0

Is there some way to get an OTP by API? I have an API that requires 2fa. Of course is is possible to turn it off, but I'd really much rather not to.

Steve Vinoski
  • 19,847
  • 3
  • 31
  • 46
Oleg Belousov
  • 9,981
  • 14
  • 72
  • 127

1 Answers1

1

I can help you out with this. FYI, I work with Authy. Is your intention to get an OTP code and subsequently verify the code automatically? Just out of curiosity, are you doing this for integration testing?

You could approach this with Authy by:

  1. Purchasing a Twilio VOIP number
  2. Setting the SMS webhook of the Twilio VOIP number to an API endpoint
  3. Requesting a Phone Verification or Authy 2FA OTP token to that number (NOTE: if you're requesting an Authy OneCode OTP, you will first have to register the number with Authy)
  4. At this point, the OTP will be delivered to your API endpoint via the SMS webhook
  5. Parse the OTP and verify the Phone Verification of Authy 2FA token.

If you are approaching this for testing, you can see a testing-sample app for both Phone Verification and Authy OneCode on Github.

Additional sample API calls are also available on Github.

Regards,

Josh @ Authy

Authy Solutions Architect
  • 111
  • 3
  • 1
    Testing and production, thanks for the solution, it simply slipped my mind that this is possible though I am familiar with both solutions. – Oleg Belousov Feb 02 '17 at 10:28
  • Would it be possible to get a SoftToken via SMS or the API somehow? I am making quit a lot of API requests im production and disabling OTP is not an option. – Oleg Belousov Feb 03 '17 at 07:42
  • A "SoftToken" is a OneCode. Same algorithm, different delivery mechanism. You should be able to use the steps outlined above to get a OneCode via a Twilio VOIP SMS callback. – Authy Solutions Architect Feb 03 '17 at 17:48
  • Hi, I am not sure how to accomplish count #3 of your explanation. I have installed the app on my phone and created my account, however the SMS is sent to my personal number and there is no way to change it. Moreover, it does not seem, that the service provider allows to request and OTP by API. – Oleg Belousov Feb 06 '17 at 11:41
  • Hi Oleg. When you initially setup they Authy app it sounds like you used your personal phone number during user registration. I'd suggest using this user-registration API call with your Twilio VOIP number. https://github.com/AuthySE/Authy-API-Samples/blob/master/userRegistration.sh This command will return a unique Authy ID for that VOIP number. You'll need to check the SMS queue in the Twilio Console for the OTP during registration. All subsequent Authy SMS or Voice calls will go to this number. You can then setup the callbacks in the Twilio console for your testing. – Authy Solutions Architect Feb 13 '17 at 18:21