One time password authentication using Nodejs, passwordless and Twilio

One time password is a high demand authentication functionality in today's time while login into the system, making some transaction or taking some high risk action in the system. It provides an additional security in our application. Passwords can be hacked or guessed that depends on the password security policy of your website. However, the one time password give you a password in your email or your mobile number which can be used one time only and is valid for few minutes. Messages sent to your mobile numbers are secured in a way that you can only see them in your mobile.

Implementing one time password is really simple in Nodejs by using Passwordless and Twilio node packages. Please follow the below steps which will setup your webpage where you can enter your mobile number and then you will receive a 6 digit OTP in your own mobile number. Then you can verify the same and if verified then redirected to the login page.

Create an account in Twilio

Goto and create an account by signing up. After this you will be logged in to twilio.

How Twilio works

There is an official description of how Twilio works:

Visit the Twilio's getting started page

Once you login, go to this url

In the above page there is a step-by-step demo to create a phone number and send a test sms.
- Note down this phone number.

Note the API credentials

On the same page, click on "Show API credentials" on the right side of the page and note down the these two parameters - Account SID and AUTH Token

Install mongodb in your system (if not already installed).

If you have setup the mongodb without authentication, then your connection string will simply be -
Replace <port> with your mongodb port (typically 27017).

If you have setup mongodb with authentication, then your connection string will be -

Replace <port> with mongodb port.
Replace <dbUserId> with mongodb database user id.
Replace <dbPassword> with mongodb database password.

Clone the passwordless example demo Github repo

Clone the following github repo into your system

Edit the source code

Open the app.js in your favourite editor and edit the below lines:

Find this lines
accountSid = 'TWILIO_SID' 
and replace the TWILIO_SID with your Account SID which you have noted down before.

Now, find this line
and replace the TWILIO_AUTH_TOKEN with the AUTH Token you noted down before.

Now, find this line 
and replace the TWILIO_NUMBER with the phone number you noted down before.

Now, find this line
db = 'mongodb://localhost/passwordless-sms';
and replace this mongodb connection string with the connection string you made earlier.

Generating 6 digit OTP

Open nodejs console and go the github repository directory in your system. Execute the below command in console

npm install random-js --save

Open the app.js again find the below function

tokenAlgorithm: function() {
 // custom token generator
 // short random token generator, enough to fit into single SMS
 return '12345'

and replace this function with below line of code:

tokenAlgorithm: function() {
 var random = new Random(Random.engines.mt19937().autoSeed());
 var value = random.integer(100000, 999999);
 return value.toString();

Running our app to test

In node console execute the command
node app.js

Open the browser and enter this URL

Type your mobile number with country code. You will receive a 6 digit OTP in your mobile number. Then in next page enter that 6 digit OTP and you will be logged in.

Note : You should also code out the token timeout functionality. When passwordless saves a token in mongodb, its timestamp is also saved. So, while OTP verification, you should get that timestamp and check if it is within range of our timeout setting and throw exception otherwise.