Telestax Blog

How to Secure Transactions with 2FA Using SMS

Communications service providers can enable secure transactions for enterprise clients with two-factor authentication (2FA) using SMS.

The most widely implemented solution for strong authentication is undoubtedly two-factor authentication (2FA), also known as one-time password (OTP). Part one of this three-part blog series provided the definition and rationale for enabling secure transactions with 2FA. Part two covers how 2FA works with SMS.

For this process, the user is prompted to insert their personal phone number into the landing page of an application or browser. Then, a unique token is generated and sent on the backend, followed by the user receiving a prompt to insert the token received for validation. This is often the case for banking transactions or other online transactions that require retro-compatibility with various kinds of communication devices.

To exemplify how this process can be implemented, the architecture has been divided into the following components:

  • Web Front End: simple HTML front end to manage input/output of number and token
  • Back End Script: node.js and JSON based to serve as middleware between FE and RC
  • Telestax Restcomm: SMS API to send the token to a specific number

1. Collecting The Number

On the front end, for example, here is a very simple HTML page with a form that collects the phone number below.

Behind this page, there is an HTTP Request to the node.js back end sending that number.

2. Generating The Token

The HTTP Request referred to in the last step is triggering a simple node.js script that generates a 6-digit token and temporarily stores it along with the phone number collected in a JSON file like the following:

3. Sending The Token

Continuing as part of the back end process, the token is sent over SMS to the number collected. The simplest way to do this is to send it over the network using the Restcomm SMS API:

If the SMS kick is successful, you should receive the following to your mobile:

4. Validating The Token

Enter the token (or code) into your application or browser. Behind is another call to the node.js script to collect the token inserted and to look at the JSON structure. If successful, the script will simply delete the entry and return to the Token-OK page. Unsuccessful attempts will return the Token-NOK page.

Keep in mind that all components were structured with the sole purpose of showing how you can use Restcomm SMS API as part of the 2FA/OTP process and therefore are jumping over several security enforcement steps to simplify this example.

One of the benefits of a full-stack CPaaS platform is that there are 1,000 different ways to create the same service, some more efficient than others.

Check out the third installment of the 2FA blog series: Secure Transactions with 2FA Using Voice, where you will learn how to use Restcomm voice capabilities to enforce strong authentication.

For more information or to request a demo, contact

Get awesome content in your inbox every week.

Give it a try. It only takes a click to unsubscribe.