phlo.run(**payload)
              return response
          except exceptions as e:
              print(e)
              return ("Error encountered", 400)

            public int SendVerificationCodePhlo(String DstNumber, String mode)
          {
            Random r = new Random();
            var code = r.Next(999999);
                  var phloClient = new PhloApi(AuthId, AuthToken);
                  var phloID = PhloId;
                  var phlo = phloClient.Phlo.Get(phloID); 
                  var data = new Dictionary<string, object>
                  {
                      { "from", AppNumber },
                      { "to", DstNumber },
              { "mode", mode },
              { "otp", code },

                  };  
              phlo.Run(data);
                  return code;
            }

            function send_verification_code_phlo($dst_number,$mode)
          {
              $code = random_int(100000, 999999);
              $client = new PhloRestClient($this->config['auth_id'], $this->config['auth_token']);
              try {
                  $phlo = $client->phlo->get($this->config['phlo_id']);
                  $phlo->run(["from" => $this->config['app_number'], "to" => $dst_number, "mode"=>$mode, "otp"=>$code]); // These are the fields entered in the PHLO console
                  return $code;
              } 
              catch (PlivoRestException $ex) {
                  print_r($ex);
              }
          }

            sendVerificationCode_phlo(DstNumber, mode) {
              var payload = {
                  from: this.app_number,
                  to: DstNumber,
                  otp: code,
                  mode: mode
              }
              phloClient = this.phlo_client
              phloClient.phlo(this.phloId).run(payload).then(function() {
                  return code;
              }).catch(function(err) {
                  console.error('Phlo run failed', err);
              });
          }

          var request = require("request");
          var fs = require('fs');
          var url = "https://media.plivo.com/AUTH_ID/Recording/RECORDING_UUID.mp3";
          var file = fs.createWriteStream("file.mp3");
          var request = http.get(url, function(response) {
            response.pipe(file);
            file.on('finish', function() {
                file.close(cb); // close() is async, call cb after close completes.
                });
            }).on('error', function(err) { // Handle errors
                fs.unlink(dest); // Delete the file async. (But we don't check the result)
                if (cb) cb(err.message);
            });
          };

            def initiate_phlo(dst_number, mode)
          code = rand(999_999)
          begin
            phlo = @phloclient.phlo.get(@phlo_id)
            # parameters set in PHLO - params
            params = {
              from: @app_number,
              to: dst_number,
              otp: code,
              mode: mode
            }
            phlo.run(params)
            code
          rescue PlivoRESTError => e
            puts 'Exception: ' + e.message
            end
          end

Verify the OTP

        @app.route("/checkcode/<number>/<code>")
        def check_code(number, code):
            """
            check_code(number, code) accepts a number and the code entered by the user and
            tells if the code entered for that number is correct or not
            """

            original_code = current_app.redis.get("number:%s:code" % number)
            if original_code == code:  # verification successful, delete the code
                current_app.redis.delete("number:%s:code" % number)
                return (jsonify({"status": "success", "message": "codes match, number verified"}),200,)
            elif original_code != code:
                return (
                    jsonify(
                        {
                            "status": "rejected",
                            "message": "codes do not match, number not verified",
                        }
                    ),
                    404,
                )
            else:
                return (jsonify({"status": "failed", "message": "number not found"}), 500)

              public string Index(string number, string code)
            {
              ConnectionMultiplexer redis = ConnectionMultiplexer.Connect(_configuration.GetValue<string>("RedisHost"));
              IDatabase conn = redis.GetDatabase();

              string key = $"number:{number}:code";
              var compare_code = (string)conn.StringGet(key);
    
        if (compare_code == code)
        {
        conn.KeyDelete(key);
        Verification verification = new Verification();
        verification.status = "success";
        verification.message = "Number verified";
        string output = JsonConvert.SerializeObject(verification);
        return output;
        }
        else if(compare_code != code)
        {
         Verification verification = new Verification();
         verification.status = "failure";
         verification.message = "Number not verified";
         string output = JsonConvert.SerializeObject(verification);
         return output;
        }
        			
        else
        {
         Verification verification = new Verification();
         verification.status = "failure";
         verification.message = "number not found";
         string output = JsonConvert.SerializeObject(verification);
         return output;
        }
         }

          get('number:' . $number . ':code');
         
         if ($original_code == $code) {
             $client->del('number:' . $number . ':code');
             echo '{"status": "success", "message": "codes match, number verified"}';
         } elseif ($original_code != $code) {
             echo '{"status": "failure", "message": "codes do not match, number not verified"}';
         } else {
             echo '{"status": "failure", "message": "number not found"}';
         }
         ?>

            router.get('/checkcode/:number/:code', function(req, res) {
          const number = (req.params.number);
          const code = (req.params.code);
          redisClient.get(`number:${number}:code`, function(err, OriginalCode) {
              if (OriginalCode == code) {
                  redisClient.del(`number:${number}:code`);
                  res.send(JSON.stringify({
                      'status': 'success',
                      'message': 'codes match, number verified'
                  }));
              } else if (OriginalCode != code) {
                  res.send(JSON.stringify({
                      'status': 'failure',
                      'message': 'codes do not match, number not verified'
                  }));
              } else {
                  res.send(JSON.stringify({
                      'status': 'failure',
                      'message': 'number not found'
                  }));
              }
          });
          });

          get '/checkcode/:number/:code' do
          ##
          # Validates the code entered by the user
          #
          number = params['number']
          code = params['code']
          original_code = r.get('number:%s:code' % number)
          content_type :json
          if original_code == code
            r.del('number:%s:code' % number)  # verification successful, delete the code
            return { status: 'success', message: 'codes match, number verified' }.to_json
          elsif original_code != code
            return { status: 'failure', message: 'codes do not match, number not verified' }.to_json
          else
            return { status: 'rejected', message: 'number not found' }.to_json
        end

        def initiate_phlo(dst_number, mode)
        code = rand(999_999)
        begin
          phlo = @phloclient.phlo.get(@phlo_id)
          # parameters set in PHLO - params
          params = {
            from: @app_number,
            to: dst_number,
            otp: code,
            mode: mode
          }
          phlo.run(params)
          code
        rescue PlivoRESTError => e
          puts 'Exception: ' + e.message
          end
        end

The finished application should look like this.

Simple and reliable

Edit the sample application to see how simple it was to code. Our simple APIs work in tandem with our comprehensive global network. Plivo’s premium direct routes guarantee highest possible delivery rates and the shortest possible delivery times for your 2FA SMS and voice messages. See for yourself — sign up for a free trial account.