How to create a secure OTP service with Twilio Verify and Python

David Oden
6 min read · Jan 16, 2022

A simple approach to building a one-time password (OTP) service for your application.

What are OTPs about?

Cybersecurity is critical, as has been said many times, and passwords play a significant role in it.

A one-time password (OTP), sometimes called a dynamic password, is a string of randomly generated letters or digits that is used only once, during a single login or transaction, to authenticate a user. The account holder receives the OTP via SMS, email, or voice message, and a generated OTP is only valid for a limited time.

Because a one-time password is valid for a single use, it is not as vulnerable as a static password: it cannot be replayed by anyone, including an unauthorized party who intercepts it, which eliminates the risk of PIN code theft.

The problem with static passwords

Static passwords, together with the email address or phone number they belong to, are recorded in a database. If an attacker compromises the password service's database, the security of every application relying on it is jeopardized, because the attacker can simply add a password entry against any email address or phone number in the database. The attacker also gains easy access to a large number of customers' email addresses and phone numbers, exposing those users to further attacks.

OTP systems address the limitations of static passwords by adding a second security credential, a temporary one-time password, to protect network access and end users' digital identities. This extra layer makes it harder to gain unauthorized access to information, networks, or online accounts.

What to expect from this article

In this tutorial you will learn how to create a Twilio Verify service and use it to send and verify OTP codes over SMS. Even if you are not a programmer, or do not use Python, stick around: this approach is very beginner friendly.

Requirements to get started

To get started with this tutorial you will need:

  • Python 3 — If you do not have it installed already, go to python.org to download an installer.
  • An activated Twilio account, which comes with a free $10 of credit.

Twilio Verify configuration

Once you have created and activated your Twilio account you will be redirected to your dashboard. Navigate to the Verify > Try it out section of the console and click it to create a new Verify service. The name you enter is used in the message template sent via SMS, but it can be changed later. Click Create Service and ignore steps 2 and 3.

Navigate to the Verify > Services section to view your newly created service and click on it. Here you can change settings such as the length of the code to be sent and the delivery channels. For this tutorial we use the default length of 6; make sure the SMS channel is enabled.

Create a python environment

Now we are ready to start coding. We begin by creating a new directory where all the files the application needs will be saved, then we create a Python virtual environment by running the commands below in a terminal (Command Prompt or PowerShell on Windows).

For Mac and Linux users

mkdir OTP-APP
cd OTP-APP
python3 -m venv venv
source venv/bin/activate

For Windows users

md OTP-APP
cd OTP-APP
python -m venv venv
venv\Scripts\activate

Once this is done the prompt should indicate that we are now in a virtual environment (venv), and we can go ahead and install our only dependency.

(venv) $ pip install twilio

Build an OTP application

To get started we create a client. A client is what connects us to the Verify service we just created; it needs your Account SID and Auth Token, both of which can be found in your account console. These are secrets, so rather than hard-coding them we store them in environment variables, which keeps them out of the source code and away from anyone who has access to it. One of the easiest ways to do this is to create a .env file in our directory containing two variables.

TWILIO_ACCOUNT_SID="your-twilio-account-sid"
TWILIO_AUTH_TOKEN="your-twilio-auth-token"

Once this is done we create a Python file, verify.py, for our application and create a client within it. You can name the file whatever you choose.

Once the client has been created we take the phone number as a string and start a verification through the SMS channel. We also need to provide the SID of the Verify service we want to use.

This makes Twilio connect to your account, generate a 6-digit code as configured in our service, and send it by SMS to the provided phone number. Note that you can also supply your own code with the custom_code parameter (see the Twilio docs). The verification.status attribute returns one of pending, approved, or canceled. At this point you should grab the phone and check for your code.

As the screenshot above shows, the verification message includes my Verify service name, OdenVerify, which can be changed in your console.

To verify this code, let's create another Python file; let's name this one verify_check.py.

We initialize a client as before, using our Twilio Account SID and Auth Token. Then we create a verification check by providing the service SID, the phone number on which we received the code, and the code itself. A verification check is carried out and verification_check.status returns one of pending, approved, or canceled. If everything was done correctly, the string approved is returned. You can also look at your Verify service logs in the console to see the status of your requests.
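The two scripts described above (verify.py sending the code, verify_check.py checking it), as one added example that is not the article's own code. It assumes the Verify service SID is stored in .env as TWILIO_VERIFY_SERVICE_SID alongside the two variables from the article, and that `client` is a twilio.rest.Client; the FakeVerifyClient is a constructed in-memory stand-in that mimics the status values and the 404 response described on Twilio's side so the flow can be exercised without an account. The .env reader is deliberately minimal so no extra dependency is needed.

```python
"""Send and check a Twilio Verify OTP over SMS (added example, not the article's
verify.py / verify_check.py). Assumes the Verify service SID is kept in .env as
TWILIO_VERIFY_SERVICE_SID and `client` is a twilio.rest.Client (or the
FakeVerifyClient test double below)."""
import os
import re
import sys
from pathlib import Path
from types import SimpleNamespace

try:
    from twilio.base.exceptions import TwilioRestException
except ImportError:  # twilio not installed: stand-in with the same .status attribute
    class TwilioRestException(Exception):
        def __init__(self, status, uri, msg=""):
            super().__init__(msg)
            self.status = status

E164 = re.compile(r"^\+[1-9]\d{1,14}$")

def parse_dotenv(text):
    """Parse KEY=value or KEY="value" lines; blank lines and # comments are ignored."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values

def load_dotenv(path=".env"):
    """Export .env values into os.environ without overriding real variables."""
    for key, value in parse_dotenv(Path(path).read_text(encoding="utf-8")).items():
        os.environ.setdefault(key, value)

def normalize_phone(number):
    """Strip formatting and insist on E.164 before the number is handed to Twilio."""
    candidate = re.sub(r"[\s\-().]", "", number)
    if not E164.match(candidate):
        raise ValueError(f"not an E.164 phone number: {number!r}")
    return candidate

def start_verification(client, service_sid, phone):
    """Ask Verify to generate and SMS a code; returns its status ("pending" on success)."""
    verification = client.verify.v2.services(service_sid).verifications.create(
        to=normalize_phone(phone), channel="sms")
    return verification.status

def check_verification(client, service_sid, phone, code):
    """True only for status "approved". A wrong code leaves the status "pending";
    an expired or already-approved verification makes Twilio answer 404."""
    if not re.fullmatch(r"\d{6}", code):  # the service's default code length
        return False
    try:
        check = client.verify.v2.services(service_sid).verification_checks.create(
            to=normalize_phone(phone), code=code)
    except TwilioRestException as exc:
        if exc.status == 404:  # no pending verification for this number
            return False
        raise
    return check.status == "approved"

class FakeVerifyClient:
    """Constructed stand-in mimicking Verify's visible behaviour, no SMS sent."""

    def __init__(self, code="123456"):
        self.code, self.pending = code, set()
        self.verify = SimpleNamespace(v2=SimpleNamespace(services=self._services))

    def _services(self, service_sid):
        return SimpleNamespace(
            verifications=SimpleNamespace(create=self._send),
            verification_checks=SimpleNamespace(create=self._check))

    def _send(self, to, channel):
        self.pending.add(to)
        return SimpleNamespace(status="pending")

    def _check(self, to, code):
        if to not in self.pending:
            raise TwilioRestException(404, "/VerificationCheck", "no pending verification")
        if code != self.code:
            return SimpleNamespace(status="pending")
        self.pending.discard(to)
        return SimpleNamespace(status="approved")

if __name__ == "__main__":  # usage: python verify_otp.py +15555550100 (placeholder number)
    from twilio.rest import Client  # pip install twilio
    load_dotenv()
    client = Client(os.environ["TWILIO_ACCOUNT_SID"], os.environ["TWILIO_AUTH_TOKEN"])
    service, phone = os.environ["TWILIO_VERIFY_SERVICE_SID"], sys.argv[1]
    print("sent:", start_verification(client, service, phone))
    print("approved:", check_verification(client, service, phone, input("code from SMS: ")))
```

Two choices matter for the security of the flow: the phone number is validated as E.164 before it reaches Twilio, so a malformed or unexpected string never becomes an SMS destination, and the check accepts only the exact string "approved", treating "pending", "canceled" and the 404 for an expired (Verify codes live for 10 minutes) or already-used verification as failures. Twilio additionally caps the number of check attempts per verification on its side.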

Putting it all together

So far we have created our Twilio Verify service and used our account credentials to send and verify OTP codes over SMS, but it really isn't convenient to edit the source code each time we want to run the application.

Although building the GUI application is outside the scope of this article, I will provide a link to the GitHub repository where you can find the full source code to try out. The application is built with Python's built-in tkinter library, which you can get started with here. The application looks like this:

The first step asks you to select the country in which your phone number is registered, which fills in the dial code; you then enter your phone number and request an OTP.

The application then takes this number and starts a verification by sending a code to it.

The code is entered as shown above. At this point a verification check is carried out and approved is returned.

Conclusion

The Twilio Verify service is an incredibly easy and adaptable way of verifying that your customers control the phone numbers they give you, and as we have seen it integrates nicely with Python.

Additional Resources


David Oden

Machine Learning Engineering | Data Science | Technical Writing