
I'm working on implementing MFA in my pet-project. As I understand from Twilio Verify docs (https://www.twilio.com/docs/verify/api/rate-limits-and-timeouts#code-validity-period) it has some limitations: the code is valid for 10 minutes and I can only send 5 messages in this 10 minute time span (https://www.twilio.com/docs/api/errors/60203). Also, I found a way to avoid this restriction by updating verification status to "cancelled". The code in C# looks like this:

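    using System;
    using System.Threading.Tasks;
    using Twilio.Rest.Verify.V2.Service;

    // serviceSid is the Verify service SID, defined elsewhere in the class.
    static async Task TestingTwilioLimitations()
    {
        VerificationResource verification = null;

        // Request three codes, 10 seconds apart.
        for (int i = 0; i < 3; i++)
        {
            verification = await VerificationResource.CreateAsync(
                to: "phone number",
                channel: "sms",
                pathServiceSid: serviceSid
            );
            // Task.Delay instead of Thread.Sleep, so the async method does not block its thread.
            await Task.Delay(TimeSpan.FromSeconds(10));
        }

        // Set the status of the pending verification to "canceled".
        await VerificationResource.UpdateAsync(new UpdateVerificationOptions(
            serviceSid, verification.Sid, VerificationResource.StatusEnum.Canceled));

        // Request three more codes.
        for (int i = 0; i < 3; i++)
        {
            verification = await VerificationResource.CreateAsync(
                to: "phone number",
                channel: "sms",
                pathServiceSid: serviceSid
            );
            await Task.Delay(TimeSpan.FromSeconds(10));
        }
    }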

This code allows me to receive 6 messages with codes, despite the limitations of 10 minutes and 5 attempts to send the code. So, the question is, can I use this trick? It allows spamming people (I'm not going to do that, just wanted to be able to configure max send attempts and code validation time from my side), and I'm afraid of being banned by Twilio Verify for using these API calls.

Qserta
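An added example (not from the original post and not Twilio's code): one way to enforce your own maximum send attempts and code validity period inside the application, checked before any provider call is made. The class and method names, the limits, and the placeholder phone number are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;

// App-side policy checked before any SMS provider call (limits are assumptions).
public sealed class VerificationPolicy
{
    private readonly int _maxSends;
    private readonly TimeSpan _window, _codeLifetime;
    private readonly Dictionary<string, Queue<DateTimeOffset>> _sends =
        new Dictionary<string, Queue<DateTimeOffset>>();
    private readonly Dictionary<string, DateTimeOffset> _lastSend =
        new Dictionary<string, DateTimeOffset>();
    private readonly object _gate = new object();

    public VerificationPolicy(int maxSends, TimeSpan window, TimeSpan codeLifetime)
    {
        _maxSends = maxSends; _window = window; _codeLifetime = codeLifetime;
    }

    // Key must be the normalized (E.164) number so formatting variants share one budget.
    public bool TryRegisterSend(string phone, DateTimeOffset now)
    {
        lock (_gate)
        {
            if (!_sends.TryGetValue(phone, out var sent))
                _sends[phone] = sent = new Queue<DateTimeOffset>();
            // Drop sends that have aged out of the sliding window.
            while (sent.Count > 0 && now - sent.Peek() >= _window) sent.Dequeue();
            if (sent.Count >= _maxSends) return false;   // over budget: do not send
            sent.Enqueue(now);
            _lastSend[phone] = now;
            return true;
        }
    }

    // The app's own validity period, which may be shorter than the provider's.
    public bool IsCodeFresh(string phone, DateTimeOffset now)
    {
        lock (_gate)
            return _lastSend.TryGetValue(phone, out var last) && now - last < _codeLifetime;
    }
}
public static class Demo
{
    public static void Main()
    {
        var policy = new VerificationPolicy(3, TimeSpan.FromMinutes(10), TimeSpan.FromMinutes(5));
        var t0 = DateTimeOffset.UtcNow;
        for (int i = 0; i < 4; i++)   // constructed timeline; "+10000000000" is a placeholder
            Console.WriteLine(policy.TryRegisterSend("+10000000000", t0.AddSeconds(10 * i)));
        Console.WriteLine(policy.IsCodeFresh("+10000000000", t0.AddMinutes(6)));
    }
}
```

Call `TryRegisterSend` before requesting a verification and skip the provider call when it returns false; in a multi-instance deployment the counters would need to live in shared storage rather than in process memory.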

1 Answer


This blog may help you.

How to test Twilio Verify without getting rate limited

Otherwise, no way to change the behavior.

Alan
  • Thanks for the reply. My question was not about how to avoid these limitations. I just wanted to know if I can use the described flow, where I manually cancel the verification checks, for MFA authentication. I just found the phrase "For testing you can manually cancel the verification by calling the Verification Update endpoint." here ( https://www.twilio.com/docs/api/errors/60203 ) and I wanted to know why this is just for testing. – Qserta Apr 12 '21 at 11:11
  • That is how the API end-point is designed. You can email Twilio support about the rationale behind the bolded text on the page, https://www.twilio.com/docs/api/errors/60203. – Alan Apr 12 '21 at 11:41