How to Implement 2FA, from Concepts to Code
Complete guide for two-factor authentication with Plivo
Two-factor authentication (2FA) enhances security beyond usernames and passwords. Incorporating a separate, unconnected authentication channel into your product’s authentication process makes it difficult for malicious actors to compromise secure systems.
The second factor used for 2FA can take different forms, including
- one-time passwords (OTP) sent through a separate communication channel such as an SMS text message or a voice call
- biometric factors such as a fingerprint, retina scan, or facial or voice recognition; and
- an authenticator app or hardware token that provides a time-sensitive code.
How does Plivo work?
Plivo is a cloud communications platform that connects your code and the global telecom network. We provide application programming interfaces (API) that let you invoke actions on the Plivo platform. (An API is a set of definitions and protocols that provides an easy, standard way for two applications to communicate with each other.) We carry out actions on your behalf, such as sending and receiving text messages and making and receiving voice calls.
To send an SMS message that provides a user with an OTP, a developer would write code that calls the Plivo Send SMS API. Each API requires certain parameters; in this case, they include
- an authentication ID and authentication token, the programmatic equivalent of a username and password. Plivo uses these to make sure the program is authorized to use Plivo services in general and the organization’s data in particular.
- a source number — the phone number that should appear on the recipient’s handset to show where it was sent from.
- a destination number — the phone number of the recipient.
- message text — the body of the message, which in the case of 2FA might say something like “Your security code is 123456. Enter this six-digit number on your login screen.”
If you’re a developer and comfortable with programming code, our Send SMS API documentation shows you all of the API’s required and optional parameters, and provides code samples.
What happens when you run the program that calls the API?
When you call an API from your program, the data gets sent to Plivo. Our platform validates it (using the authentication parameters provided), examines the values sent, and decides what to do with the data. In the case of a valid Send SMS call, Plivo connects to the telecommunications network, and specifically to a carrier in the country in which the recipient’s phone number is provisioned. It sends the text as if it were coming from a handset associated with the specified source number. It then awaits confirmation that the text was sent to and/or received by the recipient. Depending on what optional parameters a developer specified, it might report that status information back to the calling program. Even if it doesn’t, Plivo keeps a record of the status, which is available to organizations in the form of call logs on the Plivo console. Plivo also debits our customer’s account for the cost of sending a text message toward someone in the specified country.
Can you send text messages from a program without using a cloud communications platform?
Going through Plivo lets you avoid having to set up and maintain a relationship with telecom carriers yourself. While theoretically you could do it yourself, no organization can afford to take developer resources away from the systems that make their businesses unique and devote them instead to what amounts to creating basic infrastructure, given that communications platforms as a service (CPaaS) exist.
Beyond ease of use and faster time to market, a CPaaS like Plivo also makes sure your organization stays compliant with country and carrier regulations, such as allowed sending times; hourly, daily, and weekly sending rate limits; and approved content templates. It’s also cost-effective, in that you have no hardware to procure and manage, and you pay only for the texts you send and phone numbers you rent to support your use cases.
What does calling an API look like?
If you’re interested in the technical aspects of calling an API, here’s an example. The cURL request to call Plivo's API for sending a 2FA message would look something like this:
curl -i --user auth_id:auth_token \
-H "Content-Type: application/json" \
-d '{"src": "<from_number>", "dst": "<to_number>", "text": "Your Plivo verification code is 123456", "url":"https://<yourdomain>.com/sms_status/"}' \
https://api.plivo.com/v1/Account/{auth_id}/Message/
In this command
- auth_id and auth_token are your Plivo API credentials, which you can find on the console.
- src is the sender from which you want your customers to receive the OTP.
- dst is the phone number or numbers that you want the code to be sent to.
- text is the content that you want to send.
- url is an optional parameter that you can use to configure callbacks.
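The request above carries a fixed 123456; in a login flow the code is generated per attempt and checked on the server. The following Python is an added example, not Plivo's code: it issues a code, builds the JSON body with the src, dst and text fields shown above, and verifies a submission. The function names, the in-memory store, the 5-minute lifetime, the five-attempt limit and SERVER_KEY are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

OTP_TTL_SECONDS = 300                  # assumed validity window
MAX_ATTEMPTS = 5                       # assumed guess limit per issued code
SERVER_KEY = secrets.token_bytes(32)   # stand-in for a secret held outside the OTP store


def _digest(code):
    # Keyed hash, so the store never holds the code itself.
    return hmac.new(SERVER_KEY, code.encode(), hashlib.sha256).digest()


def issue_otp(store, user_id, src, dst, now=None):
    """Create a 6-digit OTP, record its digest, return the Send SMS JSON body."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG; keeps leading zeros
    store[user_id] = {
        "digest": _digest(code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return json.dumps({"src": src, "dst": dst,
                       "text": f"Your Plivo verification code is {code}"})


def verify_otp(store, user_id, submitted, now=None):
    """True once for the correct code; False if wrong, expired, reused or locked out."""
    now = time.time() if now is None else now
    entry = store.get(user_id)
    if entry is None:
        return False
    if now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
        del store[user_id]                     # expired or too many guesses
        return False
    entry["attempts"] += 1
    if hmac.compare_digest(_digest(submitted), entry["digest"]):
        del store[user_id]                     # single use
        return True
    return False
```

The returned string is what goes in the -d argument of the cURL request; a production store would be a shared cache or database rather than a dict.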
Plivo supports all these features with software development kits. An SDK is a set of tools that help developers use our APIs to integrate their applications with Plivo. We offer SDKs for seven popular languages:
- Python
- JavaScript (Node.js)
- Java
- Ruby
- PHP
- C# (.NET)
- Go
curl -i --user AUTH_ID:AUTH_TOKEN \
-H "Content-Type: application/json" \
-d '{"from": "<from_number>", "to": "<to_numbers>", "answer_url": "https://<yourdomain>.com/xmldir/spearline.xml", "answer_method": "GET"}' \
https://api.plivo.com/v1/Account/{auth_id}/Call/
In this command, the answer URL has a Plivo Speak XML element that reads out the OTP to the customer.
Why choose Plivo for 2FA?
Many cloud communications platforms let businesses offer 2FA, but Plivo has some advantages over other platforms.
High deliverability
Plivo deploys simulated handsets as test nodes, provisioned with real phone numbers from operators local to each region. We send messages to these test nodes, and the results we receive back help our dynamic routing engine intelligently route messages around delays to ensure deliverability.
High reliability
The Plivo platform is exceptionally stable. You can check our record for the past month by visiting our status page.
Low costs
Costs differ by country and by the number type you use, but if you compare our SMS API prices against those of other CPaaS, chances are we’re going to be better for your budget. And we’re fully transparent about our pricing, unlike some platforms that require you to talk to a salesperson.
Global reach
Plivo’s Premium Communications Network includes more than 1,600 carriers in 190+ countries around the world.
Comprehensive documentation
Time and again we hear from users that our documentation helped them get started quickly and answered most of their questions.
White-glove support
For those occasions when you need individual help, our support team stands ready. We offer free basic support through our support portal around the clock on weekdays, and have premium support plans that offer coverage with guaranteed response times, phone and Slack conversations, and weekend support.
If all of that sounds good but you don’t believe anything until you see it yourself, take advantage of our free trial. Sign up for free and we’ll give you credits so you can build your own proof-of-concept application.