Skip to contentSkip to navigationSkip to topbar
On this page

.NET Core C# Two-factor Authentication Quickstart


(warning)

Warning

As of November 2022, Twilio no longer provides support for Authy SMS/Voice-only customers. Customers who were also using Authy TOTP or Push prior to March 1, 2023 are still supported. The Authy API is now closed to new customers and will be fully deprecated in the future.

For new development, we encourage you to use the Verify v2 API.

Existing customers will not be impacted at this time until Authy API has reached End of Life. For more information about migration, see Migrating from Authy to Verify for SMS(link takes you to an external page).

Adding two-factor authentication to your application is the easiest way to increase security and trust in your product without unnecessarily burdening your users. This quickstart guides you through building an ASP.NET Core(link takes you to an external page), AngularJS(link takes you to an external page), and SQL Server(link takes you to an external page) application that restricts access to a URL. Four Authy API channels are demoed: SMS, Voice, Soft Tokens and Push Notifications.

Ready to protect your toy app's users from nefarious balaclava wearing hackers? Dive in!


Sign Into - or Sign Up For - a Twilio Account

sign-into---or-sign-up-for---a-twilio-account page anchor

Create a new Twilio account (you can sign up for a free Twilio trial), or sign into an existing Twilio account(link takes you to an external page).

Create a New Authy Application

create-a-new-authy-application page anchor

Once logged in, visit the Authy Console(link takes you to an external page). Click on the red 'Create New Application' (or big red plus ('+') if you already created one) to create a new Authy application then name it something memorable.

Authy create new application.

You'll automatically be transported to the Settings page next. Click the eyeball icon to reveal your Production API Key.

Account Security API Key.

Copy your Production API Key to a safe place, you will use it during application setup.


Setup Authy on Your Device

setup-authy-on-your-device page anchor

This two-factor authentication demos two channels which require an installed Authy app to test: Soft tokens and push authentications. While SMS and voice channels will work without the client, to try out all four authentication channels download and install the Authy app for Desktop or Mobile:


Clone and Setup the Application

clone-and-setup-the-application page anchor

Start by cloning our repository.(link takes you to an external page) Then, enter the directory and install dependencies:

1
git clone https://github.com/TwilioDevEd/account-security-csharp.git
2
cd account-security-csharp/src/AccountSecurity
3
dotnet restore

Next, open the file appsettings.json. There, edit the AuthyApiKey, pasting in the API Key from the above step (in the console), and save .

Add Your Application API Key

add-your-application-api-key page anchor

Enter the API Key from the Account Security console.

1
{
2
"Logging": {
3
"LogLevel": {
4
"Default": "Warning"
5
}
6
},
7
"AllowedHosts": "*",
8
"ConnectionStrings": {
9
"DefaultConnection": "Server=127.0.0.1;Database=account_security;Trusted_Connection=True;MultipleActiveResultSets=true;Integrated Security=False;User ID=sa;Password=yourStrong(!)Password"
10
},
11
"AuthyApiKey": "Your-Authy-Api-Key"
12
}

Install and Launch SQL Server

install-and-launch-sql-server page anchor

When a user registers with your application, a request is made to Twilio to add that user to your App, and a user_id is returned. In this demo, we'll store the returned user_id in an MSSQL database.
On Windows, you can install the free SQL Server Express:

On Linux or Mac, run it as a docker container:

1
docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=yourStrong(!)Password' \
2
3
-p 1433:1433 --name mssql -d microsoft/mssql-server-linux:latest
(warning)

Warning

Make sure your DefaultConnection connection string in appsettings.json is correct for your SQL Server installation. You may need to change the Server to localhost\\SQLEXPRESS if running MSSQL Server Express on Windows. Or, you may need to change the password if you selected a different one when starting your Docker container.

Run the database migrations:

dotnet ef database update -v

Once you have added your API Key, you are ready to run! Run the app with:

dotnet run --environment development

Try the .NET Core C# Two-Factor Demo

try-the-net-core-c-two-factor-demo page anchor

With your phone (optionally with the Authy client installed) nearby, open a new browser tab and navigate to https://localhost:5001/register/(link takes you to an external page)

Enter your information and invent a password, then hit 'Register'. Your information is passed to Twilio (you will be able to see your user immediately in the console(link takes you to an external page)), and the application is returned a user_id.

Now visit https://localhost:5001/login/(link takes you to an external page) and login. You'll be presented with a happy screen:

Token Verification Page.

If your phone has the Authy app installed, you can immediately enter a soft token from the client to Verify. Additionally, you can try a push authentication by pushing the labeled button.

If you do not have the Authy app installed, the SMS and voice channels will also work in providing a token. To try different channels, you can logout to start the process again.

Two Factor Authentication Channels

two-factor-authentication-channels page anchor
1
using System;
2
using System.Collections.Generic;
3
using System.Net;
4
using System.Net.Http;
5
using System.Threading.Tasks;
6
using AccountSecurity.Models;
7
using Microsoft.Extensions.Configuration;
8
using Microsoft.Extensions.Logging;
9
using Newtonsoft.Json;
10
using Newtonsoft.Json.Linq;
11
12
13
namespace AccountSecurity.Services
14
{
15
public interface IAuthy
16
{
17
Task<string> registerUserAsync(RegisterViewModel user);
18
Task<TokenVerificationResult> verifyTokenAsync(string authyId, string token);
19
Task<TokenVerificationResult> verifyPhoneTokenAsync(string phoneNumber, string countryCode, string token);
20
Task<string> sendSmsAsync(string authyId);
21
Task<string> phoneVerificationCallRequestAsync(string countryCode, string phoneNumber);
22
Task<string> phoneVerificationRequestAsync(string countryCode, string phoneNumber);
23
Task<string> createApprovalRequestAsync(string authyId);
24
Task<object> checkRequestStatusAsync(string onetouch_uuid);
25
}
26
27
public class Authy : IAuthy
28
{
29
private readonly IConfiguration Configuration;
30
private readonly IHttpClientFactory ClientFactory;
31
private readonly ILogger<Authy> logger;
32
private readonly HttpClient client;
33
34
public string message { get; private set; }
35
36
public Authy(IConfiguration config, IHttpClientFactory clientFactory, ILoggerFactory loggerFactory)
37
{
38
Configuration = config;
39
logger = loggerFactory.CreateLogger<Authy>();
40
41
ClientFactory = clientFactory;
42
client = ClientFactory.CreateClient();
43
client.BaseAddress = new Uri("https://api.authy.com");
44
client.DefaultRequestHeaders.Add("Accept", "application/json");
45
client.DefaultRequestHeaders.Add("user-agent", "Twilio Account Security C# Sample");
46
47
// Get Authy API Key from Configuration
48
client.DefaultRequestHeaders.Add("X-Authy-API-Key", Configuration["AuthyApiKey"]);
49
}
50
51
public async Task<string> registerUserAsync(RegisterViewModel user)
52
{
53
var userRegData = new Dictionary<string, string>() {
54
{ "email", user.Email },
55
{ "country_code", user.CountryCode },
56
{ "cellphone", user.PhoneNumber }
57
};
58
var userRegRequestData = new Dictionary<string, object>() { };
59
userRegRequestData.Add("user", userRegData);
60
var encodedContent = new FormUrlEncodedContent(userRegData);
61
62
var result = await client.PostAsJsonAsync("/protected/json/users/new", userRegRequestData);
63
64
logger.LogDebug(result.Content.ReadAsStringAsync().Result);
65
66
result.EnsureSuccessStatusCode();
67
68
var response = await result.Content.ReadAsAsync<Dictionary<string, object>>();
69
70
return JObject.FromObject(response["user"])["id"].ToString();
71
}
72
73
public async Task<TokenVerificationResult> verifyTokenAsync(string authyId, string token)
74
{
75
var result = await client.GetAsync($"/protected/json/verify/{token}/{authyId}");
76
77
logger.LogDebug(result.ToString());
78
logger.LogDebug(result.Content.ReadAsStringAsync().Result);
79
80
var message = await result.Content.ReadAsStringAsync();
81
82
if (result.StatusCode == HttpStatusCode.OK)
83
{
84
return new TokenVerificationResult(message);
85
}
86
87
return new TokenVerificationResult(message, false);
88
}
89
90
public async Task<TokenVerificationResult> verifyPhoneTokenAsync(string phoneNumber, string countryCode, string token)
91
{
92
var result = await client.GetAsync(
93
$"/protected/json/phones/verification/check?phone_number={phoneNumber}&country_code={countryCode}&verification_code={token}"
94
);
95
96
logger.LogDebug(result.ToString());
97
logger.LogDebug(result.Content.ReadAsStringAsync().Result);
98
99
var message = await result.Content.ReadAsStringAsync();
100
101
if (result.StatusCode == HttpStatusCode.OK)
102
{
103
return new TokenVerificationResult(message);
104
}
105
106
return new TokenVerificationResult(message, false);
107
}
108
109
public async Task<string> sendSmsAsync(string authyId)
110
{
111
var result = await client.GetAsync($"/protected/json/sms/{authyId}?force=true");
112
113
logger.LogDebug(result.ToString());
114
115
result.EnsureSuccessStatusCode();
116
117
return await result.Content.ReadAsStringAsync();
118
}
119
120
public async Task<string> phoneVerificationCallRequestAsync(string countryCode, string phoneNumber)
121
{
122
var result = await client.PostAsync(
123
$"/protected/json/phones/verification/start?via=call&country_code={countryCode}&phone_number={phoneNumber}",
124
null
125
);
126
127
var content = await result.Content.ReadAsStringAsync();
128
129
logger.LogDebug(result.ToString());
130
logger.LogDebug(content);
131
132
result.EnsureSuccessStatusCode();
133
134
return await result.Content.ReadAsStringAsync();
135
}
136
137
public async Task<string> phoneVerificationRequestAsync(string countryCode, string phoneNumber)
138
{
139
var result = await client.PostAsync(
140
$"/protected/json/phones/verification/start?via=sms&country_code={countryCode}&phone_number={phoneNumber}",
141
null
142
);
143
144
var content = await result.Content.ReadAsStringAsync();
145
146
logger.LogDebug(result.ToString());
147
logger.LogDebug(content);
148
149
result.EnsureSuccessStatusCode();
150
151
return await result.Content.ReadAsStringAsync();
152
}
153
154
public async Task<string> createApprovalRequestAsync(string authyId)
155
{
156
var requestData = new Dictionary<string, string>() {
157
{ "message", "OneTouch Approval Request" },
158
{ "details", "My Message Details" },
159
{ "seconds_to_expire", "300" }
160
};
161
162
var result = await client.PostAsJsonAsync(
163
$"/onetouch/json/users/{authyId}/approval_requests",
164
requestData
165
);
166
167
logger.LogDebug(result.ToString());
168
var str_content = await result.Content.ReadAsStringAsync();
169
logger.LogDebug(str_content);
170
171
result.EnsureSuccessStatusCode();
172
173
var content = await result.Content.ReadAsAsync<Dictionary<string, object>>();
174
var approval_request_data = (JObject)content["approval_request"];
175
176
return (string)approval_request_data["uuid"];
177
}
178
179
public async Task<object> checkRequestStatusAsync(string onetouch_uuid)
180
{
181
var result = await client.GetAsync($"/onetouch/json/approval_requests/{onetouch_uuid}");
182
logger.LogDebug(result.ToString());
183
var str_content = await result.Content.ReadAsStringAsync();
184
logger.LogDebug(str_content);
185
186
result.EnsureSuccessStatusCode();
187
188
return await result.Content.ReadAsAsync<object>();
189
}
190
}
191
192
public class TokenVerificationResult
193
{
194
public TokenVerificationResult(string message, bool succeeded = true)
195
{
196
this.Message = message;
197
this.Succeeded = succeeded;
198
}
199
200
public bool Succeeded { get; set; }
201
public string Message { get; set; }
202
}
203
}

And there you go, two-factor authentication is on and your .NET Core C# App is protected!


Now that you are keeping the hackers out of this demo app using two-factor authentication, you can find all of the detailed descriptions for options and API calls in our Authy API Reference. If you're also building a registration flow, also check out our Twilio Verify product and the Verification Quickstart which uses this codebase.

For additional guides and tutorials on account security and other products, in C# and in other languages, take a look at the Docs.

Need some help?

Terms of service

Copyright © 2024 Twilio Inc.