Frequently Asked Questions
Implement 2FA using the Vonage Verify API to send SMS OTPs after successful password login. This enhances security by adding "something you have" (your phone) to the authentication process, protecting against unauthorized access.
RedwoodJS is the full-stack JavaScript framework used to build the web application. It provides structure, conventions, and tools like GraphQL and Prisma, which simplify development.
The Vonage Verify API handles sending SMS OTPs and verifying user-entered codes, simplifying the implementation of two-factor authentication.
Add OTP verification when enhanced security is crucial, such as protecting sensitive user data or financial transactions. This guide provides a robust implementation using the Vonage Verify API after password login.
Yes, the Vonage Verify API allows customization of options like `code_length` (default is 4) and `pin_expiry` (default is 300 seconds) when initiating the verification request.
Modify the `User` model in `api/db/schema.prisma` to include a `phoneNumber` field, preferably using the E.164 format for international compatibility, along with fields for `otpRequestId`, `otpVerifiedAt`, and `otpRequired`.
The Vonage brand name, set in the `.env` file as `VONAGE_BRAND_NAME`, appears in the SMS message sent to the user for OTP verification. Keep it short and recognizable.
Store your `VONAGE_API_KEY` and `VONAGE_API_SECRET` in a `.env` file at your project's root. RedwoodJS loads these into `process.env`. Never commit this file to version control.
The RedwoodJS API side uses the `@vonage/server-sdk` to communicate with the Vonage Verify API for sending and verifying OTPs. The web side interacts with the API side via GraphQL mutations.
You need Node.js, Yarn, the RedwoodJS CLI, a Vonage API account, and a basic understanding of RedwoodJS concepts (Cells, Services, GraphQL, `dbAuth`).
Use `try...catch` blocks to handle potential Vonage API errors. Catch known errors and re-throw them as `AuthenticationError` with clear messages. Log unexpected errors with Redwood's logger for debugging.
For the Verify API v1 used in this guide, the brand name is passed directly in the `vonage.verify.start` method call, taken from the `VONAGE_BRAND_NAME` environment variable. It is not configured in the Vonage dashboard.
Implement input validation, rate limiting for login attempts and OTP requests/verifications, and consider CAPTCHAs. RedwoodJS handles secure session management, but ensure your `SESSION_SECRET` is strong.
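One way to apply the rate limiting recommended above to OTP sends and code checks, as an added example that is not code from the guide. The names `createLimiter` and `guardOtpCheck`, the key format and the limits are assumptions chosen for illustration.

```javascript
// Added example: sliding-window limiter for OTP sends and OTP code checks.
// All names and limits here are hypothetical, not part of RedwoodJS or Vonage.
function createLimiter({ max, windowMs, now = Date.now }) {
  const hits = new Map() // key -> timestamps of allowed hits inside the window

  // Drop timestamps older than the window and return what is left.
  const prune = (key) => {
    const cutoff = now() - windowMs
    const recent = (hits.get(key) || []).filter((t) => t > cutoff)
    if (recent.length) hits.set(key, recent)
    else hits.delete(key)
    return recent
  }

  return {
    // Records the hit when allowed; denied hits are not recorded.
    take(key) {
      const recent = prune(key)
      if (recent.length >= max) {
        return { allowed: false, retryAfterMs: recent[0] + windowMs - now() }
      }
      hits.set(key, [...recent, now()])
      return { allowed: true, retryAfterMs: 0 }
    },
    // Call after a successful verification so the next login starts clean.
    reset(key) {
      hits.delete(key)
    },
  }
}

// Constructed policy: 3 SMS sends per phone number per 10 minutes,
// 5 code guesses per verification request per 300 s (the default pin_expiry).
const otpStartLimiter = createLimiter({ max: 3, windowMs: 10 * 60 * 1000 })
const otpCheckLimiter = createLimiter({ max: 5, windowMs: 300 * 1000 })

// Run this in the service function before the code is sent for verification.
function guardOtpCheck(otpRequestId, limiter = otpCheckLimiter) {
  const { allowed, retryAfterMs } = limiter.take(`check:${otpRequestId}`)
  if (!allowed) {
    const err = new Error('Too many verification attempts. Request a new code.')
    err.retryAfterMs = retryAfterMs
    throw err
  }
}
```

The counters live in one process's memory, so a deployment with several API instances or serverless functions needs the same logic backed by a shared store such as the database.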
Prisma is used for database schema management, migrations, and type-safe database access. The RedwoodJS setup integrates Prisma seamlessly for interacting with the database.