Complete User Authentication with 2FA

Configure IDaaS as the central authentication platform for social logins and SSO, then integrate Twilio Verify API to deliver SMS-based two-factor authentication for enhanced security.

Scenario

Use this workflow when you need Alibaba Cloud IDaaS to centralize social logins and enterprise SSO, but require carrier-grade SMS two-factor authentication that exceeds native IDaaS capabilities. By routing IDaaS authentication events to Twilio Verify via a custom webhook, you maintain a unified identity directory while leveraging Twilio’s global SMS delivery and fraud protection.

Integration steps

  1. Configure IDaaS Identity Sources: In the IDaaS console, navigate to Authentication > Identity Providers. Enable your social logins (e.g., Google, WeChat) and set the callback URL to your application.
  2. Select 2FA Routing Path: Under Security > Authentication Policies, create a new policy. Choose the Custom Webhook routing option for secondary authentication and point it to your backend endpoint: https://your-api.example.com/idaas/2fa-trigger.
  3. Initialize Twilio Verify Service: Run `twilio api:verify:v2:services:create --friendly-name "App2FA"` to generate a Service SID (e.g., VAxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx).
  4. Trigger SMS Verification: When IDaaS calls your webhook, extract the user's phone number. Call Twilio Verify to dispatch the OTP:

```bash
curl -X POST "https://verify.twilio.com/v2/Services/VAxxx/Verifications" \
  -u "ACxxx:your_auth_token" \
  -d "To=+15551234567" \
  -d "Channel=sms"
```

  5. Validate OTP & Resume Flow: Collect the user's 6-digit code and verify it:

```bash
curl -X POST "https://verify.twilio.com/v2/Services/VAxxx/VerificationCheck" \
  -u "ACxxx:your_auth_token" \
  -d "To=+15551234567" \
  -d "Code=123456"
```

  6. Finalize IDaaS Session: If Twilio returns `"status": "approved"`, respond to the IDaaS webhook with `{"status": "success", "auth_request_id": "<original_id>"}`. IDaaS completes the SSO handshake and issues the final JWT.
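The backend bridge that steps 4 to 6 describe (and that the Architecture section below summarizes), written out as an added example. This is not Alibaba Cloud IDaaS or Twilio code. It assumes the IDaaS webhook delivers a JSON event carrying `auth_request_id`, `phone` and, on the second call, `code` (the page only shows `auth_request_id`, so the other field names are hypothetical), reads credentials from hypothetical environment variables `TWILIO_ACCOUNT_SID`, `TWILIO_AUTH_TOKEN` and `TWILIO_VERIFY_SID`, and uses a constructed `fake_twilio` transport so it runs offline. The `"denied"` reply status is likewise an assumption; only `"success"` is on the page. The one security-relevant design choice is that anything other than an `approved` check, including the `pending` status Twilio returns for a wrong code, results in a denial, so a transport error or unexpected payload can never be mistaken for a pass.

```python
"""Bridge between an IDaaS custom 2FA webhook and the Twilio Verify v2 API.

Added example, not IDaaS or Twilio code. Assumed (hypothetical) names:
  - IDaaS event fields: auth_request_id, phone, code
  - environment variables: TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_VERIFY_SID
"""
import base64
import json
import os
import re
import urllib.parse
import urllib.request

VERIFY_BASE = "https://verify.twilio.com/v2/Services"
# E.164: leading "+", non-zero first digit, at most 15 digits in total.
E164 = re.compile(r"^\+[1-9]\d{6,14}$")


def _twilio_post(path, form, transport=None):
    """POST form-encoded data to Twilio Verify with HTTP Basic auth and return JSON.

    `transport(url, body, headers)` lets a caller substitute a fake network call;
    the default uses urllib against the real endpoint.
    """
    account_sid = os.environ.get("TWILIO_ACCOUNT_SID", "ACxxx")      # hypothetical env name
    auth_token = os.environ.get("TWILIO_AUTH_TOKEN", "your_auth_token")  # hypothetical env name
    service_sid = os.environ.get("TWILIO_VERIFY_SID", "VAxxx")        # hypothetical env name
    url = f"{VERIFY_BASE}/{service_sid}/{path}"
    body = urllib.parse.urlencode(form).encode()
    creds = base64.b64encode(f"{account_sid}:{auth_token}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    if transport is not None:
        return transport(url, body, headers)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def start_verification(phone, transport=None):
    """Step 4: ask Twilio Verify to send an SMS OTP; returns Twilio's status ("pending")."""
    if not E164.fullmatch(phone):
        # Reject malformed numbers before they reach the carrier network.
        raise ValueError("phone must be E.164, e.g. +15551234567")
    result = _twilio_post("Verifications", {"To": phone, "Channel": "sms"}, transport)
    return result.get("status")


def check_verification(phone, code, transport=None):
    """Step 5: check the user's code. True only when Twilio reports "approved"."""
    if not re.fullmatch(r"\d{4,10}", code):
        # Twilio codes are 4-10 digits; do not spend a check attempt on junk input.
        return False
    result = _twilio_post("VerificationCheck", {"To": phone, "Code": code}, transport)
    # A wrong code comes back as status "pending", an error as something else;
    # every one of those is a failure, never a pass.
    return result.get("status") == "approved"


def handle_idaas_otp_submit(event, transport=None):
    """Step 6: build the reply IDaaS expects, echoing the original auth_request_id."""
    auth_request_id = event["auth_request_id"]
    if check_verification(event["phone"], event["code"], transport):
        return {"status": "success", "auth_request_id": auth_request_id}
    return {"status": "denied", "auth_request_id": auth_request_id}  # "denied" is assumed


def fake_twilio(url, body, headers):
    """Constructed stand-in for Twilio Verify so the module runs offline.

    Approves only the constructed code 123456 for the constructed number.
    """
    form = dict(urllib.parse.parse_qsl(body.decode()))
    if not headers.get("Authorization", "").startswith("Basic "):
        return {"status": "unauthorized"}
    if url.endswith("/Verifications"):
        return {"status": "pending", "to": form["To"], "channel": form["Channel"]}
    if url.endswith("/VerificationCheck"):
        ok = form["To"] == "+15551234567" and form["Code"] == "123456"
        return {"status": "approved" if ok else "pending", "valid": ok}
    return {"status": "error"}


if __name__ == "__main__":
    # Walk the flow end to end against the constructed transport.
    print("send:", start_verification("+15551234567", transport=fake_twilio))
    event = {"auth_request_id": "req-42", "phone": "+15551234567", "code": "123456"}
    print("reply to IDaaS:", handle_idaas_otp_submit(event, transport=fake_twilio))
```

Drop the `transport` argument to talk to the real endpoint; with credentials in the environment the two functions then issue exactly the requests shown in the curl commands above.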

Architecture

IDaaS acts as the primary identity orchestrator, handling social/SSO credential validation and session state. Upon successful primary login, IDaaS pauses the flow and invokes your backend webhook. The backend bridges to Twilio Verify API, which manages OTP generation, carrier routing, and validation. Once Twilio confirms verification, the backend signals IDaaS to resume and mint the final access token.
