Two-factor Authentication in RDMLX using Twilio’s Authy

by | Dec 4, 2017

What is Two-Factor Authentication (2FA)?

In short, it’s an authentication mechanism that relies on an additional factor, in addition to username/password. It’s very likely that you would have personally experienced at least one form of two-factor authentication as 2FA is commonly employed in banking apps on smartphones. The second authentication factor is generally a one-time token that’s sent as a text message to your mobile number, or generated using an app that you need to install on your smartphone.

 

 

 

 

 

Twilio’s Authy is one of the popular services that let you easily send one-time tokens to your end-users using text messages (SMS) or push notifications. This article will show you how to create and setup a Twilio account (free trial – no credit card required), and how to invoke the service using the Web API Client Library.

Download the Latest Web API Client Library

The latest Web API Client Library contains the following components that demonstrate how to use Twilio’s Authy for two-factor authentication:

  • XWebApi_TwilioAuthy
    Authy client that encapsulates the core Authy functionality.
  • xDemoAuthy2FAWebPage
    A web page that demonstrates the usage of XWebApi_TwilioAuthy.
  • xDemoAuthy2FAServerModule
    A server module that demonstrates the usage of XWebApi_TwilioAuthy
  • xDemoWebApiUserAccount
    A database table used in the demonstration. The table stores the user account details (emails, phone numbers, password hashes).

Download the latest Web API Client Library from the following URL:
https://developer.lansa.com/files/WebApiClientLibrary.zip

Also, Password Hashing…

In addition to two-factor authentication, the example also demonstrates how to properly hash user passwords for storage in the database.

Have a look at the following two methods in the xDemoAuthy2FAServerModule:

  • ComputePasswordHash
  • VerifyPassword

XWebApi_TwilioAuthy Component

This component allows you to do the following:

  • Register a user’s phone number (recipient of authentication tokens).
    The registration process returns an Authy ID, which needs to be stored in the user database table, associated with a user that owns the phone number.
  • Deliver authentication token via SMS or mobile app.
  • Deliver authentication token via voice call.
  • Verify authentication tokens provided by end-users.

Have a look at the xDemoAuthy2FAWebPage web page for demonstration of usage.

Creating and Configuring Your Twilio Account

Before you can run the example and send 2-FA messages, you would need to create and configure your Twilio account.

Navigate to this URL:
https://www.twilio.com/authy

Click on the Sign up and start building button.

You will be asked to enter a mobile number to verify that you are not a robot.
You can also ask for a voice verification if you don’t want to use your mobile number. To do that, click on the we call you instead link.

You will now be presented with the create project screen. Make up a name and enter it:

Setting up an Authy Project

In order to use Authy 2-factor authentication, you would need to create an Authy application inside your Twilio project.

From your project’s dashboard, go to the Get Start with Twilio pane, click on the drop-down and choose Authy. Click on the Get Started button.

You will need to verify your phone number again.

Finally you are asked to enter your application now.

Note that this name will appear in the messages sent to the end-users, so make sure that you choose an appropriate name.

On the next screen “3. Next Steps”, click on the Setup App button.

You should be all setup now to use Authy’s 2-factor authentication feature.

Navigating to Your Authy Apps from the Twilio Dashboard

To go to your Authy apps, click on the Authy tab on the left navigation pane.

You should be presented with your newly created Authy app.

Retrieving your Authy API Key

The last step you need to do before you can send an authentication token using RDMLX is to retrieve your Authy API key (you need to specify this API key in your RDMLX source code).

Go to your Authy application list and click your newly created application:

You should see the Settings link on the left navigation pane:

Click on the Settings link. Under General Settings you should see the Production API Key.

Click to reveal the API key. You can then select it an copy it to the clipboard.

Inserting the Authy API Key to WebApi_CommonInfo

Go to your LANSA IDE and open the WebApi_CommonInfo component.

Look for the TwilioAuthyApiKey method. Replace the placeholder text with your actual API key copied in the previous step.

Run The Example…

Compile all the components in the Web API Client Library.

Run the xDemoAuthy2FAWebPage web page. You should see a webpage that has 2 sections. The left side lets you register a user, and the right side is where you test the login process with 2-factor authentication.

SMS vs Mobile App

By default, your Authy account is setup so that it first checks if the Authy mobile app is installed on the end-user’s phone. If the app is installed, Authy server will send a push notification to the app, which will ask the user to open the app and generate the authentication token. No SMS will be sent.

If Authy determines that the mobile app is not installed, it will use SMS as a fallback. There are settings to change this if this is not the desired behaviour.

The Authy app for phones can be downloaded from App Store/Google Play.

Have a look also at this Authy blog below about your options and the limitations/security risks of using SMS vs locally generated tokens (using smartphone apps).

https://authy.com/blog/security-of-sms-for-2fa-what-are-your-options/