
One time password authentication using Nodejs, passwordless and Twilio



A one time password (OTP) is in high demand today as an authentication step when logging into a system, making a transaction or taking some other high-risk action. It adds a second layer of security to an application. Passwords can be stolen or guessed, depending on the password policy of your website, whereas a one time password is delivered to your email or mobile number, can be used only once and is valid for only a few minutes. A message sent to your mobile number can only be read on that phone.

Implementing a one time password flow is straightforward in Node.js using the passwordless and twilio packages. Follow the steps below to set up a web page where you enter your mobile number, receive a 6 digit OTP on that number, enter it for verification and, if it is verified, are redirected to the login page.

Create an account in Twilio

Go to twilio.com and sign up for an account. After this you will be logged in to Twilio.

How Twilio works

There is an official description of how Twilio works:


Visit Twilio's getting started page

Once you log in, go to this URL
https://www.twilio.com/console/sms/getting-started/basics

The above page has a step-by-step demo to create a phone number and send a test SMS.
- Note down this phone number.

Note the API credentials

On the same page, click "Show API credentials" on the right side and note down these two parameters: Account SID and Auth Token.


Install MongoDB on your system (if not already installed).

If you have set up MongoDB without authentication, your connection string will simply be -
'mongodb://localhost:<port>/passwordless-sms'
Replace <port> with your MongoDB port (typically 27017).

If you have set up MongoDB with authentication, your connection string will be -
'mongodb://<dbUserId>:<dbPassword>@localhost:<port>/passwordless-sms'

Replace <port> with the MongoDB port.
Replace <dbUserId> with the MongoDB database user id.
Replace <dbPassword> with the MongoDB database password.

Clone the passwordless example demo GitHub repo

Clone the following GitHub repo onto your system
https://github.com/rbudiharso/smsauth-example


Edit the source code

Open app.js in your favourite editor and edit the lines below:

Find this line
accountSid = 'TWILIO_SID' 
and replace TWILIO_SID with the Account SID you noted down before.

Now, find this line
authToken = 'TWILIO_AUTH_TOKEN'
and replace TWILIO_AUTH_TOKEN with the Auth Token you noted down before.

Now, find this line 
from: "TWILIO_NUMBER"
and replace TWILIO_NUMBER with the phone number you noted down before.

Now, find this line
db = 'mongodb://localhost/passwordless-sms';
and replace this MongoDB connection string with the connection string you built earlier.

Generating 6 digit OTP

Open a console, go to the cloned repository directory on your system and execute the command below:

npm install random-js --save

Open app.js again and find the function below

tokenAlgorithm: function() {
 // custom token generator
 // short random token generator, enough to fit into single SMS
 return '12345'
}

and replace this function with the code below:

// At the top of app.js (assumption: the random-js 1.x API, which is what the code below uses):
// var Random = require('random-js');

tokenAlgorithm: function() {
 // Mersenne Twister engine seeded from system entropy
 var random = new Random(Random.engines.mt19937().autoSeed());
 // 6 digit token, short enough to fit into a single SMS
 var value = random.integer(100000, 999999);
 console.log(value); // debug only: remove before deployment, this logs the OTP itself
 return value.toString();
}

Running our app to test

In the console execute the command
node app.js

Open a browser and enter this URL
http://localhost:9000

Type your mobile number with the country code. You will receive a 6 digit OTP on your mobile number. On the next page enter that 6 digit OTP and you will be logged in.

Note: you should also code the token timeout functionality. When passwordless saves a token in MongoDB, its timestamp is saved too. So, during OTP verification, fetch that timestamp, check that it is within the range of the timeout setting and throw an exception otherwise.

Programming Superstars

This blog is dedicated to our "Programming Heroes" who have led the evolution of information technology, programming languages and libraries in such a way that these have become the real I.T. game changers.

While this technological evolution and these revolutions are an endless process, we must thank those who took the initiative to take the development technologies of their day to the next level.

Here is a list of some:

1. Anders Hejlsberg

Image Source : Wikipedia.com

Creator and Lead architect of C# language and core developer on TypeScript.




2. James Arthur Gosling

Image Source : Wikipedia.com

Creator of Java programming language and best known as the father of the Java programming language.




3. John Resig

Image Source : Wikipedia.com

Creator and lead developer of jQuery.




4. Ryan Dahl

Image Source : Google.com

Creator of Node.js, an open-source, cross-platform JavaScript runtime environment for developing a diverse variety of tools and applications.




5. Terence Parr

Image Source : Google.com

Creator of ANTLR (ANother Tool for Language Recognition).




6. Jared Hanson

Image Source : Twitter.com

Creator of PassportJS. Passport is authentication middleware for Node.js.




7. Guido van Rossum

Image Source : Wikipedia.com

Van Rossum is Python's principal author, and his continuing central role in deciding the direction of Python is reflected in the title given to him by the Python community, benevolent dictator for life (BDFL).





We will be adding more stars to the sky...:)