2FA with Twilio Verify

Secure uzERP user logins with multi-factor authentication using Twilio Verify

Available Since release 1.31.0

What is Twilio Verify

Twilio Verify is a service that validates users after they have logged into uzERP with their username and password. Twilio Verify supports verification via SMS, voice, push message, etc. but uzERP only implements time-based one-time passwords (TOTP).

With TOTP, users enroll with Twilio and then use codes obtained from an app on their phone, computer or tablet. Some suitable apps are Authy and Google Authenticator.

Before configuring uzERP you will need to create an account and a Verify service with Twilio.

Configure uzERP for TOTP 2FA with Twilio

Set injector classes

  • Set the LoginHandler class to HTMLFormLoginHandlerMFA.
  • Add the MFAValidator class, if not present, and set it to TWValidator.

Add Twilio settings to the uzERP configuration file

Add the Twilio secrets to the config/.env file in uzERP:

# Example settings


Update PHP session management settings (optional)

Twilio will charge your account for each successful validation. uzERP session management can be configured with an appropriate user activity timeout and max age in seconds in the config/.env file.

The above settings should be chosen carefully to balance user convenience, security and cost based on your threat model.

# Example settings

# Let uzERP manage user session timeout and maximum age.
# If included and true, uzERP manages session age.


# If UZERP_MANAGE_USER_SESSIONS is true, the following
# variables must be set.

USER_ACTIVITY_TIMEOUT_SECS=28800 #30 Mins = 1800

User management with 2FA

The user database table includes some fields to support 2FA:

Field Name Description
uuid Unique user id, used to reference the user with the 2FA service to avoid providing any personal information.
mfa_sid Identifies the factor to be verified so that the service can select the correct secret to validate the user’s token.
mfa_enrolled The user has successfully been enrolled for 2FA.
mfa_enabled Indicates that 2FA is enabled for the account.

Verification can be disabled for the next user login from the Web UI and is automatically re-enabled once the user has been validated.

A user’s 2FA status can also be reset, which removes the mfa_sid and sets mfa_enrolled and mfa_enabled to false. The user is then required to re-enroll on their next login.

User enrollment

Once 2FA is enabled users will be required to enroll with the service using their chosen app.

When an un-enrolled user logs in with their usual username and password uzERP will obtain a new TOTP secret from Twilio and present a QR code and plaintext secret that the user can use to set-up their app. The app will then provide a code that the user must enter into uzERP for verification.

After successful verification the user will be logged in to uzERP. Once enrolled the user will need to enter a code from their app each time they login to uzERP.