How to Implement Two-Factor Authentication (2FA) in Seconds?

Complete guide for two-factor authentication with Plivo

Two-factor authentication (2FA) enhances security beyond usernames and passwords. Incorporating a separate, unconnected authentication channel into your product’s authentication process makes it difficult for malicious actors to compromise secure systems.

Different Forms of 2FA: How to Implement Two-Factor Authentication

The second factor used for 2FA can take different forms, including:

  • one-time passwords (OTP) sent through a separate communication channel such as an SMS text message or a voice call;
  • biometric factors such as a fingerprint, retina scan, or facial or voice recognition; and
  • an authenticator app or hardware token that provides a time-sensitive code.

Leveraging Plivo for 2FA Implementation with OTPs

Plivo provides the first approach, letting you implement one-time passwords sent on demand, typically via text message. Using SMS for OTPs works well in today’s world, where virtually everyone carries a mobile device, and it’s simpler than requiring consumers to download an app and run it every time they want to retrieve an authentication code. Plivo Voice API also provides a way to send OTPs via voice call, using automated text-to-speech technology to read passwords to recipients. In fact, you can use voice as a fallback channel should an SMS OTP fail for any reason.

Sending SMS OTPs: How to Implement 2FA with Plivo’s API

Plivo is a cloud communications platform that connects your code and the global telecom network. We provide application programming interfaces (API) that let you invoke actions on the Plivo platform. (An API is a set of definitions and protocols that provides an easy, standard way for two applications to communicate with each other.) We carry out actions on your behalf, such as sending and receiving text messages and making and receiving voice calls.

To send an SMS message that provides a user with an OTP, a developer would write code that calls the Plivo Send SMS API. Each API requires certain parameters; in this case, they include

  • an authentication ID and authentication token, the programmatic equivalent of a username and password. Plivo uses these to make sure the program is authorized to use Plivo services in general and the organization’s data in particular.
  • a source number — the phone number that should appear on the recipient’s handset to show where it was sent from.
  • a destination number — the phone number of the recipient.
  • message text — the body of the message, which in the case of 2FA might say something like “Your security code is 123456. Enter this six-digit number on your login screen.”
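
One way to generate and later check the six-digit code that goes into the message text, as an added example (not Plivo's code and not part of the original article). The `OtpStore` class, the five-minute lifetime and the five-guess limit are assumptions of this example; the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # the page's sample message uses a six-digit code
CODE_TTL_SECONDS = 300   # assumed lifetime; not specified on the page
MAX_ATTEMPTS = 5         # assumed guess limit; not specified on the page


class OtpStore:
    """In-memory store keyed by destination number (hypothetical helper)."""

    def __init__(self, server_key):
        self._key = server_key
        self._pending = {}  # dst -> [digest, expires_at, attempts_left]

    def _digest(self, dst, code):
        # Keyed hash bound to the number: a dump of the store alone reveals no codes.
        return hmac.new(self._key, f"{dst}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, dst, now=None):
        now = time.time() if now is None else now
        # secrets.randbelow draws from the OS CSPRNG; zero-pad to keep six digits.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[dst] = [self._digest(dst, code), now + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code

    def verify(self, dst, submitted, now=None):
        now = time.time() if now is None else now
        entry = self._pending.get(dst)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            del self._pending[dst]  # expired or guessed out: a new code must be issued
            return False
        entry[2] = attempts_left - 1
        if hmac.compare_digest(digest, self._digest(dst, submitted)):
            del self._pending[dst]  # one-time: a correct code cannot be replayed
            return True
        return False


def message_text(code):
    # Wording taken from the page's sample message.
    return f"Your security code is {code}. Enter this six-digit number on your login screen."
```

The string returned by `message_text` is what would be passed as the message text parameter; only the keyed digest of the code stays on the server.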

Advanced Capabilities of Plivo’s 2FA API

That’s the simple case — you can also take advantage of more advanced capabilities like sending images, sending to multiple recipients, and expiring messages that aren’t received within a specified time so you’re not charged for them. You can also redact sensitive information such as part of the destination number and the message content if you have privacy constraints.

If you’re a developer and comfortable with programming code, our Send SMS API documentation shows you all of the API’s required and optional parameters, and provides code samples.

Behind the Scenes: How Plivo’s 2FA API Works

When you call an API from your program, the data gets sent to Plivo. Our platform validates it (using the authentication parameters provided), examines the values sent, and decides what to do with the data. In the case of a valid Send SMS call, Plivo connects to the telecommunications network, and specifically to a carrier in the country in which the recipient’s phone number is provisioned. It sends the text as if it were coming from a handset associated with the specified source number. It then awaits confirmation that the text was sent to and/or received by the recipient.

Depending on which optional parameters a developer specified, it might report that status information back to the calling program. Even if it doesn’t, Plivo keeps a record of the status, which is available to organizations in the form of call logs on the Plivo console. Plivo also debits the customer’s account for the cost of sending a text message to a recipient in the specified country.

Why Use Plivo’s 2FA API for Implementing Two-Factor Authentication?

Going through Plivo lets you avoid having to set up and maintain a relationship with telecom carriers yourself. While theoretically you could do it yourself, no organization can afford to take developer resources away from the systems that make their businesses unique and devote them instead to what amounts to creating basic infrastructure, given that communications platforms as a service (CPaaS) exist.

Beyond ease of use and faster time to market, a CPaaS like Plivo also makes sure your organization stays compliant with country and carrier regulations, such as allowed sending times; hourly, daily, and weekly sending rate limits; and approved content templates. It’s also cost-effective, in that you have no hardware to procure and manage, and you pay only for the texts you send and phone numbers you rent to support your use cases.

Technical Walkthrough: Calling Plivo’s 2FA API

If you’re interested in the technical aspects of calling an API, here’s an example. The cURL request to call Plivo's API for sending a 2FA message would look something like this:

curl -i --user auth_id:auth_token \
-H "Content-Type: application/json" \
-d '{"src": "<from_number>", "dst": "<to_number>", "text": "Your Plivo verification code is 123456", "url":"https://<yourdomain>.com/sms_status/"}' \
https://api.plivo.com/v1/Account/{auth_id}/Message/

In this command

  • auth_id and auth_token are your Plivo API credentials, which you can find on the console.
  • src is the sender from which you want your customers to receive the OTP.
  • dst is the phone number or numbers that you want the code to be sent to.
  • text is the content that you want to send.
  • url is an optional parameter that you can use to configure callbacks.

When you execute this code, Plivo queues your message to be sent to the destination numbers. You can check whether your message was delivered by incorporating an HTTP callback in the sending code. Callbacks, a.k.a. event-based webhooks, let you track message delivery status. If your callback fails to return a status of “delivered” within a certain period of time, you could send the message again.

Utilizing SDKs for Easy 2FA Implementation

Plivo supports all these features with software development kits. An SDK is a set of tools that help developers use our APIs to integrate their applications with Plivo. We offer SDKs for seven popular languages:

  • Python
  • JavaScript (Node.js)
  • Java
  • Ruby
  • PHP
  • C# (.NET)
  • Go

Enhancing 2FA with Voice OTPs Using Plivo’s API

Suppose your SMS-based OTP failed after a resend. It’s prudent to give people the option of requesting the code be sent via a voice call. With that option, the CPaaS generates a code, calls the requester, and reads the code over the phone using text-to-speech software. Because Plivo offers both a messaging and a voice API, it’s easy to code voice OTPs, as in this cURL example.

curl -i --user AUTH_ID:AUTH_TOKEN \
-H "Content-Type: application/json" \
-d '{"from": "<from_number>", "to": "<to_numbers>", "answer_url": "https://<yourdomain>.com/xmldir/spearline.xml", "answer_method": "GET"}' \
https://api.plivo.com/v1/Account/{auth_id}/Call/

In this command, the answer URL returns XML containing a Plivo Speak element, which reads the OTP out to the customer.
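
The escalation described in the callback and voice OTP sections (send, resend once if no "delivered" status arrives, then fall back to a voice call) can be written as a small state tracker. This is an added example, not Plivo's code or part of the original article; `DeliveryTracker`, the 30-second wait and the action names are assumptions, and only the "delivered" status comes from the page.

```python
RESEND_AFTER_SECONDS = 30  # assumed; the page says only "a certain period of time"
MAX_SMS_SENDS = 2          # first send plus one resend, then fall back to voice


class DeliveryTracker:
    """Tracks one pending OTP delivery per destination number (hypothetical helper)."""

    def __init__(self):
        self._attempts = {}

    def sms_sent(self, dst, now):
        # Record the first SMS for this number.
        self._attempts[dst] = {"sent_at": now, "sms_sends": 1,
                               "channel": "sms", "delivered": False}

    def on_status_callback(self, dst, status):
        # Called by the webhook handler. Numbers with no pending OTP are
        # ignored, so a stray callback cannot create tracking state.
        attempt = self._attempts.get(dst)
        if attempt is not None and status == "delivered":
            attempt["delivered"] = True

    def next_action(self, dst, now):
        """Return 'none', 'wait', 'resend_sms' or 'voice_call'."""
        attempt = self._attempts.get(dst)
        if attempt is None or attempt["delivered"] or attempt["channel"] == "voice":
            return "none"
        if now - attempt["sent_at"] < RESEND_AFTER_SECONDS:
            return "wait"
        attempt["sent_at"] = now
        if attempt["sms_sends"] < MAX_SMS_SENDS:
            attempt["sms_sends"] += 1
            return "resend_sms"
        # The send cap bounds what one login can cost, since every text is billed.
        attempt["channel"] = "voice"
        return "voice_call"
```

A caller polls `next_action` on a timer and issues the SMS or Call API request shown above when it returns `resend_sms` or `voice_call`.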

Why Choose Plivo’s 2FA API for Implementing Two-Factor Authentication?

Many cloud communications platforms let businesses offer 2FA, but Plivo has some advantages over other platforms.

High deliverability: Plivo deploys simulated handsets as test nodes, provisioned with real phone numbers from operators local to each region. We send messages to these test nodes, and the results we receive back help our dynamic routing engine intelligently route messages around delays to ensure deliverability.

High reliability: The Plivo platform is exceptionally stable. You can check our record for the past month by visiting our status page.

Low costs: Costs differ by country and by the number type you use, but if you compare our SMS API prices against those of other CPaaS, chances are we’re going to be better for your budget. And we’re fully transparent about our pricing, unlike some platforms that require you to talk to a salesperson.

Global reach: Plivo’s Premium Communications Network includes more than 1,600 carriers in 190+ countries around the world.

Comprehensive documentation: Time and again we hear from users that our documentation helped them get started quickly and answered most of their questions.

White-glove support: For those occasions when you need individual help, our support team stands ready. We offer free basic support through our support portal around the clock on weekdays, and have premium support plans that offer coverage with guaranteed response times, phone and Slack conversations, and weekend support.

If all of that sounds good but you don’t believe anything until you see it yourself, take advantage of our free trial. Sign up for free and we’ll give you credits so you can build your own proof-of-concept application.