Getting started with Twilio account security using Node.js and MongoDB

A guide to adding two-factor authentication (2FA) to your applications.

2 token authentication locks
Thinkstock

One of the first considerations for developers building mobile and web apps is how to handle account security, namely how they’re going to protect and authenticate their users and their data. The days where a username and password was sufficient to protect accounts are long behind us, and we’re reminded of this nearly every day in the form of large-scale breaches, high-profile account takeovers, or massive digital heists.

Adding stronger account security such as two-factor authentication (2FA) to your app is one of the simplest ways to increase security, protect users from cyberattacks, and build trust in your product, all while maintaining a smooth user experience.

This quick-start guides you through building a Node.js, AngularJS, and MongoDB application that restricts access to a URL. I’ll be demonstrating four methods of delivering 2FA: SMS, Voice, Soft Tokens and Push Notifications.

As with my previous tutorials, the first step is to create a free Twilio account if you haven’t already. If you have an existing Twilio account, simply sign in.

Create a new account security application

Once you are logged in, click through to the Account Security Console. Click the red plus (+) button to create a new Account Security application, and name it something memorable. You’ll automatically be transported to the Settings page next. Click the eyeball icon to reveal your Production API Key.

api key account security Twilio
Twilio

Copy your Production API Key to a safe place; you will use it during application setup.

Install and launch MongoDB

When a user registers with your application, a request is made to Twilio to add that user to your App, and a user_idis returned. In this demo, we’ll store the returned user_id in a MongoDB database.

Instructions for installing MongoDB vary by platform. Follow the instructions you need to install locally.

After installing, launch MongoDB. For Unix, Linux, and MacOS, this may be as easy as mongod.

Setup Authy on your device

This two-Factor authentication two channels which require an installed Authy Client to test: Soft Tokens and Push Notifications. While SMS and Voice channels will work without the client, to try out all four authentication channels download and install Authy Client for Desktop or Mobile:

Clone and setup the application

Clone our Node.js repository locally, then enter the directory. Install all of the necessary node modules:

npm install

Next, open the file .env.example. There, edit the ACCOUNT_SECURITY_API_KEY, pasting in the API Key from the above step (in the console), and save the file as .env.

Add your application API key

Enter the API Key from the Account Security console and optionally change the port.

export ACCOUNT_SECURITY_API_KEY=’ENTER_SECRET_HERE’
export PORT=1337

Once you have added your API Key, you are ready to run! Launch Node with:

node.

If MongoDB is running and your API Key is correct, you should get a message your new app is running!

Try the Node.js two-factor demo

With your phone (optionally with the Authy client installed) nearby, open a new browser tab and navigate to http://localhost:1337/register/.

Enter your information and create a password, then press Register. Your information is passed to Twilio (you will be able to see your user immediately in the console), and the application is returned as user_id.

Now visit http://localhost:1337/login/ and log in. You’ll be presented with the following screen:

two factor auth channels Twilio

If your phone has the Authy Client installed, you can immediately enter a soft token from the client to Verify. Additionally, you can try a push notification simply by pushing the labeled button.

If you do not have Authy installed, the SMS and Voice channels will also work in providing a token. To try different channels, you can log out to start the process again.

Try out more channels for 2FA

Twilio’s 2FA supports time-based one time password (TOTP) delivery over four channels: SMS and Voice for all devices, as well as Soft Token and Push Notifications for users of the Authy Client or our Authentication SDK.

I’d like to highlight the Controller so you can see just how to use some of the authentication channels. In Users.js, I demonstrate how to send a push notification to a user with the Authy client installed (push notifications are also available if you integrate our mobile SDK).

Using Push Notifications is one of the most reliable ways to authenticate users and their requests. Because you can simply send an approve/deny request via Push, you can even add extra security to high-risk transactions such as depositing or withdrawing large sums, password requests, and the addition of other users to the same account.

code table 1 Twilio
code table 2 Twilio

I also highlight the ability to send TOTPs through other channels. By default, when requesting a Password via the Voice or SMS channel, Twilio will automatically upgrade your request to a Push Notification if possible. Here’s how to request a TOTP over Voice:

code table 3 Twilio

Note again, by default, all the requests for authentication you send are forward compatible with push notifications. This means that unless you override the logic to force voice or SMS delivery (through the API or the Account Security console), users with the Authy Client will receive a Push Notification request on their device instead of the original channel.

And with that, 2FA is turned on and your Node.js app is protected!

What’s next?

Now that you’re familiar with how to implement 2FA in this sample application, you can find all of the detailed descriptions for options and API calls in Twilio’s Two-Factor Authentication API Reference. If you’re building a registration flow, also check out the Phone Verification and Phone Lookup API.

For additional guides and tutorials on account security and other products, take a look at the Docs, or check out Twilio’s past posts in our Enterprise Developer Education column:

This article is published as part of the IDG Contributor Network. Want to Join?