Frequently Asked Questions
Implement 2FA using the Vonage Verify API to send SMS OTPs after successful password login. This enhances security by adding "something you have" (your phone) to the authentication process, protecting against unauthorized access.
RedwoodJS is the full-stack JavaScript framework used to build the web application. It provides structure, conventions, and tools like GraphQL and Prisma, which simplify development.
The Vonage Verify API handles sending SMS OTPs and verifying user-entered codes, simplifying the implementation of two-factor authentication.
Add OTP verification when enhanced security is crucial, such as protecting sensitive user data or financial transactions. This guide provides a robust implementation using the Vonage Verify API after password login.
Yes, the Vonage Verify API allows customization of options like code_length (default is 4) and pin_expiry (default is 300 seconds) when initiating the verification request.
Modify the User model in api/db/schema.prisma to include a phoneNumber field, preferably using the E.164 format for international compatibility, along with fields for otpRequestId, otpVerifiedAt, and otpRequired.
The Vonage brand name, set in the .env file as VONAGE_BRAND_NAME, appears in the SMS message sent to the user for OTP verification. Keep it short and recognizable.
Store your VONAGE_API_KEY and VONAGE_API_SECRET in a .env file at your project's root. RedwoodJS loads these into process.env. Never commit this file to version control.
The RedwoodJS API side uses the @vonage/server-sdk to communicate with the Vonage Verify API for sending and verifying OTPs. The web side interacts with the API side via GraphQL mutations.
You need Node.js, Yarn, the RedwoodJS CLI, a Vonage API account, and a basic understanding of RedwoodJS concepts (Cells, Services, GraphQL, dbAuth).
Use try...catch blocks to handle potential Vonage API errors. Catch known errors and re-throw them as AuthenticationError with clear messages. Log unexpected errors with Redwood's logger for debugging.
The Vonage brand name for Verify API v1 used in this guide is set directly within the vonage.verify.start method call using the VONAGE_BRAND_NAME environment variable and not in the Vonage dashboard.
Implement input validation, rate limiting for login attempts and OTP requests/verifications, and consider CAPTCHAs. RedwoodJS handles secure session management, but ensure your SESSION_SECRET is strong.
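One way to rate limit OTP requests and verifications per user, as an added example that is not code from this guide, RedwoodJS or Vonage. The class name, the limits (3 requests and 5 verification attempts per 10 minutes) and the in-memory store are assumptions, and the demo input is constructed.

```javascript
// Added example: sliding-window limiter for OTP requests and verification attempts.
// Limits and names are assumptions chosen for illustration, not Vonage or Redwood defaults.
class OtpRateLimiter {
  constructor({ maxRequests = 3, maxVerifies = 5, windowMs = 10 * 60 * 1000, now = Date.now } = {}) {
    this.limits = new Map([['request', maxRequests], ['verify', maxVerifies]])
    this.windowMs = windowMs
    this.now = now // injectable clock so the behaviour can be tested
    this.events = new Map() // "kind:userId" -> timestamps of recent attempts
  }

  // Returns { allowed, retryAfterMs }. An attempt is recorded only when it is allowed.
  attempt(kind, userId) {
    const limit = this.limits.get(kind)
    if (limit === undefined) throw new Error(`unknown attempt kind: ${kind}`)
    const key = `${kind}:${userId}`
    const t = this.now()
    const recent = (this.events.get(key) || []).filter((ts) => t - ts < this.windowMs)
    this.events.set(key, recent)
    if (recent.length >= limit) {
      return { allowed: false, retryAfterMs: recent[0] + this.windowMs - t }
    }
    recent.push(t)
    return { allowed: true, retryAfterMs: 0 }
  }

  // Call after a successful OTP check so the legitimate user starts fresh.
  reset(userId) {
    for (const kind of this.limits.keys()) this.events.delete(`${kind}:${userId}`)
  }
}

// Constructed demo: eight code guesses one second apart for a single user.
function demo() {
  let t = 0
  const limiter = new OtpRateLimiter({ now: () => t })
  const results = []
  for (let i = 0; i < 8; i++) {
    results.push(limiter.attempt('verify', 'user-1').allowed)
    t += 1000
  }
  return results // first five allowed, remaining three rejected
}
```

In a service, call attempt('request', userId) before vonage.verify.start and attempt('verify', userId) before checking the submitted code, and reject when allowed is false. A deployment with more than one API instance needs a shared store in place of the in-memory Map.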
Prisma is used for database schema management, migrations, and type-safe database access. The RedwoodJS setup integrates Prisma seamlessly for interacting with the database.