Two Factor Authentication (WhatsApp)

In this scenario, we'll explore the process of verifying a user's identity and authorization before allowing that user to gain access to their account, send communications, or request data from a secured network, system, or application through the WhatsApp delivery channel. That is, the goal of this use case is to explore the process of how to
to implement the two-factor authentication via WhatsApp.

Before beginning, it is essential to take into account the following prerequisites.

  • Get API Key: From the Digital Engagement Platform, copy the API Key located in Preferences section > API tab.

  • For WhatsApp, you need to:

    Get a Facebook Business Manager ID.

    Create a WhatsApp Business Account ID (WABA).

    Create a Sender.

  • Have created a WhatsApp Authentication Template. If you haven't done so already, we'll guide you through creating a new one in this example.

The steps to set up Two Factor Authentication through WhatsApp are the following:

  • Create WhatsApp Authentication Template.
  • Create a Code Generator
  • Send Verification Code to the end user (recipient)
  • Validate Verification Code

Create WhatsApp Authentication Template.

In this step we are going to learn how to create an authentication template with an OTP button.

The authentication template consists of the following content:

  • Fixed preset text:

    The Body message is defined by META. That is, the body is fixed -> “<VERIFICATION_CODE> is your verification code”.

    Next to the Body message, it is defined a security recommendation message (Security disclaimer message) as a boolean (optional) by META: “For your security, do not share this code”.

    From the Footer, you are able to add an Expiration warning message (optional): “This code expires in <NUM_MINUTES> minutes”.

  • OTP button: It is mandatory to add an OTP button. Either a copy code button. A copy code button copies the one-time password or code to the user's clipboard.

Let’s replicate the next example:

📘

NOTE

The “982012” code displayed in the example will differ from the one sent to the end user because the next step is to generate that code. Additionally, the codes are generated randomly.

HTTP Request: POST /whatsapp/templates

Before beginning, in this API call you need to provide the WhatsApp Business Account ID (WABA) or the unique identifier of the Sender.

🚧

WARNING

Enter only one of the required parameters (“wabaId” or “senderId”), not both.

In this example we are going to enter the WABA Id.

The following request body includes a body, footer and OTP Button.

curl --request POST \
     --url 'https://elastic.messangi.me/balerion/v2/whatsapp/templates/?wabaId=<WABA_ID>' \
     --header 'accept: application/json' \
     --header 'authorization: Bearer <YOUR_API_KEY>' \
     --header 'content-type: application/json' \
     --data '
{
  "name": "elipackage_authentication",
  "category": "AUTHENTICATION",
  "templateLanguages": [
    {
      "language": "en",
      "components": [
        {
          "type": "BODY",
          "securityRecomendation": true
        },
        {
          "type": "FOOTER",
          "expirationMinutes": 15
        },
        {
          "type": "BUTTONS",
          "buttons": [
            {
              "type": "OTP",
              "otp_type": "COPY_CODE",
              "text": "Copy Code"
            }
          ]
        }
      ]
    }
  ]
}'

Request Body Parameters

Parameter Required Description
name Yes

Name of the template.

The name of each template you create cannot be the same.

category Yes

Type of message template.

Template category.

  • "AUTHENTICATION": Send codes that allow your customers to securely access their accounts.

templateLanguages Yes

Array of languages objects containing the language that template may be rendered in and the components.

templateLanguages.language Yes

Language of the message template.

Currently the API supports 3 Languages: English, Spanish and Portuguese.

Required if you want to send templates in languages other than English.

English: "en", "en_GB", "en_US"

Spanish: "es", "es_AR", "es_ES"

Portuguese: "pt_BR", "pt_PT"

templateLanguages.components Yes

The parts of the message template.

Array of components objects containing the different types of options you can include in the message.

templateLanguages.components.type Yes

Type of component of the message template you want to send.

There are three optional main template components you can include in the template:

"BODY": Content of the message template.

"FOOTER" Short line of text to the bottom of your message.

"BUTTONS" Button type located at the end of the message.

templateLanguages.components.securityRecomendation No

Only applies to the "BODY" type.

Set true if you want the template to include the string: "For your security, do not share this code." Set false to exclude the string.

templateLanguages.components.expirationMinutes No

Only applies to the "FOOTER" type.

Indicates the number of minutes the password or code is valid. If omitted, the code expiration warning will not be displayed in the delivered message. Minimum 1, maximum 90.

templateLanguages.components.buttons Yes

Only applies to the "BUTTONS" type.

Array of Buttons type options you can include to the template.

templateLanguages.components.buttons.type Yes

Only applies to the "BUTTONS" type.

Buttons Type option.

The buttons object contains the following option:

"OTP": one-time password button (OTP) to deliver the password or code.

templateLanguages.components.buttons.otp_type Yes

Only applies to the "BUTTONS" type.

Set the "COPY_CODE" value if you want the template to use a copy code button.

templateLanguages.components.buttons.text Yes

Only applies to the "BUTTONS" type.

Copy code button text. Maximum 25 characters.

{
  "meta": {
    "timestamp": 1707177081141,
    "transactionId": "395b2ac9-1046"
  },
  "errors": {
    "reason": "error Meta template",
    "details": {}
  },
  "data": {
    "wabaId": 11234567232528,
    "name": "elipackage_authentication",
    "category": "AUTHENTICATION",
    "templateLanguages": [
      {
        "id": "37587656784131",
        "language": "en",
        "components": [
          {
            "type": "BODY",
            "securityRecomendation": true
          },
          {
            "type": "FOOTER",
            "expirationMinutes": 15
          },
          {
            "type": "BUTTONS",
            "buttons": [
              {
                "type": "OTP",
                "otp_type": "COPY_CODE",
                "text": "Copy Code"
              }
            ]
          }
        ]
      }
    ]
  }
}
  1. Copy the request body and paste it in your terminal command.
  2. Press Enter key
  3. From the response body, copy the unique identifier of the WhatsApp authentication template (“data.templateLanguages.id”) parameter.

📘

NOTE

Upon the creation of the authentication template, META approval is required.

Create a Code Generator

Once the WhatsApp Authentication Template has been created and approved by META, the next step is to create the code generator.

Code Generator is a security feature for your Application used with two-factor authentication. You can add an authentication factor linked to a channel (WhatsApp). When a user signs up or logs into your application a numeric code is sent to their mobile device either via WhatsApp. For this reason, the second step is to create the code generator and configure the code that will be sent to the end user.

When you create a Code Generator for WhatsApp, the request body contains the following data:

HTTP Request: POST /v1/2fa

curl -X 'POST' \
  'https://elastic.messangi.me/eyriesgate/v1/2fa' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <YOUR_API_KEY>' \
  -H 'Content-Type: application/json' \
  -d '{
  "codeLength": 6,
  "expirationMinutes": 15,
  "channels": [
    {
      "type": "WHATSAPP",
      "address": "584111111111",
      "templateId": "3752812345987345",
      "placeholder": "code"
    }
  ]
}'

Request Body Parameters

Parameter Required Description
codeLength Yes

Security code length.

The security codes used for two-factor authentication are a minimum of 6 digits.

expirationMinutes Yes

Security code expiration time in minutes.

channels Yes

Contains the information of the channels to be used for the code delivery. Only ONE channel can be chosen when generating a code.

channels.type Yes

Define the channel from where the code will be sent.

Currently supports independent channels for 2FA: “SMS”, “EMAIL”, “WHATSAPP”.

For this example we set the “WHATSAPP” type.

channels.address Yes

Phone number of the sender.

Phone number provided during the WABA account setup will be used as the sender of the notification message.

Only accepts numeric characters. Do not include the "+" sign.> type.

channels.templateId Yes

Unique identifier of the WhatsApp Authentication Template.

channels.placeholder Yes

The Body message (defined by META) contains a placeholder (“code”)which then will be replaced by the code generated.

{
  "meta": {
    "timestamp": 1707180413315,
    "transactionId": "a6a16b0a-b830"
  },
  "data": {
    "id": 250,
    "codeLength": 6,
    "expirationMinutes": 15,
    "channels": [
      {
        "placeholder": "code",
        "address": "584111111111",
        "templateId": "3752812345987345",
        "type": "WHATSAPP"
      }
    ]
  }
}
  1. Copy the request body and paste it in your terminal command.
  2. Press Enter key
  3. From the response body, copy the unique identifier of the code generator (“data.id”) parameter.

Send Verification Code

Once the code generator has been created, the next step is to send the verification code to the end user.

HTTP Request: POST /v1/2fa/{id}/codes

In this API call you need to provide the unique identifier (“data.id”) of the code generator previously created.

curl -X 'POST' \
  'https://elastic.messangi.me/eyriesgate/v1/2fa/<CODE_GENERATOR_ID>/codes' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <YOUR_API_KEY>' \
  -H 'Content-Type: application/json' \
  -d '{
  "channel": "WHATSAPP",
  "receiver": "+525500000000"
}'

Request Body Parameters

Parameter Required Description
channel Yes

Define the channel from where the code will be sent.

Currently supports independent channels for 2FA: “SMS”, “EMAIL”, “WHATSAPP”.

For this example we set the “WHATSAPP” channel.

receiver Yes

Determines the destination phone number for your authentication template and verification code.

Numbers are specified in E.164 format → (‘+’ and a country code).

{
  "meta": {
    "timestamp": 1707183277726,
    "transactionId": "7942859d-45d2"
  },
  "data": {
    "requestId": "c12345616-fee2-f345hgf-fgh123"
  }
}
  1. Copy the request body and paste it in your terminal command.
  2. Press Enter key.
  3. From the response body, copy the unique identifier of the two factor authentication request (“data.requestId”) parameter.

Validate Verification Code

Once the code has been generated and sent to the user via WhatsApp, you proceed to validate the user.

When the user enters the security code to your application, you can carry out the following actions :

  • Verify the security code to validate the user.
  • Cancel the security code.
  • Check the Status of the security code.

In this example, we'll solely verify the security code.

HTTP Request: PATCH /v1/2fa/{id}/codes

In this API call you need to provide the unique identifier (“data.id”) of the code generator and the unique identifier (“data.requestId”) of the request previously created.

Prior to validating the user, it's necessary to initially verify the status of the verification code.

curl -X 'PATCH' \
  'https://elastic.messangi.me/eyriesgate/v1/2fa/<CODE_GENERATOR_ID>/codes' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <YOUR_API_KEY>' \
  -H 'Content-Type: application/json' \
  -d '{
  "action": "status",
  "requestId": "<REQUEST_ID>"
}'

Request Body Parameters

Parameter Required Description
action Yes

Apply one the following actions to the verification code:

  • "status": know the status of the verification code.

  • "verify": verify the verification code to validate the user.

  • "cancel":cancel the verification code.

For this example, we set the “status” parameter.

requestId Yes

Unique identifier of the two factor authentication request. That is, this is the ID of the verification code that has to be verified.

{
  "meta": {
    "timestamp": 1707243156412,
    "transactionId": "6ae15fa5-1e97"
  },
  "data": {
    "id": 534,
    "userID": "+525500000000",
    "token": "151820",
    "requestID": "c12345616-fee2-f345hgf-fgh123",
    "expirationDate": "2024-02-06T01:44:37.020949",
    "validationDate": null,
    "validationChannel": "WHATSAPP",
    "status": "PENDING"
  }
}

Response Body Parameters

Parameter Description
data

Unique identifier of the status API call.

data.userID

Destination phone number for your authentication template and verification code.

Numbers are specified in E.164 format → (‘+’ and a country code).

data.token

Verification code that was sent to the end user.

data.expirationDate

data.validationDate

Date on which the verification code has been valid.

data.validationChannel

Channel from where the verification code was sent.

data.status

Status of the verification code.

  • "VALIDATED": The verification code has been confirmed as valid.

  • "PENDING": The verification code has not been confirmed as valid yet.

  • "EXPIRED":The verification code has expired.

  1. Copy the request body and paste it in your terminal command.
  2. Press Enter key.
  3. From the response body, copy the verification code (“data.token”) parameter.

Because the verification code is in “PENDING” status, we proceed to validate the code.

📘

NOTE

In this API Call, the user needs to enter their verification code to valid the code.

We acquired that code from the previous request to provide you with a clearer understanding of its status and validation.

curl -X 'PATCH' \
  'https://elastic.messangi.me/eyriesgate/v1/2fa/<CODE_GENERATOR_ID>/codes' \
  -H 'accept: application/json' \
  -H 'Authorization: Bearer <YOUR_API_KEY>' \
  -H 'Content-Type: application/json' \
  -d '{
  "action": "verify",
  "requestId": "c12345616-fee2-f345hgf-fgh123",
  "code": "151820"
}'

Request Body Parameters

Parameter Required Description
action Yes

Apply one the following actions to the verification code:

  • "status": know the status of the verification code.

  • "verify": verify the verification code to validate the user.

  • "cancel":cancel the verification code.

For this example, we set the “verify” parameter.

requestId Yes

Unique identifier of the two factor authentication request. That is, this is the ID of the verification code that has to be verified.

code Yes

Verification code that has to be verified.

{
  "meta": {
    "timestamp": 1707252519688,
    "transactionId": "424cd21f-a190",
    "explain": "valid code"
  }
}

Response Body Parameters

Parameter Description
explain

Valid verification code.

“valid code”: the verification code entered is valid.