Verify SMS Overview
SMS is the most popular channel for phone number verification and two-factor authentication (2FA) because most people can receive text messages and onboarding is seamless.
SMS 2FA is effective. Studies show it blocks the majority of automated attacks, bulk phishing attempts, and targeted attacks.
Learn how to send one-time passcodes (OTPs) via SMS with Twilio Verify SMS.
The following example shows how to start a verification with SMS:
1// Download the helper library from https://www.twilio.com/docs/node/install2const twilio = require("twilio"); // Or, for ESM: import twilio from "twilio";34// Find your Account SID and Auth Token at twilio.com/console5// and set the environment variables. See http://twil.io/secure6const accountSid = process.env.TWILIO_ACCOUNT_SID;7const authToken = process.env.TWILIO_AUTH_TOKEN;8const client = twilio(accountSid, authToken);910async function createVerification() {11const verification = await client.verify.v212.services("VAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa")13.verifications.create({14channel: "sms",15to: "+15017122661",16});1718console.log(verification.sid);19}2021createVerification();
Response
1{2"sid": "VEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",3"service_sid": "VAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",4"account_sid": "ACaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",5"to": "+15017122661",6"channel": "sms",7"status": "pending",8"valid": false,9"date_created": "2015-07-30T20:00:00Z",10"date_updated": "2015-07-30T20:00:00Z",11"lookup": {},12"amount": null,13"payee": null,14"send_code_attempts": [15{16"time": "2015-07-30T20:00:00Z",17"channel": "SMS",18"attempt_sid": "VLaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"19}20],21"sna": null,22"url": "https://verify.twilio.com/v2/Services/VAaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/Verifications/VEaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"23}
After you start a verification with SMS, use the Verification Check API to confirm the code the user provides.
The following resources will help you get started with SMS verification:
Before you send an OTP message through Verify, you must obtain the recipient's opt-in consent. Treat any recipient who has not opted in as opted out by default. You must store evidence of each consent event and provide it to Twilio on request.
For example, include a notice in your application's sign-up or 2FA flow. The notice should state that the user will receive an OTP message at the phone number they provide. Then record the timestamp of the user's confirmation.
As a general best practice and requirement for sending messages to the United States, display the following information in your app's user interface where users request the OTP:
- Complete terms and conditions or link to terms and conditions
- Privacy policy or link to privacy policy
- "Message and data rates may apply" disclosure
This information is required by the CTIA Short Code Handbook for two-factor authentication. Verify SMS also follows the Twilio Messaging Policy. See the policy for more detailed information on consent and opt-in rules.
The following resources provide more information about SMS verification and security:
- SMS Verification: What It Is & How It Works
- Five reasons SMS 2FA isn't going away
- What is SMS pumping?
- Verify Fraud Guard: A feature that prevents SMS-related fraud on Verify by blocking the prefix of the destination of suspected fraud