How to build a one-time passcode protected conference line with Twilio Verify and Python
You can protect your conference call with a static passcode, and while that offers more security than nothing at all, passcodes can be guessed or leaked -- especially if they're reused over time. You can also verify the caller ID of the person calling in, but spoofing phone numbers is still easy and prevalent.
One time passcodes (OTP) offer additional security by ensuring that a user has access to the phone and number they claim to own. By sending an OTP to the user's number or email you can have confidence the person joining your call is who they say they are.
The code in this post will secure your conference line in two ways:
- Check that the person calling is a known participant
- Prevent anyone from spoofing a phone number in order to join the call with an OTP
Follow the tutorial below or check out the completed code on my GitHub.
Prerequisites for setting up protected conference calls in Python
- A Twilio account. Get an extra $10 when you upgrade using this link
- A Twilio phone number, this will be your conference line. Get one here
- The Twilio Python helper library. Follow instructions to install it here
- The Twilio CLI. Follow instructions to install it here
- A Verify Service. Create one in the console here
- pip and virtualenv to handle the Python application dependencies
Here’s a handy step-by-step guide to setting up Python, pip, virtualenv and Flask.
Create a basic conference call
Create a new folder to store your code files, I called mine otp-conference. Run the following commands in your terminal to set up a virtual environment and install our dependencies:
Create a settings.py file to store our credentials and update the values with your account credentials and Verify Service SID:
Next, create a file called app.py and add the following code. This will ask the caller to input a 6 digit code and then connect them to a conference call -- but it doesn't actually verify those 6 digits yet.
Start your Flask application by running the following command in your terminal:
You should see the server start on port 5000.
Connect your Python code to your Twilio phone number by running the following command in a new terminal window. This will automatically create an encrypted tunnel using ngrok so Twilio can talk to the code running on your local machine. Make sure to update the number in the command to the number you purchased.
Test your unprotected conference line
Call your conference number (make sure you updated the MODERATOR number in the settings.py file to be your own). You should hear a greeting ask you for a 6 digit code. You can enter anything right now, we're not testing the passcode yet. After you enter the code you should hear some hold music.
Protect your conference call with a one time passcode (OTP)
This is already useful - conference lines are a great way to connect with customers, colleagues and friends in this time of social distancing. You may want additional safeguards to make sure you're talking to the right person.
In app.py, create a new function called start_verification:
This checks to make sure the participant is on your list of known participants. Then it verifies that the caller has access to the phone number they're calling from by sending a one time passcode with the Verify API. This helps guard against phone number spoofing.
Alternatively, you could look up the caller in your database and send a verification token to the email on file. You could also ask the user to input their account ID or another identifier to look up their phone number that way.
Add another function called check_verification:
This uses the Verify API to make sure the one time passcode is correct.
Now replace the # TODO - START VERIFICATION with the following code to call our start_verification function:
Head down to the /gather route and replace the # TODO - CHECK VERIFICATION and return join_conference(caller, resp) lines with the following code to call our check_verification function:
Restart your Python app with flask run (or if you're running Flask in debug mode it will reload automatically), make sure the CLI command is still running in the background, and try calling your conference line again. You should get a text with an OTP.
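The allow-list check and the two Verify calls described above, as an added sketch that is not the post's own code. The function signatures, the KNOWN_PARTICIPANTS table and FakeVerifyService are assumptions made for illustration; verify_service stands for the object the Twilio helper library returns from client.verify.services(<your Verify Service SID>), passed in so the logic runs offline.

```python
from types import SimpleNamespace

# Assumption: allow-list keyed by E.164 number (constructed sample values).
KNOWN_PARTICIPANTS = {"+15550100001": "moderator", "+15550100002": "guest"}


def start_verification(verify_service, caller):
    """Send an OTP by SMS, but only to a caller on the allow-list."""
    if caller not in KNOWN_PARTICIPANTS:
        return False  # unknown number: no SMS is sent, no conference access
    try:
        verify_service.verifications.create(to=caller, channel="sms")
    except Exception:
        return False  # fail closed if the Verify request errors
    return True


def check_verification(verify_service, caller, code):
    """Return True only when Verify reports the code as approved."""
    if caller not in KNOWN_PARTICIPANTS:
        return False
    # Gather may deliver no digits or a partial entry; reject before calling out.
    if not (isinstance(code, str) and code.isascii()
            and code.isdigit() and len(code) == 6):
        return False
    try:
        check = verify_service.verification_checks.create(to=caller, code=code)
    except Exception:
        return False
    return check.status == "approved"  # a wrong code leaves status "pending"


class FakeVerifyService:
    """Constructed offline stand-in for the Verify service (hypothetical)."""

    def __init__(self, valid_code):
        self.valid_code, self.sent_to = valid_code, []
        self.verifications = SimpleNamespace(create=self._send)
        self.verification_checks = SimpleNamespace(create=self._check)

    def _send(self, to, channel):
        self.sent_to.append(to)
        return SimpleNamespace(status="pending")

    def _check(self, to, code):
        ok = code == self.valid_code
        return SimpleNamespace(status="approved" if ok else "pending")
```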
What's next after building an OTP protected conference line?
You can use Verify to protect more than conference calls. Protect logins, payments, and more with the easy to use and integrate API. Here are a few other ideas to protect and secure the services you're building in Python:
- Expand your OTP delivery channels with email
- Sanitize phone numbers before sending mass alerts
- Build login phone verification
Sounds like a lot? Maybe a static passcode is what you need for now. Security is all about balancing usability and friction. Static passcodes can be a good starting point.
This tutorial builds on two other tutorials that live in the Twilio docs, check these out for more information on working with Conference calls and Gather-ing input:
Check out the completed code on GitHub. Questions? Find me on Twitter @kelleyrobinson. I can't wait to see what you protect!