Tags: ios, twilio, two-factor-authentication, authy

Twilio / Authy API for 2 Factor Authentication in iOS?


I have been digging into the documentation of Twilio and Authy to accomplish the task of adding 2FA in an iOS app.

Yet despite the alleged simplicity of these platforms, I have been unable to find any sample project or documentation that illustrates how to implement 2FA in an iOS app; all of the examples are for web apps, WordPress sites, etc.!

The closest I have found (which still requires creating a SQL database etc) is this one: https://www.twilio.com/blog/2015/01/mobile-passwordless-sms-authentication-part-1-building-the-api-with-laravel-and-twilio.html

My question is this: what is the simplest way to add 2FA to an app? If it is Twilio / Authy, can anyone point me in the direction of a sample project or some documentation that best illustrates this task?

Thanks in advance!


Solution

  • If you want to enable 2FA with Authy for a user from your iOS app, you simply need to send a request with the user's email and phone number from the mobile app to your web app. From there, it's easy to enable the user in Authy (using authy-ruby in this example):

    require 'authy'
    Authy.api_key = ENV.fetch('AUTHY_API_KEY')   # server-side secret; never shipped in the app

    user = Authy::API.register_user(:email => 'foo@example.com', :cellphone => "123-456-7890", :country_code => "1")
    # Check user.ok? (user.errors explains a failure), then store user.id, associating it with the user record.
    

    At this point, the user is registered in Authy. If he uses the Authy mobile app, he'll be able to see the new account in the list. Otherwise you can request an SMS (from your web app) to the user whenever you request a token for 2FA:

    response = Authy::API.request_sms(:id => user.authy_id)   # response.ok? is true when the SMS was sent
    

    Then you should collect the token from your mobile app, send it to your server and from there verify the token with Authy:

    response = Authy::API.verify(:id => user.authy_id, :token => 'token-user-entered')   # grant 2FA only if response.ok?
    

    For security reasons this is the right way to do it, as you need to keep your Authy api_key secure; if you include it in a mobile app, it can easily be decompiled to extract it and someone could abuse your account.