IDG Contributor Network: Getting started with Twilio account security using Node.js and MongoDB


One of the first considerations for developers building mobile and web apps is how to handle account security, namely how they’re going to protect and authenticate their users and their data. The days where a username and password was sufficient to protect accounts are long behind us, and we’re reminded of this nearly every day in the form of large-scale breaches, high-profile account takeovers, or massive digital heists.

Adding stronger account security such as to your app is one of the simplest ways to increase security, protect users from cyberattacks, and build trust in your product, all while maintaining a smooth user experience.

This quick-start guides you through building a , , and application that restricts access to a URL. I’ll be demonstrating four methods of delivering 2FA: SMS, Voice, Soft Tokens and Push Notifications.

As with my previous tutorials, the first step is to create a if you haven’t already. If you have an existing Twilio account, simply sign in.

. Click the red plus (+) button to create a new Account Security application, and name it something memorable. You’ll automatically be transported to the Settings page next. Click the eyeball icon to reveal your Production API Key.



Copy your Production API Key to a safe place; you will use it during application setup.

Install and launch MongoDB

When a user registers with your application, a request is made to Twilio to add that user to your App, and a user_idis returned. In this demo, we’ll store the returned user_id in a MongoDB database.

Instructions for installing MongoDB vary by platform. Follow the instructions you need to install locally.

, then enter the directory. Install all of the necessary node modules:

npm install

Next, open the file .env.example. There, edit the ACCOUNT_SECURITY_API_KEY, pasting in the API Key from the above step (in the console), and save the file as .env.

Add your application API key

Enter the API Key from the Account Security console and optionally change the port.

export PORT=1337

Once you have added your API Key, you are ready to run! Launch Node with:


If MongoDB is running and your API Key is correct, you should get a message your new app is running!

Try the Node.js two-factor demo

With your phone (optionally with the Authy client installed) nearby, open a new browser tab and navigate to .

Enter your information and create a password, then press Register. Your information is passed to Twilio (you will be able to see your user ), and the application is returned as user_id.

Now visit and log in. You’ll be presented with the following screen:


If your phone has the Authy Client installed, you can immediately enter a soft token from the client to Verify. Additionally, you can try a push notification simply by pushing the labeled button.

If you do not have Authy installed, the SMS and Voice channels will also work in providing a token. To try different channels, you can log out to start the process again.

Try out more channels for 2FA

Twilio’s 2FA supports time-based one time password (TOTP) delivery over four channels: SMS and Voice for all devices, as well as Soft Token and Push Notifications for users of the or our Authentication SDK.

I’d like to highlight the Controller so you can see just how to use some of the authentication channels. In , I demonstrate how to send a push notification to a user with the Authy client installed (push notifications are also available if you integrate our mobile SDK).

Using Push Notifications is one of the most reliable ways to authenticate users and their requests. Because you can simply send an approve/deny request via Push, you can even add extra security to high-risk transactions such as depositing or withdrawing large sums, password requests, and the addition of other users to the same account.

code table 1Twilio
code table 2Twilio

I also highlight the ability to send TOTPs through other channels. By default, when requesting a Password via the Voice or SMS channel, Twilio will automatically upgrade your request to a Push Notification if possible. Here’s how to request a TOTP over Voice:

code table 3Twilio

Note again, by default, all the requests for authentication you send are forward compatible with push notifications. This means that unless you override the logic to force voice or SMS delivery (through the API or the ), users with the Authy Client will receive a Push Notification request on their device instead of the original channel.

And with that, 2FA is turned on and your Node.js app is protected!

What’s next?

Now that you’re familiar with how to implement 2FA in this sample application, you can find all of the detailed descriptions for options and API calls in Twilio’s . If you’re building a registration flow, also check out the  and .

For additional guides and tutorials on account security and other products, , or check out Twilio’s past posts in our Enterprise Developer Education column:

This article is published as part of the IDG Contributor Network.