14
Passwordless SMS Authentication 101 | Python Edition
Imagine yourself logging into an application without being required to create and remember a password. Well, not much to imagine, right? We all did it at least once before. There are plenty of approaches on how to implement this. One of those approaches is also by using passwordless SMS authentication.
Passwordless SMS Authentication enables application developers to offer authentication without having to remember login credentials. It allows users to enter their mobile device phone number to get a one-time code which can help them to log in.
With this user authentication technique, when, for example, a mobile user authenticates in an app for the first time, they are asked for their phone number. A one-time code is then sent from the developer's server-side app to that phone number as an SMS text message. The user then enters the code into the app and they are authenticated.
Let's say it's the first time for a user to use the app. An account will be created for that user. If not, the user will be authenticated to use the unique ID assigned by the identity provider. The authentication code sent to the user's phone number is not reusable, but it can only be used once, after which it expires. When the user visits the app again, a new code will be sent to their mobile phone number, which they can use to log in.
Thus, it will either:
- save your users from the need to remember account passwords, or
- add another level of security in case you want to use it as an add-on in the 2FA, 3FA, or MFA setup. There are suitable use-cases for either approach.
So, when and why should you use (or avoid) this mode of authentication?
I guess the answer to this question varies depending on what are you trying to achieve. There are more elegant ways and which significantly reduce the risk of fraudulent activities such as account takeover, and there are enough articles out there talking about how and why should you go with either alternative approach.
To keep it completely real, if you are seeking ultimate security, you might consider using SMS simply as one of the layers of your multi-factor authentication process. Or you might just say: nope, I want something else.
If you're simply trying to do a simple integration that enables you to verify your user's phone number or really anything that is not that safety-critical, then sure, jump on board - it's easy to do it.
Ok, by now you should kind of be aware of what it is, and what might be the benefits or potential pitfalls. I guess it is safe to proceed with a bit of hands-on and see how this actually works in practice.
In this section, we will be discussing one approach on how to implement this authentication technique.
Infobip platform offers you a solution that you can use to send authentication messages. It provides official API libraries for different (at the moment of writing: Java, C#, PHP, Python & Go) programming languages.
You can find the list of various SDKs provided by this platform here. All our API-related SDKs are open-source and made available on GitHub. To learn more about the platform, visit its official documentation here. In this section, we will be demonstrating how to use the Infobip Python API library to send one-time passwords via SMS.
First, you should install the infobip-api-python-client
. You can install it using Python's pip package manager. Pip is shipped with Python, thus, you don't have to install it if you have already installed Python.
Open the terminal of your operating system and run the following command:
pip install infobip-api-python-client
The command will install infobip-api-python-client
on your computer. You should get a success message similar to the one shown in the following image.
Have you created an Infobip account? If not, please do so here, you'll need one in order to follow this to the letter. The next step should involve configuration and authentication. To properly set the configuration, you need a specific URL and an API key (both is provided to you when the account is created). You can find both on the homepage of your account.
To be able to use both of the above, simply click the copy-to-clipboard buttons and paste them into their proper locations in the config setup.
In order to initialize the Infobip 2FA API client and properly set the configuration for it, you should do the following.
Ensure that you substitute the right values of the various parameters in the above code. These include the API Base URL, the API Key, and the API Key prefix. For you to send the SMS successfully, these credentials MUST be correct.
While API Base URL and API Key you can simply copy from your account homepage, you have to set API Prefix manually. The reason behind this is that there are multiple authentication options, and you might choose not to use API Key but one of its alternatives. In case you chose to simply copy the key value available on your account, then you need to set the API Key Prefix value to App
. That's it, you are ready to make API calls to the Infobip platform.
Before being able to send one-time passwords you need to set up the application and message template.
The application represents the service you are using it for. It is recommended to have different applications configured for different use cases or services. That is done by invoking the Create 2FA Application endpoint. Python lib you previously installed does it like shown below.
The last line reads the id of the created application so you can re-use it. Spoiler alert, you need it for the next step.
When the application is configured, you need to prepare the template for the message(s) you want to send. Let's see an example of how can you design the message body and the password (PIN) placeholder.
Similar to what you did in the previous chapter, now you read the id of the created message template. In order to actually send a password via SMS, we'll need both of the IDs - application and message template.
Now that you have set up the application and designed the message template, let's send the code to the user via SMS. In order to do it, you can simply use the following:
Note that after sending the password you checked whether the message was sent successfully, and also saved another id. This one is going to be used in order to verify the user to whom you sent the SMS message.
So, you configured everything and sent the password. But how do you know whether the proper password was used by the user?
Well, obviously you somehow have to offer the user a way to put the password you just sent to him. After he does it, you simply need to call the following and check whether the response says the user is verified.
And if verified
is true
, that's it -your user successfully authenticated himself.
Passwordless SMS Authentication can be used in various cases. Where needed, it can help developers to authenticate users without requiring them to remember a password. In other cases, it can be used to provide an additional layer of security on top of the basic username-password authentication.
It's really up to the application owner(s) to determine whether they need extra simplicity or extra security. This article is not going to go there, its sole purpose is to show you how easy it is to set it up.
Today we covered how it can be done via SMS, but Infobip also allows you to do utilize it via Voice and/or Email as well. Even Biometrics and something called Silent Mobile Verification are in play - more on it in one of the next articles.
Feel free to check this out and try it yourself after you create a trial account (needless to say; a free one). Unless you already have one, in which case you simply go and play with it.
14