Add two factor authentication to a Microsoft bot with Nexmo’s Verify API

Published July 11, 2018 by Rabeb Othmani

2FA (Two Factor Authentication) is increasingly used to increase security within applications.
As bots become increasingly popular, developers will need to consider how to integrate 2FA with their bots
In this demo, we will see how to use the Nexmo Verify API with Microsoft Bot Framework.

Prerequisites

In this post, we won’t go through the details of creating a bot.
We are assuming that you know how to setup Visual Studio to create bot projects.
If you are not familiar with Microsoft Bot framework, you can visit the documentation page here.

The Bot Builder SDK for .NET currently supports C#. Visual Studio for Mac is not supported. You will need a Windows machine to be able to run this demo.

To set up 2FA, we are using Nexmo Verify API and the Nexmo C# Client Library

How does it work?

In our scenario, we are going to add two-factor authentication to a bot on sign-up.
As a first time user, you are required to provide a little bit of information to complete your profile like your name and phone number.

Then, the bot will try to verify that phone number by sending a PIN using the Nexmo Verify API.
The next step is to collect the PIN and check it.

Setting up the bot project

The first thing to do in order to set up 2FA with a bot, is to create a bot. It makes sense, doesn’t it?
In Visual Studio, create a new project of the type “Bot Application”: File–> New–> Project–> Bot application

Using Nexmo with the bot

Using Nexmo APIs with a Bot Application is no different from using the APIs with any other .Net Project.
install the Nexmo C# Client Library via the NuGet Package Manager Console.

Creating the profile form

In order to verify the user’s phone number on sign up, we are going to collect a little bit of information for building a user’s profile.

With the Microsoft Bot Framework, there are few ways to manage the conversation flow and build dialogs. In this case, we are going to use FormFlow as it simplifies the process of managing a guided conversation like ours.

Add a ‘UserProfile’ class to the project, this class defines the form. The class includes some properties to help us build the profile and a ‘BuildForm()’ method that uses ‘FormBuilder’ to create the form and define a simple welcome message.

Make sure to import the namespace FormFlow to be able to use FormFlow.

Using the form

Now that we have a profile form, we need to connect it to the framework to be able to actually use it. This is done by adding it to the controller ‘MessagesController.cs’ via ‘MakeRootDialog()’ method.

‘MakeRootDialog()’ in return calls ‘FormDialog.FromForm’ method to create the user profile form.
Once the user profile is completed, the bot will proceed to sending a verification code to the phone number provided by the user.

For the sake of clarity, we are grouping the methods related to verification (i.e., for sending and checking) in a helper class called ‘VerifyHelper.cs’.

‘MakeRootDialog()’ is called by the Conversation.SendAsync()’ method.

Now that the code is sent, the next step is to verify it once the user provides it to the bot.

This is done via the ‘CheckVerificationCode’ method in ‘VerifyHelper.cs’.

As you can see, this method returns a string because we want to use that string to communicate with the user via the bot. the other thing to note here is ‘RequestId’. This is the identifier of the verify request to check. When we send the verification code, we simply stored this identifier.

Now let’s go back to the bot, we mentioned that we are creating the form in ‘MessageController.cs’. That is because the ‘Post’ method within ‘MessageController.cs’ is responsible for receiving any message from the user and invokes the root dialog.

So when the user types in the verification code, the bot will still intercept that message in the post method just like the user profile information. Therefore, we need a way to tell the bot what right action to do next.
If you look closely at the BuildForm method in ‘UserProfile.cs’, you’d notice that we are setting a bool ProfileComplete to true on completion.

So what happens is everytime the user types something, we will check to see if ProfileComplete is set to true or not.
If the profile is complete then the assumption is that the user has entered the verification code and we proceed to check if that code is valid; if not we keep filling the profile in the root dialog.

In a nutshell

The aim of this demo is to walk you through how to add 2FA to your Microsoft Bot applications using Nexmo Verify API on sign up.

We have created a user profile form then send a verification code to the phone number provided by the user.
Once the user enters the code sent to them, we will verify it.
Watch out our blog to see more samples and scenarios on how to use the Nexmo APIs with Microsoft Bot Framework.

Leave a Reply

Your email address will not be published.