How to Add Two-Factor Authentication with Node.js and Express

Two-factor authentication refers to a pattern of users needing both something they know, like a password, and something they have, like a verification token from a mobile device.
This tutorial will cover how to implement a verification token system with the Vonage Verify API and Express.js. We have a similar Node.js tutorial using Koa — you can find it here.
The application will have three pages — an initial page that asks for a mobile number, a page where users provide the code sent to them, and finally, a page which they’ll see if their code was correct and the verification successful.
The finished code example is available at https://github.com/nexmo-community/verify-node-express
Prerequisites
- Node.js installed on your machine
- A Vonage API account — take note of your API Key & Secret on the dashboard
Vonage API Account
To complete this tutorial, you will need a Vonage API account. If you don’t have one already, you can sign up today and start building with free credit. Once you have an account, you can find your API Key and API Secret at the top of the Vonage API Dashboard.
Set Up
Create an index.js file and set up the dependencies:
Create the Landing Page
Create a directory called views and an index.html file inside of it with the following content:
Create a route in index.js to render this view:
Create a Verification Request
The form on index.html will send a POST request to /verify when submitted. Create a new route to handle this in index.js:
By default, workflow 1 is used, which sends an SMS, then places a call that reads out the code, and then another call. The final step waits 5 minutes before the whole request expires. You can pass workflow_id as an option if you want to change this behavior.
Check the Code
Create check.html in the views directory:
As well as the code, the request ID is required to check whether the code is correct. Using the same method as {{message}}, the value of the hidden field requestId is provided dynamically.
Like before, this will submit a POST request to the /check endpoint, as this is provided in the action attribute.
Create a new endpoint in index.js:
If the returned status is 0, the check has been successful and the verification is complete. Create a success.html file in the views folder to celebrate:
What Next?
Congratulations on implementing 2FA. Hopefully, you’ll agree that it was an enjoyable experience.
In production, there are some additional considerations you’ll want to factor in:
- More robust handling of errors and non-zero status codes.
- Providing the ability to cancel ongoing verifications.
- Allowing users to indicate their preference between SMS and call-based code delivery.
- Using the Vonage Number Insight API to ensure only valid phone numbers are passed to the Verify API.
You can find the final project at https://github.com/nexmo-community/verify-node-express
As ever, if you need any support feel free to reach out in the Vonage Developer Community Slack. We hope to see you there.