Telestax Blog

How to Secure Transactions Using 2FA with Voice

Communications service providers can enable secure transactions for enterprise clients using two-factor authentication (2FA) with voice.

In this, the third and final part of the series, we will examine how to set up two-factor authentication or 2FA with voice using the Restcomm voice API. This method of strong authentication is often referred to as flash call verification.

The most widely implemented solution for strong authentication is undoubtedly 2FA also known as one-time password (OTP). Part one of this three-part blog series provided the definition and rationale for enabling secure transactions with 2FA. Part two covers how 2FA works with SMS

Using Flash Call Verification to Validate or Authenticate Your Mobile App

Flash call verification is a validation process which shares the same purpose as OTP, i.e. validate the user, access, or action based on its personal phone number. The difference resides in the way the user interacts with the validation system. While using OTP requires the user to receive and validate a token, flash call tries to minimize user interaction by simply triggering a voice call to a phone number. That call is then detected by a mobile app that validates access by its origin and duration.

To exemplify how this process can be implemented, we will divide the architecture into the following components:

  • Web Front End: simple HTML front end to manage the input of a number to validate
  • Restcomm Voice API: Restcomm voice API to trigger the call
  • Restcomm RCML: Restcomm Markup Language script (XML) with a simple Text-to-Speech (TTS) instruction just in case the user actually answers the call


1. Collecting The Number

Similar to the previous blog entry on the SMS 2FA/OTP, on the frontend, here is a very simple HTML page with a form that collects the phone number below.

Opposite to the SMS 2FA/OTP implementation in this example, the Restcomm voice API is placed directly as part of the HTML form:

Restcomm calls the number indicated in the form with 447418340465 as the origin number (a number that has been registered to the Restcomm account) and drops after 10 seconds if the user does not pick up the phone.

A URL has been added to the RCML app. This causes a voice application to be triggered in case the user answers the incoming call within the 10 seconds of ringing. Keep in mind that in a real use case the mobile app would be digesting the incoming call and so this step may not be necessary.

The TTS instructions within the RCML app would have the following:

2. Making The Call

After typing your phone number on the previous page, all you have to do is click on the Verify button. This triggers the API described previously and finally places the call.

Again, please keep in mind that all components were structured with the sole purpose of demonstrating how you can use the Restcomm voice API as part of the flash call process and therefore are jumping over several security enforcement steps to simplify this example. It is not good practice to place your Restcomm credentials directly on the webpage, but instead, secure them behind some Javascript or PHP application.

You now have a better understanding of how communications service providers can enable secure transactions for enterprise clients using 2FA with voice. To learn more, contact



Get awesome content in your inbox every week.

Give it a try. It only takes a click to unsubscribe.