Update To verify numbers even easier, check out our Verification SDK

More and more websites and apps rely on knowing your phone number and, in many cases, using that number for two-factor authentication (2FA). (More info about 2FA here).

In this tutorial, you will learn how to build your own Ruby on Rails two-factor authentication system in about 30 minutes. In part 2, you will implement it in an Android app, and it part 3, you will implement it as part of the login process in a Rails app.

The full sample code can be downloaded here.

Prerequisites Prerequisites

Good understanding of Ruby on Rails and REST APIs A Sinch account

Create a project Create a project

Create a new Rails project and a verification controller:

$ rails new YourProjectName --database=postgresql $ cd YourProjectName $ rails generate controller Verifications

I chose to use a postgres database for my app to make hosting on Heroku easy, since it does not support the default sql database.

Set up routes Set up routes

Add to routes.rb:

post '/generate' => 'verifications#generate_code' post '/verify' => 'verifications#verify_code'

Set up database Set up database

Create a table to store pairs of phone numbers and OTP codes:

$ rails generate migration CreateVerifications phone_number:string code:string $ rake db:create $ rake db:migrate

Then, create the file app/models/verification.rb with the following:

class Verification < ActiveRecord::Base validates_presence_of :phone_number, :code end

Add sinch_sms gem Add sinch_sms gem

You’ll want to use Sinch to send SMS with the one-time password (OTP) codes. Add gem 'sinch_sms' to your gem file and then bundle install.

Generating and verifying OTP codes Generating and verifying OTP codes

In app/controllers/verifications_controller.rb generate_code , you

will:

Generate a random code Create a new object with phone number Send an SMS with the code

In verify_code , you will:

See if there is a verification entry that matches the phone number and code If yes, destroy the entry and return {“verified”:true} If no, return {“verified”:false}

class VerificationsController < ApplicationController skip_before_filter :verify_authenticity_token def generate_code phone_number = params["phone_number"] code = Random.rand(10000..99999).to_s Verification.create(phone_number: phone_number, code: code) SinchSms.send('YOUR_APP_KEY', 'YOUR_APP_SECRET', "Your code is #{code}", phone_number) render status: 200, nothing: true end def verify_code phone_number = params["phone_number"] code = params["code"] verification = Verification.where(phone_number: phone_number, code: code).first if verification verification.destroy render status: 200, json: {verified: true}.to_json else render status: 200, json: {verified: false}.to_json end end end

In a production application, you would most likely use Sinch to verify the format of a number before sending.

Also, one thing you might want to add in a production app is the functionality to wait to return until Sinch knows the message has been delivered to the operator by using:

SinchSms.status(key, secret, message_id);

Testing with Postman Testing with Postman

I like to use Postman to test out my REST APIs. You can get it here.

Use $ rails s to start a local Rails server and take note of the port. In my case it was 3000.

In Postman, generate a code:



See the code arrive in an SMS:



Then verify the code:



Hosting Hosting

If you’re going to follow part 2 of this tutorial, you will need to host this backend somewhere. I chose Heroku, since it’s easy to host a Rails app there and it has a huge free tier. After you’ve created an account, follow the steps on the site to deploy your app. Make sure to follow through the section on migrating your database.

Edit on GitHub