Verify TOTP Technical Overview

The data model does not require any PII (such as phone or email).

Expand image

• Service: an organization or environment (e.g. stage, prod). Contains configurations for all verification methods available through the Verify platform (SMS OTP, Voice OTP, Email OTP, Push Verification, TOTP). A Twilio [sub]account can have multiple Services. Each Service contains multiple Entities that are not shared across Services.
• Entity: a user or other identity that needs verification. An Entity can contain multiple Factors.
• Factor: a verification method, which involves an exchange of secrets via a communication channel. For factor_type totp, which follows the RFC-6238 algorithm, the Factor contains the seed (Binding.Secret) that is used to generate the TOTP. A Factor contains multiple Challenges.
• Challenge: a single verification attempt of an Entity using a Factor. A single Factor has multiple Challenges.

Verify TOTP involves two main sequences that are shown in the diagrams below:

1. Register a user by generating a unique TOTP seed and verify that they've correctly added it to their Authenticator App for generating TOTP codes.
2. Verify a user by verifying that the TOTP code they've provided matches the TOTP code generated by the unique TOTP seed.

Check out the quickstart for step-by-step instructions.