What is Two-factor authentication (2FA)?

Have you ever had a bank send you a text message with a one-time passcode to confirm your login credentials? That's an example of two-factor authentication (2FA) in action.

2FA is a way to increase security by adding a second authentication method. This makes it harder for someone to hack into user accounts. In practice, the way it typically works is that a user will first log in through entering their username and password. After that, the user is prompted to enter their phone number and receive a text message with a code or receive a phone call and voice message with a code. The user is prompted to enter their code. If their entry matches what they were sent,, the user is fully authenticated and logged into the product home screen.

Increased security is better at protecting companies’ data, which is beneficial for the company and end users. Fewer user account hacks due to weak passwords means that companies save on support resources andsecurity resources otherwise spent investigating problems. And of course, for end-users, it brings more peace of mind knowing that they will avoid the hassle of compromised data, resetting passwords, and figuring out how to create normalcy again. By implementing 2FA, the chances of a user account getting hacked are reduced dramatically.

How to enable 2FA

Two common ways to enable 2FA are to set it up using SMS and using voice. For this example, we’ll focus on SMS, because SMS is a very popular method for setting up two-factor authentication. Using an SMS API, you can build all of the functionality yourself in your own code. Or you can use an API like the 8x8 Mobile Verification API to get up and running quicker. We’ll focus on this because it will save you a lot of development time. 

Step 1: Sign up and get your API key and Subaccount ID

Go to the 8x8 SMS API sign up page and create an account. Verify your account from your email. Then, navigate in the portal to the API keys page to find your API key and Subaccount ID. 

Step 2: Edit the curl code template for sending the OTP code

To generate and send the one-time passcode (OTP) in your 2FA flow, use this curl code as a template. 

curl -i -X "POST" https://api.wavecell.com/verify/v1/amazing_hq -H "Authorization: Bearer OiLc1xKaghw3sD*********WtLQn4WjvOww" -H "Content-Type: application/json" -d $'{ "destination": "98765432", "country": "SG", "productName": "Amazing Product" }'

Here’s what you need to customize in the above template for your specific implementation:

  • Amazing_hq - swap that out with your subaccount ID
  • OiLc1xKaghw3sD*********WtLQn4WjvOww - replace this with your API key
  • 98765432 - put in the phone number you want to send the 2FA message to
  • SG - enter the country code of the phone number you’re sending to
  • Amazing Product - replace this with the company name or product name you want showing up in the 2FA text message

Step 3: Edit the curl code template for verifying the user inputs the correct code

To verify the user inputs the correct code into your login process, use this curl code template.

curl -X GET 'https://api.wavecell.com/verify/v2/amazing_hq/c96a488d-5704-459e-9dee-3dd8138b3a52?code=7085' -H "Authorization: Bearer OiLc1xKaghw3sD*********WtLQn4WjvOww"

Customize the above code in these ways to make it work for your account:

  • Amazing_hq - swap that out with your subaccount ID
  • C96a488d-5704-459e-9dee-3dd8138b3a52 - swap the uid, the unique identifier returned by the API call from the previous step
  • 7085 - replace this with the code value returned by the API call from the previous step
  • OiLc1xKaghw3sD*********WtLQn4WjvOww - replace this with your API key

Step 4: Check if the status returned is Verified

When you run the code from the last step, the JSON response will look like this:

{ "uid": "c96a488d-5704-459e-9dee-3dd8138b3a52", "resourceUri": "/verify/v2/amazing_hq/aa0fb28141bd4bedae848f9615b0221e", "msisdn": 6598765432, "status": "VERIFIED", "attempt": 0, "expiresAt": "2017-08-29T21:43:26.641256+00:00", "nextSmsAfter": "2017-08-29T21:38:36.641256+00:00" }

If the status is listed as VERIFIED, then the user has successfully received and inputted the correct OTP code. Now it’s safe to allow them to authenticate into your product and you’re all done! You’ve successfully enabled 2FA in your product.

Examples of companies using 2FA

There are many companies using 2FA to increase security. Here are a few examples from 8x8 customers:

  • Monex, a leading futures broker in Indonesia, not only uses SMS for its two-factor authentication, but it also uses it to keep customers abreast of the latest market trends and news.
  • Traveloka is a leading hotel and flight booking platform in Southeast Asia. 8x8’s messaging solutions support their one-time passcodes, promotions, and SMS notification efforts.
  • Tokopedia, a leading marketplace in Indonesia, uses SMS for mobile verification, as well as notifying customers of its deliveries and upcoming promotions.
  • 8x8’s messaging solution helps Paidy, a Japan-based fintech company, to enable two-factor authentication and notify their users within seconds.

Enabling 2FA is easy to implement and has great benefits for companies. Sign up now to try it out, or check out the documentation to learn more.