Security is one of the biggest concerns when creating new applications, and there are many tools out there to make authentication and authorization secure and easy to implement. Here are a few services I have used in the past to help with secure login.
There are more advanced systems you can put into place to make login even more secure. Multi-Factor and Two-factor authentication are two of these techniques where extra pieces of evidence (factors) are presented by the user to verify they are authorized to use a mobile application or website. These extra factors could be:
- knowledge (something only the user knows) i.e. security questions
- possession (a device only the user would have) i.e. one time sms verification code
- inherent (something about the user) i.e fingerprint scan, face recognition
- location based (about the users location) i.e. access to some filesystems from certain networks or terminals
The Ups:
An extra layer of security helps prevent against users from an unknown person trying to access their data. Short expiration times for sms codes, or tokens and codes only generated on a user request means hackers or scammers are going to have a tougher time access a user’s data.
The Downs:
Any device can be lost or stolen and would be able to potentially access a user’s account. Phone batteries die, or not have network coverage in many areas. Generally account recovery procedures do not require two-factor authentication and may be vulnerable as well.
Let’s Add SMS-Verification to a our Node.js projects
Twilio has a great API we can connect to our Node.js application to add phone verification quickly and easily.
The process is broken down into four steps
- Sign up for Twilio ( they have a free tier if you are working on a personal project )
- Add dependencies and Twilio account information to your project
- Send our first SMS phone verification
- Use verification codes to sign in
Signing Up
Signing up for a Twilio account is easy and can be done for free (to start) here. They verify your email and phone number(which will be used for development and testing) and get you started with a trial balance after asking you some questions about you as a developer.
Add Dependencies
You’ll need to add the Twilio package to the project using npm i twilio
We will store our Twilio accoung information in a .env file so users and other developers can’t see our account information. From the Twilio console you are going to need to put you TWILIO_ACCOUNT_SID TWILIO_AUTH_TOKEN and VERIFICATION_SID into your .env file
Making a call to the Twilio service
** This isn’t going to work with all applications, but these three snippets should help you in getting set up**
First we need to require Twilio in the file we are going to make the verification request from:
//if you named your env variables differently then I did above make
//sure they match const twilio = require('twilio')(TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN);
Next when we get a route we are going to execute an async method to create the verification in Twilio.
We check if our user’s role has access to the content we’re protecting and if we don’t we create a channel variable to house their preferred method of verification (phone call or sms).
We then make a call to the twilio verify services and pass our VERIFICATION_SID and create a verification to send to the phoneNumber our user provided via the channel they preferred.
The user received a verification and we send them to a page to accept the verification code as input.
When we the function to handle the verification results we handle it in a similar way.
We get the code in the request use the twilio.verify.services function to create a verificationResult.
This verificationResult will have a status attribute with a value of either ‘approved’ or ‘pending’
Approved means the user delivered the correct code and should be allowed to see the protected content. Pending on the other hand means they either input the wrong code or are not the user and should be denied access.
The Gist
Twilio was easy to get up and running in the capacity I needed it for and does have a quickstart codebase for several languages to see how it is working and have something you can test in a matter of minutes.
The triale tier allows you to have verified numbers that you can send unlimited messages to for testing purposes, and includes a trial account heading at the top of the message. If you want to take it into a production application you are going to have to upgrade your account.
The docs are well-written and concise and provide many examples and snippets to help you along. There are also several other apis to take advantage of for continuous two-factor authentication, lead alerts for sales people in the field, and a few others.
Happy Hacking!
Resources:
Connect with Me:
