An Overview of Two-Factor Authentication (2FA)
Have you ever had a bank send you a text message with a one-time passcode to confirm your login credentials? That's an example of two-factor authentication (2FA) in action.
2FA is a way to increase security by adding a second authentication method. This makes it harder for someone to hack into user accounts, because a stolen or guessed password is no longer enough on its own. In practice, a user typically first logs in by entering their username and password. Once those have been entered correctly, the user is prompted to enter their phone number to receive a text message with a code, or to have their phone called and hear a voice message that reads out a code. The user is then prompted to enter the code they just received. If their entry matches what was sent to them, the user is authenticated and logged in to the home screen of the product.
Increasing security protects companies’ data better, which benefits both the company and the end user. Fewer user account hacks due to weak passwords means that companies spend fewer support resources speaking with hacked customers and fewer security resources investigating the problems. And of course, for end users, it brings more peace of mind knowing that they will avoid the hassle of seeing what was compromised, resetting passwords, and figuring out how to create normalcy again. By implementing 2FA, the chances of a user account getting hacked are reduced dramatically.
Benefits
- Fast time to implement, with just a few lines of code
- Get support anytime - it’s available to everyone 24/7
- Reach customers anywhere with a reliable, fast global network that was built in Asia, so it can handle complex networks
- Prevent spammers and fraudulent transactions through 2FA
Examples of companies using it
Monex, a leading futures broker in Indonesia, not only uses SMS for its two-factor authentication but also uses it to keep customers abreast of the latest market trends and news.
Traveloka is a leading hotel and flight booking platform in Southeast Asia. 8x8’s messaging solutions support their one-time passcodes, promotions, and SMS notification efforts.
Tokopedia, a leading marketplace in Indonesia, uses SMS for mobile verification, as well as notifying customers of its deliveries and upcoming promotions.
8x8’s messaging solution helps Paidy, a Japan-based fintech company, to enable two-factor authentication and notify their users within seconds.
Features
Core Features | |
Send one-time passcodes (OTP) via SMS or voice | Send an SMS or voice OTP with a 3-10 character code for verification |
Sender/Caller ID | Customise the sender ID or caller ID that appears on users' devices. |
Verified Sender | Get your brand's own verified account to improve the credibility of your messaging account after activating Google Verified SMS |
Intelligent Routing | The system will automatically select the best available routes including automated fallbacks to other alternatives to ensure quality of service, deliverability and latency |
Auto Adaptation | Messages, phone number formats and Sender IDs are automatically adapted to ensure successful delivery. For Chat Apps, rich media is adapted accordingly |
Programmatic History Retrieval | Retrieve your API history programmatically to import your data and create your own reports |
Customisable Fields in API | Specify custom fields such as contact name or order number in your messages via our API or Campaign Manager |
Number Lookup | Clean your database and step up on anti-fraud measures by checking the validity of phone numbers and their current locations |
No Download Required | Communicate with customers without needing them to download any additional apps |
Content Localization Compatibility | Voice can be used in 45 local languages; SMS can use special encodings to send messages containing local characters (e.g. Thai characters, European accents, etc.) |
Virtual Phone Numbers | Virtual phone numbers allow communications to take place privately and securely, without revealing private information. |
Reporting and Analytics | |
Messages Sent | Observe trends on total messages sent on the Customer Portal or through API callbacks |
Message and Call Status | Obtain message delivery/call status records of incoming or outgoing messages via Customer Portal or customized callback URLs |
Read Receipts | Obtain read receipts for select channels through callback URLs or Customer Portal reports after activating Google Verified SMS |
Individual Communication Logs | Easily access communication logs through the Customer Portal or API callbacks |
Destination Countries | Analyse destination countries of messages through Customer Portal dashboard |
Integrations | |
Zendesk | Add mobile verification messaging from within your Zendesk app |
Zapier | Connect your apps on Zapier and create custom 8x8 Zaps |
Workato | Integrate mobile verification messaging with Workato's workflows |
Shortcuts | Add mobile verification messaging on your Apple Shortcuts |
Security and Compliance | |
Private Network | Private network, with 3 levels of restricted subnets |
Limited Access | Strict permission policies, access only over secured methods |
Encryption | All requests use HTTPS/TLS encryption (IPSec connection supported if needed) |
Reliability | 99.993% uptime, with redundancy over multiple app-servers |
Monitoring | Automated testing and alerting systems, with 24/7 monitoring by operations team |
GDPR Compliance | Platform fully compliant with General Data Protection Regulation (GDPR) requirements when handling personal data of clients and end users |
Support | |
24/7/365 Support | Round the clock support to solve any issues you may face |
Local Presence | Worldwide presence to ensure local reliability |
Mobile Verification API Parameters that can be Modified
You can send a simple request body that only contains the phone number you’re sending to. However, you can optionally add many more parameters to modify the standard message sent and its characteristics.
Destination | The phone number you’re sending to. It can be with or without the international prefix for the country of the phone number |
Channel | Designates whether the mobile verification request should be sent via SMS text or via a voice call |
Country | The country code of the phone number you’re sending to if the destination is specified without an international prefix |
Template | Defines the message body template of the message if you choose to modify the standard template |
Brand | The brand parameter can be inserted in the message body to show the company it’s coming from |
Code length | The number of characters for the one-time passcode |
Code validity | The time in seconds that the one-time passcode is valid for before it expires |
Code type | The type of characters used for the code. Options include numeric, numeric with dash, alphanumeric, all capital alphanumeric, and easy to read alphanumeric. |
Language | The language of voice to read the text to the end user when a voice call is specified as the channel |
Source | The from address that is used when delivering an SMS text or the caller ID when delivering a voice call. It can be alphanumeric or numeric, depending on the country. |
Voice Profile | Designates the voice, gender, and accent to be used in the voice call |
Speed | The speed at which the speech in the voice call is spoken |
Repetition | The number of times to repeat the content in the voice call |
Reset Session | If another code is requested during the validity period, this determines if the same code or a new code will be sent |
Resending Interval | A time interval in seconds that is defined to avoid sending multiple codes to the same number in the given time interval |
Encoding | The character set encoding to be used when sending an SMS text. The API can analyze the text message body and automatically choose the correct encoding, or GSM7 or UCS2 can be manually selected. |
API Key | The specific API key from the portal that is to be used for the API request |
Subaccount ID | The specific subaccount ID from the portal that is to be used for the API request |
How to Enable Mobile Verification API
Sign up and get your API key and Subaccount ID
Two common ways to enable 2FA are to set it up using SMS or using voice. For this example, we’ll focus on SMS, because SMS is a very popular method for setting up two-factor authentication. Using an SMS API, you can build all of the functionality yourself in your own code. Or you can use an API like the 8x8 Mobile Verification API to get up and running quicker. We’ll focus on this because it will save you a lot of development time.
- Go to the 8x8 SMS API sign up page and create an account.
- Verify your account from your email.
- Then navigate in the portal to the API keys page to find your API key and Subaccount ID.
Edit the curl code template for sending the OTP code
To generate and send the one-time passcode (OTP) in your 2FA flow, use this curl code as a template.
curl -i -X "POST" https://api.wavecell.com/verify/v1/amazing_hq -H "Authorization: Bearer OiLc1xKaghw3sD*********WtLQn4WjvOww" -H "Content-Type: application/json" -d $'{ "destination": "98765432", "country": "SG", "productName": "Amazing Product" }'
Here’s what you need to customize in the above template for your specific implementation:
- “amazing_hq” - swap that out with your subaccount ID
- “OiLc1xKaghw3sD*********WtLQn4WjvOww” - replace this with your API key
- “98765432” - put in the phone number you want to send the 2FA message to
- "SG" - enter the country code of the phone number you’re sending to
- “Amazing Product” - replace this with the company name or product name you want showing up in the 2FA text message
Edit the curl code template for verifying the user inputs the correct code
To verify the user inputs the correct code into your login process, use this curl code template.
curl -X GET 'https://api.wavecell.com/verify/v1/amazing_hq/c96a488d-5704-459e-9dee-3dd8138b3a52?code=7085' -H "Authorization: Bearer OiLc1xKaghw3sD*********WtLQn4WjvOww"
Customize the above code in these ways to make it work for your account:
- “amazing_hq” - swap that out with your subaccount ID
- “c96a488d-5704-459e-9dee-3dd8138b3a52” - swap the uid, the unique identifier returned by the API call from the previous step
- “7085” - replace this with the code value returned by the API call from the previous step
- “OiLc1xKaghw3sD*********WtLQn4WjvOww” - replace this with your API key
Check if the status returned is Verified
When you run the code from the last step, the JSON response will look like this:
{ "uid": "c96a488d-5704-459e-9dee-3dd8138b3a52", "resourceUri": "/verify/v1/amazing_hq/aa0fb28141bd4bedae848f9615b0221e", "msisdn": 6598765432, "status": "VERIFIED", "attempt": 0, "expiresAt": "2017-08-29T21:43:26.641256+00:00", "nextSmsAfter": "2017-08-29T21:38:36.641256+00:00" }
If status is listed as VERIFIED, then the user has successfully received and inputted the correct OTP code. Now it’s safe to allow them to authenticate into your product and you’re all done! You’ve successfully enabled 2FA in your product.
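The last two steps, sketched as an added Python example (not 8x8's own code): it validates the code the user typed before placing it in the verification URL from the curl template, and grants access only when the reply parses, carries the uid stored for this login, and reports VERIFIED. The function names, the code-format rule and the sample replies are assumptions constructed for illustration.

```python
import json
import re
import uuid
from urllib.parse import quote, urlencode

API_BASE = "https://api.wavecell.com/verify/v1"  # base URL from the curl templates above
# Assumption: accept only what the Features table allows (3-10 characters),
# limited here to digits, letters and dash, before the value reaches a URL.
CODE_RE = re.compile(r"[A-Za-z0-9-]{3,10}")


def build_verify_url(subaccount_id: str, uid: str, user_code: str) -> str:
    """Build the GET URL for the verification call from untrusted input."""
    if not CODE_RE.fullmatch(user_code):
        raise ValueError("code has an unexpected format")
    uid = str(uuid.UUID(uid))  # raises ValueError unless uid is a well-formed UUID
    path = f"{API_BASE}/{quote(subaccount_id, safe='')}/{uid}"
    return f"{path}?{urlencode({'code': user_code})}"


def is_verified(response_body: str, expected_uid: str) -> bool:
    """Fail closed: True only for a well-formed reply for this login's uid."""
    try:
        reply = json.loads(response_body)
    except ValueError:
        return False  # error page, truncated body, anything that is not JSON
    if not isinstance(reply, dict):
        return False
    # The reply must belong to the request stored in this login session.
    if reply.get("uid") != expected_uid:
        return False
    return reply.get("status") == "VERIFIED"


# Constructed sample replies, modelled on the response shown above.
UID = "c96a488d-5704-459e-9dee-3dd8138b3a52"
SAMPLE_OK = json.dumps({"uid": UID, "msisdn": 6598765432, "status": "VERIFIED", "attempt": 0})
SAMPLE_OTHER_UID = json.dumps({"uid": "00000000-0000-4000-8000-000000000000", "status": "VERIFIED"})
# Placeholder status value; the page does not list the non-verified statuses.
SAMPLE_NOT_VERIFIED = json.dumps({"uid": UID, "status": "PLACEHOLDER_NOT_VERIFIED"})

if __name__ == "__main__":
    print(build_verify_url("amazing_hq", UID, "7085"))
    for body in (SAMPLE_OK, SAMPLE_OTHER_UID, SAMPLE_NOT_VERIFIED, "<html>502</html>"):
        print(is_verified(body, UID))
```

Keep the API key out of source code as well, for instance by reading it from the environment or a secrets store when building the Authorization header.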