Authy phone verification: does API prevent too many guesses? - twilio

We're building integration with Twilio's Authy phone verification API at the moment.
The docs don't specifically say what happens in the case that a malicious user sends lots of guesses to the verification/check endpoint while trying to verify the SMS code.
I assume Authy must have something in place to prevent this, but it's not explicitly stated and I'm wondering if we need to build in some protection (e.g. guess-counter limit) in our own API integration code.

Twilio developer evangelist here.
There is a limit built into Authy for phone verification. There is a maximum of 5 attempts per verification code, to avoid brute forcing the code.
I'm trying to find out why this isn't documented, but in the meantime you should not have to build out protections yourself.
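The asker mentions a guess-counter limit as the protection they might build on their own side. As an added example (not Twilio's or Authy's code, and not from either post), this is what such a server-side limit looks like for a self-hosted SMS verification check: every call to the check endpoint counts as an attempt, the code is burned after the same five attempts the answer above quotes for Authy, the comparison is constant-time, and the code expires and is single-use. The store, the server key, the ten-minute TTL, the message text and the `send_sms` callback are all assumptions for the example; `+15005550006` is only used because the page already cites it as Twilio's test number.

```python
import hashlib
import hmac
import secrets
import time

# Added example: a server-side guess limit for a self-hosted SMS verification
# check endpoint. Not Twilio/Authy code; it mirrors the 5-attempt ceiling the
# Authy answer describes so the integration keeps the same defence locally.

MAX_ATTEMPTS = 5            # attempts allowed per issued code (Authy's figure)
CODE_TTL_SECONDS = 10 * 60  # constructed value; pick what your UX needs
CODE_DIGITS = 6

# Constructed server-side key. In production load it from a secrets manager.
# It keeps a leaked table of digests from being reversed by a brute-force
# pass over the 10**6 possible codes.
SERVER_KEY = b"example-only-server-key-rotate-me"


def _digest(phone: str, code: str) -> bytes:
    """HMAC over phone and code so a digest is bound to one phone number."""
    return hmac.new(SERVER_KEY, f"{phone}:{code}".encode(), hashlib.sha256).digest()


def _new_code() -> str:
    # secrets, not random: the code is an authentication secret.
    return "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))


class VerificationStore:
    """Tracks one pending code per phone number.

    An in-memory dict for the example; a real service keeps the same three
    fields (digest, expires, attempts) in a database or Redis and makes the
    attempt increment atomic so concurrent guesses cannot bypass the cap.
    """

    def __init__(self, now=time.time):
        self._now = now          # injectable clock, so expiry can be tested
        self._pending = {}       # phone -> {"digest", "expires", "attempts"}

    def start(self, phone: str, send_sms) -> None:
        """Issue a fresh code and hand the message to the SMS sender callback.

        A new code replaces any pending one and resets the attempt counter,
        so this endpoint itself needs rate limiting (per phone and per client
        IP) in a real deployment.
        """
        code = _new_code()
        self._pending[phone] = {
            "digest": _digest(phone, code),
            "expires": self._now() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        send_sms(phone, f"Your verification code is {code}")

    def check(self, phone: str, guess: str) -> str:
        """Return 'ok', 'invalid', 'locked', 'expired' or 'no_pending'.

        Every call counts as an attempt, correct or not, and the code is
        discarded as soon as it is accepted, exhausted or expired.
        """
        entry = self._pending.get(phone)
        if entry is None:
            return "no_pending"
        if self._now() > entry["expires"]:
            del self._pending[phone]
            return "expired"
        entry["attempts"] += 1
        # compare_digest is constant-time: no early exit on the first wrong byte
        if hmac.compare_digest(entry["digest"], _digest(phone, guess)):
            del self._pending[phone]
            return "ok"
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self._pending[phone]   # burn the code; the user must request a new one
            return "locked"
        return "invalid"


if __name__ == "__main__":
    # Constructed walk-through using the Twilio test number cited on this page.
    outbox = []
    store = VerificationStore()
    store.start("+15005550006", lambda to, body: outbox.append((to, body)))
    real_code = outbox[-1][1].split()[-1]
    wrong_code = "111111" if real_code == "000000" else "000000"
    for attempt in range(1, MAX_ATTEMPTS + 1):
        print(attempt, store.check("+15005550006", wrong_code))
    print("after lockout, even the real code:", store.check("+15005550006", real_code))
```

The fifth wrong guess returns `locked` and deletes the pending code, so a later correct guess gets `no_pending` rather than `ok`; the attacker is forced back to the start endpoint, which is where per-phone and per-IP rate limiting belongs.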

Related

Multiple Ways Verifying Phone with Twilio's Authy

I'm confused on how exactly to verify a phone with Authy.
I have a C#/MVC view that accepts a country code and phone number and I call AuthyClient.RegisterUser and that works fine. I store the AuthyId that comes back.
I then call AuthyClient.SendSms with force=true. <--- does this send them a verification code?
My test user didn't even enter a code on my site and in Twilio, he's showing as verified. Is that because he opened up the Authy app after getting registered?
Are there multiple ways to verify a phone then?
Twilio developer evangelist here.
The API requests you are making here, starting with the call to AuthyClient.RegisterUser is actually the way that you perform two factor authentication with the Authy APIs.
To verify a phone with Authy you only need to make two API calls. The first sends a verification code and the second requires the user to input the code they received and then verifies it.
I can see you're using the authy.net library, which is sadly archived on GitHub now because it wasn't kept up to date. I'm not a .NET developer, but from what I can see in the codebase it didn't support the Verify endpoints. For this reason, I'd recommend you construct the HTTP requests yourself.
Take a read through the Verify documentation, it has all the URLs you need to make requests to including the required parameters. Let me know how you get on with that.

Twilio calls integration to ios app without server app

This must be a silly question, but is there any way to make calls between two iOS apps without the server app mentioned in the Twilio tutorials? Please tell me what the server app does, and is there any way to perform such tasks on the front end instead?
Twilio developer evangelist here.
The server is required to generate an access token for your users to get access to the Twilio service.
You also need to host some TwiML to tell Twilio what to do with calls when you make them.
If you are not interested in running a server, however, you are in luck. Just recently, Twilio launched Functions, a serverless environment for you to deploy code to. With a Twilio Function, you can use Node.js to generate your access tokens for your users and you won't have to host the code yourself, it will all be on the Twilio platform.
Check out Twilio Functions in your console and take a look at the Node.js quickstart application for the iOS Twilio Programmable Voice SDK which should give you an idea of how to use Node for your application within Functions. I'm sure there'll be tutorials and blog posts coming out. Also, check out this video on how to create access tokens for your apps with Twilio Functions.
Let me know if that helps at all.

Is +15005550006 the only phone number you can buy using test credentials?

For testing Twilio applications, Twilio provides test credentials. You are allowed to buy phone numbers through the API without being charged to your actual account. My application requires that I be able to buy multiple phone numbers. I would like to do this with test credentials.
However, per this documentation page, it seems like the only phone number you can buy is +15005550006. I tried buying other phone numbers, but I keep getting an exception that states that the phone number I'm trying to buy "...is not available."
Is it really the case that only that one number can be bought?
Twilio developer evangelist here.
Test credentials are for making sure your HTTP calls are being made correctly, they just mock the results of the API so you can make practice calls to it. The idea with test credentials is that if the API call to the fake number works, then your code will work in production.
The test credentials also cause Twilio to return special results for certain resources. For example, you can try to buy the number +15005550001 and it will tell you that the number is invalid. You can see the special examples here: https://www.twilio.com/docs/api/rest/test-credentials#test-incoming-phone-numbers-parameters-PhoneNumber
If you need to actually buy numbers with your account to build your application with, you'll need to use your live credentials. If your app is successful purchasing +15005550006 then you can be sure that switching out to real credentials will work.

how to verify short verification code received from twilio

In my app the user needs to verify his phone number to complete the registration process. This means that when the user tries to register with a phone number, a verification code will be sent to his device; on entering the code, the app should allow him to register. For this I am using Twilio as the SMS gateway. Does anybody have sample code, so that I can go through the code to check how this process is going to be initiated?
Twilio developer evangelist here. There are a variety of blog posts that show you how to accomplish this around the Internet. For example:
A phone verification system with PHP and MySQL
Phone verification with Ruby and Rails
Phone verification using JavaScript and Parse
Or, if you want something even easier, Authy is a service that handles all the verification you need through just a few API calls.
Hope this helps.

Using Twilio to send pre-filled message from iOS handset instead of asking user to enter code?

I've seen several applications that use Twilio for SMS verification go from:
Sending the user a 4-5 digit code to enter on their handset
to
Pre-filling a 32+ character SMS message that the user sends from their device to the service's Twilio number.
Is there any documentation out there on how to implement an approach like this?
Twilio evangelist here.
It sounds like you're asking two different questions, one regarding two-factor authentication and one regarding auto-creating an SMS message on the device for the user to send to Twilio.
If I've got that correct, then I'd start by working through the Two-Factor Authentication How To article that walks through setting up SMS-based two-factor authentication.
Another resource to check out is the Add Two-Factor Authentication to your Website with Google Authenticator and Twilio SMS blog post.
As far as generating a text message on a device, I think that is going to greatly depend on what kind of mobile device you are targeting.
Hope that helps.
