Two-factor authentication (2FA) can play a key role in securing your applications against password data breaches. Authentication with a one-time password (OTP) delivered to your users over SMS is an effective approach to implementing two-factor authentication. Plivo’s premium direct routes guarantee the highest possible delivery rates and the shortest possible delivery times for your 2FA SMS messages.
This guide shows how to set up SMS-based two-factor authentication using either PHLO or traditional API development. PHLO lets you create and deploy workflows from an intuitive graphical canvas in few clicks.
You can create and deploy a PHLO to handle 2FA with a few clicks on the PHLO canvas and trigger it with a few lines of code.
To get started, you need a Plivo account — sign up with your work email address if you don’t have one already. If this is your first time triggering a PHLO with .NET, follow our instructions to set up a .NET development environment.
Plivo provides a prototype for 2FA; all you have to do is select the PHLO and give it a friendly name.
Once you‘ve created the PHLO, download and modify the code to trigger it.
$ git clone https://github.com/plivo/2fa-dotnet-demo.git
$ cd 2fa-dotnet-demo
Open the 2fa folder in Visual Studio.
Edit appsettings.json. Replace the auth placeholders with your authentication credentials from the Plivo console. Enter your PHLO ID, which you can find on the Plivo console. Replace the phone number placeholder with an actual phone number in E.164 format (for example, +12025551234).
Let‘s walk through what the code does.
We use the Time-Based OTP algorithm to generate a random six-digit one-time password (OTP).
1
2
Random r = new Random();
var code = r.Next(999999);
With a single function, we can send an SMS message or make a call via PHLO (in the event the initial SMS message never arrives). The argument that tells PHLO whether to send an SMS message or make a call is mode, and the allowed values passed to it are sms and call.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
public int SendVerificationCodePhlo(String DstNumber, String mode)
{
Random r = new Random();
var code = r.Next(999999);
var phloClient = new PhloApi(AuthId, AuthToken);
var phloID = PhloId;
var phlo = phloClient.Phlo.Get(phloID);
var data = new Dictionary<string, object>
{
{ "from", AppNumber },
{ "to", DstNumber },
{ "mode", mode },
{ "otp", code },
};
phlo.Run(data);
return code;
}
We verify the OTP the user enters on their handset.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
public string Index(string number, string code)
{
ConnectionMultiplexer redis = ConnectionMultiplexer.Connect(_configuration.GetValue<string>("RedisHost"));
IDatabase conn = redis.GetDatabase();
string key = $"number:{number}:code";
var compare_code = (string)conn.StringGet(key);
if (compare_code == code)
{
conn.KeyDelete(key);
Verification verification = new Verification();
verification.status = "success";
verification.message = "Number verified";
string output = JsonConvert.SerializeObject(verification);
return output;
}
else if(compare_code != code)
{
Verification verification = new Verification();
verification.status = "failure";
verification.message = "Number not verified";
string output = JsonConvert.SerializeObject(verification);
return output;
}
else
{
Verification verification = new Verification();
verification.status = "failure";
verification.message = "number not found";
string output = JsonConvert.SerializeObject(verification);
return output;
}
}
To test the application, start the Redis server.
$ redis-server
Build and run the application from Visual Studio. Set up ngrok to expose your local server to the internet.
You should be able to see the application in action at https://<ngrok_identifier>.ngrok.io/.
The finished application should look like this.
Here’s how to implement 2FA using Plivo APIs.
To get started, you need a Plivo account — sign up with your work email address if you don’t have one already. If this is your first time using Plivo APIs, follow our instructions to set up a .NET development environment.
$ git clone https://github.com/plivo/2fa-dotnet-demo.git
$ cd 2fa-dotnet-demo
Open the 2fa folder in Visual Studio.
Edit appsettings.json. Replace the auth placeholders with your authentication credentials from the Plivo console. Replace the phone number placeholder with an actual phone number in E.164 format (for example, +12025551234). Replace the PHLO ID with null.
Let‘s walk through what the code does.
Use the Time-Based OTP algorithm to generate a random six-digit one-time password (OTP).
1
2
Random r = new Random();
var code = r.Next(999999);
Send an SMS message with the OTP to the user’s registered mobile number using Plivo’s Send Message API.
1
2
3
4
5
6
7
8
9
10
public int SendVerificationCodeSms(String DstNumber, String Message)
{
Random r = new Random();
var code = r.Next(999999);
var response = Client.Message.Create(
src: AppNumber,
dst: DstNumber,
text: Message.Replace("__code__", code.ToString()));
return code;
}
If the SMS message doesn’t reach the mobile device, the user can request a voice OTP.
1
2
3
4
5
6
7
8
9
10
11
public int SendVerificationCodeCall(String DstNumber)
{
Random r = new Random();
var code = r.Next(999999);
var response = Client.Call.Create(
to:new List<String>{DstNumber},
from:AppNumber,
answerMethod:"POST",
answerUrl:"https://twofa-answerurl.herokuapp.com/answer_url/"+code);
return code;
}
Verify the OTP the user entered on their handset.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
public string Index(string number, string code)
{
ConnectionMultiplexer redis = ConnectionMultiplexer.Connect(_configuration.GetValue<string>("RedisHost"));
IDatabase conn = redis.GetDatabase();
string key = $"number:{number}:code";
var compare_code = (string)conn.StringGet(key);
if (compare_code == code)
{
conn.KeyDelete(key);
Verification verification = new Verification();
verification.status = "success";
verification.message = "Number verified";
string output = JsonConvert.SerializeObject(verification);
return output;
}
else if(compare_code != code)
{
Verification verification = new Verification();
verification.status = "failure";
verification.message = "Number not verified";
string output = JsonConvert.SerializeObject(verification);
return output;
}
else
{
Verification verification = new Verification();
verification.status = "failure";
verification.message = "number not found";
string output = JsonConvert.SerializeObject(verification);
return output;
}
}
To test the application, start the Redis server.
$ redis-server
Build and run the application from Visual Studio.
Set up ngrok to expose your local server to the internet.
You should be able to see the application in action at https://<ngrok_identifier>.ngrok.io/.
The finished application should look like this.