Two Factor Authentication (WhatsApp)
In this scenario, we'll explore the process of verifying a user's identity and authorization before allowing that user to gain access to their account, send communications, or request data from a secured network, system, or application through the WhatsApp delivery channel. That is, the goal of this use case is to explore the process of how to
to implement the two-factor authentication via WhatsApp.
Before beginning, it is essential to take into account the following prerequisites.
-
Get API Key: From the Digital Engagement Platform, copy the API Key located in Preferences section > API tab.
-
For WhatsApp, you need to:
Get a Facebook Business Manager ID.
Create a WhatsApp Business Account ID (WABA).
Create a Sender.
-
Have created a WhatsApp Authentication Template. If you haven't done so already, we'll guide you through creating a new one in this example.
The steps to set up Two Factor Authentication through WhatsApp are the following:
- Create WhatsApp Authentication Template.
- Create a Code Generator
- Send Verification Code to the end user (recipient)
- Validate Verification Code
Create WhatsApp Authentication Template.
In this step we are going to learn how to create an authentication template with an OTP button.
The authentication template consists of the following content:
-
Fixed preset text:
The Body message is defined by META. That is, the body is fixed ->
“<VERIFICATION_CODE> is your verification code”.Next to the Body message, it is defined a security recommendation message (Security disclaimer message) as a boolean (optional) by META:
“For your security, do not share this code”.From the Footer, you are able to add an Expiration warning message (optional):
“This code expires in <NUM_MINUTES> minutes”. -
OTP button: It is mandatory to add an OTP button. Either a copy code button. A copy code button copies the one-time password or code to the user's clipboard.
Let’s replicate the next example:
NOTE
The
“982012”code displayed in the example will differ from the one sent to the end user because the next step is to generate that code. Additionally, the codes are generated randomly.
HTTP Request: POST /whatsapp/templates
Before beginning, in this API call you need to provide the WhatsApp Business Account ID (WABA) or the unique identifier of the Sender.
WARNING
Enter only one of the required parameters (
“wabaId”or“senderId”), not both.In this example we are going to enter the WABA Id.
The following request body includes a body, footer and OTP Button.
curl --request POST \
--url 'https://elastic.messangi.me/balerion/v2/whatsapp/templates/?wabaId=<WABA_ID>' \
--header 'accept: application/json' \
--header 'authorization: Bearer <YOUR_API_KEY>' \
--header 'content-type: application/json' \
--data '
{
"name": "elipackage_authentication",
"category": "AUTHENTICATION",
"templateLanguages": [
{
"language": "en",
"components": [
{
"type": "BODY",
"securityRecomendation": true
},
{
"type": "FOOTER",
"expirationMinutes": 15
},
{
"type": "BUTTONS",
"buttons": [
{
"type": "OTP",
"otp_type": "COPY_CODE",
"text": "Copy Code"
}
]
}
]
}
]
}'
Request Body Parameters
| Parameter | Required | Description |
|---|---|---|
| name | Yes | Name of the template. The name of each template you create cannot be the same. |
| category | Yes | Type of message template. Template category.
|
| templateLanguages | Yes | Array of languages objects containing the language that template may be rendered in and the components. |
| templateLanguages.language | Yes | Language of the message template. Currently the API supports 3 Languages: English, Spanish and Portuguese. Required if you want to send templates in languages other than English. English: Spanish: Portuguese: |
| templateLanguages.components | Yes | The parts of the message template. Array of components objects containing the different types of options you can include in the message. |
| templateLanguages.components.type | Yes | Type of component of the message template you want to send. There are three optional main template components you can include in the template:
|
| templateLanguages.components.securityRecomendation | No | Only applies to the Set |
| templateLanguages.components.expirationMinutes | No | Only applies to the Indicates the number of minutes the password or code is valid. If omitted, the code expiration warning will not be displayed in the delivered message. Minimum |
| templateLanguages.components.buttons | Yes | Only applies to the Array of Buttons type options you can include to the template. |
| templateLanguages.components.buttons.type | Yes | Only applies to the Buttons Type option. The buttons object contains the following option:
|
| templateLanguages.components.buttons.otp_type | Yes | Only applies to the Set the |
| templateLanguages.components.buttons.text | Yes | Only applies to the Copy code button text. Maximum 25 characters. |
{
"meta": {
"timestamp": 1707177081141,
"transactionId": "395b2ac9-1046"
},
"errors": {
"reason": "error Meta template",
"details": {}
},
"data": {
"wabaId": 11234567232528,
"name": "elipackage_authentication",
"category": "AUTHENTICATION",
"templateLanguages": [
{
"id": "37587656784131",
"language": "en",
"components": [
{
"type": "BODY",
"securityRecomendation": true
},
{
"type": "FOOTER",
"expirationMinutes": 15
},
{
"type": "BUTTONS",
"buttons": [
{
"type": "OTP",
"otp_type": "COPY_CODE",
"text": "Copy Code"
}
]
}
]
}
]
}
}
- Copy the request body and paste it in your terminal command.
- Press Enter key
- From the response body, copy the unique identifier of the WhatsApp authentication template (
“data.templateLanguages.id”) parameter.
NOTE
Upon the creation of the authentication template, META approval is required.
Create a Code Generator
Once the WhatsApp Authentication Template has been created and approved by META, the next step is to create the code generator.
Code Generator is a security feature for your Application used with two-factor authentication. You can add an authentication factor linked to a channel (WhatsApp). When a user signs up or logs into your application a numeric code is sent to their mobile device either via WhatsApp. For this reason, the second step is to create the code generator and configure the code that will be sent to the end user.
When you create a Code Generator for WhatsApp, the request body contains the following data:
HTTP Request: POST /v1/2fa
curl -X 'POST' \
'https://elastic.messangi.me/eyriesgate/v1/2fa' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <YOUR_API_KEY>' \
-H 'Content-Type: application/json' \
-d '{
"codeLength": 6,
"expirationMinutes": 15,
"channels": [
{
"type": "WHATSAPP",
"address": "584111111111",
"templateId": "3752812345987345",
"placeholder": "code"
}
]
}'
Request Body Parameters
| Parameter | Required | Description |
|---|---|---|
| codeLength | Yes | Security code length. The security codes used for two-factor authentication are a minimum of 6 digits. |
| expirationMinutes | Yes | Security code expiration time in minutes. |
| channels | Yes | Contains the information of the channels to be used for the code delivery. Only ONE channel can be chosen when generating a code. |
| channels.type | Yes | Define the channel from where the code will be sent. Currently supports independent channels for 2FA: For this example we set the |
| channels.address | Yes | Phone number of the sender. Phone number provided during the WABA account setup will be used as the sender of the notification message. Only accepts numeric characters. Do not include the "+" sign.> type. |
| channels.templateId | Yes | Unique identifier of the WhatsApp Authentication Template. |
| channels.placeholder | Yes | The Body message (defined by META) contains a placeholder ( |
{
"meta": {
"timestamp": 1707180413315,
"transactionId": "a6a16b0a-b830"
},
"data": {
"id": 250,
"codeLength": 6,
"expirationMinutes": 15,
"channels": [
{
"placeholder": "code",
"address": "584111111111",
"templateId": "3752812345987345",
"type": "WHATSAPP"
}
]
}
}
- Copy the request body and paste it in your terminal command.
- Press Enter key
- From the response body, copy the unique identifier of the code generator (
“data.id”) parameter.
Send Verification Code
Once the code generator has been created, the next step is to send the verification code to the end user.
HTTP Request: POST /v1/2fa/{id}/codes
In this API call you need to provide the unique identifier (“data.id”) of the code generator previously created.
curl -X 'POST' \
'https://elastic.messangi.me/eyriesgate/v1/2fa/<CODE_GENERATOR_ID>/codes' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <YOUR_API_KEY>' \
-H 'Content-Type: application/json' \
-d '{
"channel": "WHATSAPP",
"receiver": "+525500000000"
}'
Request Body Parameters
| Parameter | Required | Description |
|---|---|---|
| channel | Yes | Define the channel from where the code will be sent. Currently supports independent channels for 2FA: For this example we set the |
| receiver | Yes | Determines the destination phone number for your authentication template and verification code. Numbers are specified in E.164 format → (‘+’ and a country code). |
{
"meta": {
"timestamp": 1707183277726,
"transactionId": "7942859d-45d2"
},
"data": {
"requestId": "c12345616-fee2-f345hgf-fgh123"
}
}
- Copy the request body and paste it in your terminal command.
- Press Enter key.
- From the response body, copy the unique identifier of the two factor authentication request (
“data.requestId”) parameter.
Validate Verification Code
Once the code has been generated and sent to the user via WhatsApp, you proceed to validate the user.
When the user enters the security code to your application, you can carry out the following actions :
- Verify the security code to validate the user.
- Cancel the security code.
- Check the Status of the security code.
In this example, we'll solely verify the security code.
HTTP Request: PATCH /v1/2fa/{id}/codes
In this API call you need to provide the unique identifier (“data.id”) of the code generator and the unique identifier (“data.requestId”) of the request previously created.
Prior to validating the user, it's necessary to initially verify the status of the verification code.
curl -X 'PATCH' \
'https://elastic.messangi.me/eyriesgate/v1/2fa/<CODE_GENERATOR_ID>/codes' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <YOUR_API_KEY>' \
-H 'Content-Type: application/json' \
-d '{
"action": "status",
"requestId": "<REQUEST_ID>"
}'
Request Body Parameters
| Parameter | Required | Description |
|---|---|---|
| action | Yes | Apply one the following actions to the verification code:
For this example, we set the |
| requestId | Yes | Unique identifier of the two factor authentication request. That is, this is the ID of the verification code that has to be verified. |
{
"meta": {
"timestamp": 1707243156412,
"transactionId": "6ae15fa5-1e97"
},
"data": {
"id": 534,
"userID": "+525500000000",
"token": "151820",
"requestID": "c12345616-fee2-f345hgf-fgh123",
"expirationDate": "2024-02-06T01:44:37.020949",
"validationDate": null,
"validationChannel": "WHATSAPP",
"status": "PENDING"
}
}
Response Body Parameters
| Parameter | Description |
|---|---|
| data | Unique identifier of the status API call. |
| data.userID | Destination phone number for your authentication template and verification code. Numbers are specified in E.164 format → (‘+’ and a country code). |
| data.token | Verification code that was sent to the end user. |
| data.expirationDate | |
| data.validationDate | Date on which the verification code has been valid. |
| data.validationChannel | Channel from where the verification code was sent. |
| data.status | Status of the verification code.
|
- Copy the request body and paste it in your terminal command.
- Press Enter key.
- From the response body, copy the verification code (
“data.token”) parameter.
Because the verification code is in “PENDING” status, we proceed to validate the code.
NOTE
In this API Call, the user needs to enter their verification code to valid the code.
We acquired that code from the previous request to provide you with a clearer understanding of its status and validation.
curl -X 'PATCH' \
'https://elastic.messangi.me/eyriesgate/v1/2fa/<CODE_GENERATOR_ID>/codes' \
-H 'accept: application/json' \
-H 'Authorization: Bearer <YOUR_API_KEY>' \
-H 'Content-Type: application/json' \
-d '{
"action": "verify",
"requestId": "c12345616-fee2-f345hgf-fgh123",
"code": "151820"
}'
Request Body Parameters
| Parameter | Required | Description |
|---|---|---|
| action | Yes | Apply one the following actions to the verification code:
For this example, we set the |
| requestId | Yes | Unique identifier of the two factor authentication request. That is, this is the ID of the verification code that has to be verified. |
| code | Yes | Verification code that has to be verified. |
{
"meta": {
"timestamp": 1707252519688,
"transactionId": "424cd21f-a190",
"explain": "valid code"
}
}
Response Body Parameters
| Parameter | Description |
|---|---|
| explain | Valid verification code. |
Updated 3 months ago