Verify Service Configuration

To be able to send 2FA codes using SMS with Twilio, it’s necessary to configure the verify service at this URL: https://www.twilio.com/console/verify/services.

You need to create a new service, assign a name, and be sure that the SMS delivery channel is active (it’s recommended to deactivate other channels that you’re not going to use).

Save the Service SID and you’re ready to continue.

Now, go to your console at https://www.twilio.com/console, copy the Account SID and the Auth Token, and paste them into the .env.development file in your API project as shown below:

TWILIO_ACCOUNT_SID=your_twilio_account_sid
TWILIO_AUTH_TOKEN=your_twilio_auth_token
TWILIO_SERVICE_SID=your_twilio_service_sid

And you’re ready to go! Your API can now do 2FA with Twilio's Verify Service.

Verify Protection

Geographic Permissions

You should only allow code messaging to countries you are planning to support. For that, you can go to https://console.twilio.com/us1/develop/verify/geopermissions, or change the setting on Twilio's dashboard > Verify tab > Geo Permissions tab.

Also change the array in the validCountryCodes.ts file in Linker's API so that it lists the same countries:

export const validCountryCodes = ['US'];

Disable Unused Channels

If you don't plan to use any channel other than SMS, disable all other channels in Twilio at https://www.twilio.com/console/verify/services/. Select the service we just created, and turn off the switches that are not needed.

You also need to restrict the API to the SMS channel in the send-code.dto.ts file, so that a request for any other channel fails validation:

@IsIn(['sms'])

Rate Limit

By default, a rate limit bucket is configured that allows a maximum of 4 requests per 60-second interval, keyed by the user's IP address. You can change that in the twilio.service.ts file:

this.bucketConfig = {
  max: 4,
  interval: 60,
};
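
The three protections above (channel allow-list, country allow-list, per-IP bucket) can be modelled locally as one gate in front of the send-code call. This is an added example, not code from Linker's API or from Twilio: the request shape, createGate, and the fixed-window counting are assumptions, and Twilio enforces the real bucket on its side.

```typescript
// Added example: local model of the Verify protections described above.
// Only validCountryCodes and the bucket's max/interval come from the page.
const validCountryCodes: string[] = ['US'];     // as in validCountryCodes.ts
const allowedChannels: string[] = ['sms'];      // mirrors @IsIn(['sms'])
const bucketConfig = { max: 4, interval: 60 };  // interval is in seconds

interface SendCodeRequest {
  ip: string;           // caller IP, used as the rate-limit key
  channel: string;      // requested delivery channel
  countryCode: string;  // destination country (hypothetical field)
}
type Decision = 'allow' | 'bad_channel' | 'bad_country' | 'rate_limited';
interface Window { start: number; count: number; }

// now() returns seconds; it is injectable so the behaviour can be tested.
function createGate(now: () => number = () => Date.now() / 1000) {
  const windows = new Map<string, Window>();
  return function check(req: SendCodeRequest): Decision {
    // Allow-list checks run first: a rejected request never reaches Twilio.
    // In this sketch it also does not count against the caller's bucket.
    if (!allowedChannels.includes(req.channel)) return 'bad_channel';
    if (!validCountryCodes.includes(req.countryCode)) return 'bad_country';
    const t = now();
    const w = windows.get(req.ip);
    if (!w || t - w.start >= bucketConfig.interval) {
      windows.set(req.ip, { start: t, count: 1 }); // open a fresh window
      return 'allow';
    }
    if (w.count >= bucketConfig.max) return 'rate_limited';
    w.count += 1;
    return 'allow';
  };
}

// Constructed traffic: five requests from one IP within a minute, one after
// the window expires, then a disallowed channel and a disallowed country.
function demo(): Decision[] {
  let clock = 1000;
  const check = createGate(() => clock);
  const req = { ip: '203.0.113.7', channel: 'sms', countryCode: 'US' };
  const out: Decision[] = [];
  for (let i = 0; i < 5; i++) { out.push(check(req)); clock += 5; }
  clock += 60;
  out.push(check(req));
  out.push(check({ ...req, channel: 'call' }));
  out.push(check({ ...req, countryCode: 'FR' }));
  return out;
}
```

A long-running service would also evict expired windows from the map, and would take the client IP from a source the client cannot spoof.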

If you want to learn more about protecting the verify service, click here.
