Note: if you use Auth0 MFA, please take a look at this blog post on how to use Twilio Verify with Auth0 MFA.
Auth0 supports passwordless login via either SMS or email. By default, Auth0 uses the Twilio Programmable Messaging API to send the OTP via SMS. However, Auth0 also allows you to set up a custom SMS gateway for passwordless login. This project will show you how to set up Auth0 to use Twilio Verify for passwordless login.
Twilio Verify is a dedicated, fully managed, turn-key omnichannel verification solution. It has the following features:
RATELIMIT_KEY to the name you chose. Please follow this link to create a new Verify service. Note down the Verify service SID, a long string starting with VA (VAxxxxxxxxx......). Please contact Twilio Sales to enable the custom code feature for the above Verify service.
Twilio Functions is a serverless environment that empowers developers to quickly and easily create production-grade, event-driven Twilio applications that scale with their businesses.
Variable | Value |
---|---|
VERIFY_SID | VAxxxxxxxxx (the Verify service that you created in the previous steps) |
RATELIMIT_KEY | ip_and_phone |
In order to benefit from Twilio Verify Fraud Guard, you must call the Twilio Verify Feedback API to update the OTP status.
Please note, when calling the Verify Feedback API, you can use either the Verification SID or the user's phone number to update the status:
Using the phone number in E.164 format:

```bash
# Mark the pending verification for this phone number as approved
curl -X POST "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications/+4478xxx" \
  --data-urlencode "Status=approved" \
  -u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN"
```

Or using the Verification SID:

```bash
# Same update, addressed by the Verification SID (VE...) returned when the OTP was sent
curl -X POST "https://verify.twilio.com/v2/Services/VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/Verifications/VEXXX..." \
  --data-urlencode "Status=approved" \
  -u "$TWILIO_ACCOUNT_SID:$TWILIO_AUTH_TOKEN"
```
Please follow this instruction to create a custom log stream using a webhook. Please note, you will need to create another Twilio Function (acting as the webhook receiver) and use it to receive the webhook calls from the Auth0 log stream. The Payload URL of the custom log stream will be the Twilio Function URL.
The Twilio Function will receive the webhook call from the Auth0 log stream and parse the payload (for example, the successful login event and the phone number used for login), then call the Verify Feedback API. For example, if you use Auth0 passwordless login and then issue an access token, you can capture the event "Success Exchange Token Exchange", which indicates a successful login with the OTP, and then call the Twilio Verify Feedback API (you only need to call the Verify Feedback API for successful login events). If you are not sure, you can always check which log events are triggered for a successful login with the OTP and then use them as the triggers to call the Verify Feedback API.
Please follow this instruction to enable Verify Fraud Guard. It is extremely important that you use the Verify Feedback API and enable the Fraud Guard feature when using Auth0 passwordless login. We have seen many SMS pumping victims, so you have been warned.
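One way to write that webhook receiver, as an added example that is not part of this project's code. It assumes the Auth0 log stream delivers a JSON array of log entries shaped `{log_id, data: {description, user_name}}`, that a successful OTP login has a description starting with "Success Exchange", that the passwordless user's E.164 phone number is carried in `data.user_name`, and that `VERIFY_SID` is a Function environment variable; only well-formed phone numbers are forwarded to the Feedback API.

```javascript
// Added example (not the project's own code): Twilio Function that receives the
// Auth0 log stream webhook and reports successful OTP logins to Verify Feedback.
// Assumptions: body is an array of {log_id, data:{description, user_name}} entries,
// the login phone number is in data.user_name (E.164), VERIFY_SID is an env variable.
const E164 = /^\+[1-9]\d{1,14}$/;
const TRIGGER = 'Success Exchange'; // assumed description prefix of the login-success event

// Pure step: unique, well-formed phone numbers of successful logins in one batch.
// Entries without the trigger description, or without a valid E.164 number, are skipped
// so that nothing unexpected from the webhook body is passed on to Verify.
function successfulLoginPhones(entries) {
  const phones = new Set();
  for (const entry of entries) {
    const data = entry && entry.data;
    if (!data || typeof data.description !== 'string') continue;
    if (!data.description.startsWith(TRIGGER)) continue;
    if (typeof data.user_name === 'string' && E164.test(data.user_name)) {
      phones.add(data.user_name);
    }
  }
  return [...phones];
}

// Webhook entry point. Twilio parses the JSON body into `event`; a top-level array
// may arrive as an object with numeric keys, so both shapes are accepted (assumption).
async function handler(context, event, callback) {
  const entries = Array.isArray(event) ? event : Object.values(event);
  const client = context.getTwilioClient();
  const service = client.verify.v2.services(context.VERIFY_SID);
  let approved = 0;
  for (const phone of successfulLoginPhones(entries)) {
    try {
      // Feedback API call: mark the verification for this number as approved.
      await service.verifications(phone).update({ status: 'approved' });
      approved += 1;
    } catch (err) {
      // One failed update must not stop feedback for the rest of the batch.
      console.error(`feedback update failed for ${phone}: ${err.message}`);
    }
  }
  const result = { approved };
  if (callback) callback(null, result);
  return result;
}

if (typeof exports !== 'undefined') exports.handler = handler; // Twilio Functions entry point
```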