- About
- Dependencies
- Requirements
- Documentation
- Installation
- Usage
- Running the Sample app
- Running the sample backend
- Using the sample app
- Logging
- Errors
- Update factor's push token
- Delete a factor
- Clear local storage
- Reinstall and persist factors
- Notification Extension
- Contributing
- License
Twilio Verify Push SDK helps you verify users by adding a low-friction, secure, cost-effective, "push verification" factor into your own mobile application. This fully managed API service allows you to seamlessly verify users in-app via a secure channel, without the risks, hassles or costs of One-Time Passcodes (OTPs). This project provides an SDK to implement Verify Push for your iOS app.
None
- iOS 10+
- Swift 5.2
- Xcode 13.x
CocoaPods is a dependency manager for Cocoa projects. For usage and installation instructions, visit their website. To integrate TwilioVerify into your Xcode project using CocoaPods, specify it in your Podfile
:
pod 'TwilioVerify', '~> 2.2.2'
Carthage is a decentralized dependency manager that builds your dependencies and provides you with binary frameworks. To integrate TwilioVerify into your Xcode project using Carthage, specify it in your Cartfile
:
github "twilio/twilio-verify-ios" -> 2.2.2
Since version 2.2.2
of TwilioVerifySDK
the prebuilt asset fat version .framework
is been deprecated, to give space for the universal framework .xcframework
. Make sure to use the new version of Carthage 0.38.0 that was release in order to support the xcframework
assets, by using this version or a superior one, Carthage will download and unzip the TwilioVerifySDK.framework.zip
attached in the release version, resulting in a TwilioVerifySDK.xcframework
that can be found in the build folder of Carthage.
The Swift Package Manager is a tool for automating the distribution of Swift code and is integrated into the swift
compiler. It is in early development, but TwilioVerify does support its use on iOS.
Once you have your Swift package set up, adding TwilioVerify as a dependency is as easy as adding it to the dependencies
value of your Package.swift
.
dependencies: [
.package(url: "https://github.com/twilio/twilio-verify-ios.git", .upToNextMajor(from: "2.2.2"))
]
If you want to receive challenges as push notifications, you should register Your App with APNs. More info here
NOTE
The SDK should be used from a Swift class. See an example in the TwilioVerifyAdapter class
Since version 2.2.2
, the target was changed from TwilioVerify
to TwilioVerifySDK
. Migrating from older versions will imply to update all the imports in your files, see an example in the TwilioVerifyAdapter class
See Verify Push Quickstart for a step-by-step guide to using this SDK in a basic Verify Push implementation.
- Clone the repo
- Change the Bundle Identifier to something unique so Apple’s push notification server can direct pushes to this app
- Enable push notifications
- Get the Access token generation URL from your backend (Running the Sample backend). You will use it for creating a factor
- Run the
TwilioVerifyDemo
project usingRelease
as build configuration
You can silently approve challenges when your app already knows that the user is trying to complete an action (actively logging in, making a transaction, etc.) on the same device as the registered device that is being challenged.
You can enable the option "Silently approve challenges" for a factor. After enabling it, every challenge received as a push notification when the app is in foreground for that factor will be silently approved, so user interaction is not required. The option will be saved for the session, so the selection will not be persisted.
- Configure a Push Credential for the sample app, using the same APNs configuration
- Configure a Verify Service, using the Push Credential for the sample app
- Go to: https://www.twilio.com/code-exchange/verify-push-backend
- Use the
Quick Deploy to Twilio
option- You should log in to your Twilio account
- Enter the Verify Service Sid you created above, you can find it here
- Deploy the application
- Press
Go to live application
- You will see the start page. Copy the url and replace
index.html
withaccess-token
.(e.g. https://verify-push-backend-xxxxx.twil.io/access-token). This will be yourAccess Token generation URL
- Press Create factor in the factor list (click on the +, top right)
- Enter the identity to use. This value should be an UUID that identifies the user to prevent PII information use
- Enter the Access token URL (Access token generation URL, including the path, e.g. https://verify-push-backend-xxxxx.twil.io/access-token)
- Press Create factor
- Copy the factor Sid
- Go to Create Push Challenge page (/challenge path in your sample backend)
- Enter the
identity
you used in factor creation - Enter the
Factor Sid
you added - Enter a
message
. You will see the message in the push notification and in the challenge view - Enter details to the challenge. You will see them in the challenge view. You can add more details using the
Add more Details
button - Press
Create challenge
button - You will receive a push notification showing the challenge message in your device.
- The app will show the challenge info below the factor information, in a
Challenge
section - Approve or deny the challenge
- After the challenge is updated, you will see the challenge status in the backend's
Create Push Challenge
view
By default, logging is disabled. To enable it you can either set your own logging services by implementing LoggerService and calling addLoggingService
(note that you can add as many logging services as you like) or enable the default logger service by calling enableDefaultLoggingService
. Your multiple implementations and the default one can work at the same time, but you may just want to have it enabled during the development process, it's risky to have it turned on when releasing your app.
You may want to log only certain processes that are happening in the SDK, or you just want to log it all, for that the SDK allows you to set a log level.
- error: reports behaviors that shouldn't be happening.
- info: warns specific information of what is being done.
- debug: detailed information.
- networking: specific data for the networking work, such as request body, headers, response code, response body.
- all: error, info, debug and networking are enabled.
To start logging, enable the default logging service or/and pass your custom implementations
var builder = TwilioVerifyBuilder()
#if DEBUG
builder = builder.enableDefaultLoggingService(withLevel: .all)
.addLoggingService(MyOwnLoggerService1())
.addLoggingService(MyOwnLoggerService2())
#endif
twilioVerify = try builder.build()
Types | Code | Description |
---|---|---|
Network | 60401 | Exception while calling the API |
Mapping | 60402 | Exception while mapping an entity |
Storage | 60403 | Exception while storing/loading an entity |
Input | 60404 | Exception while loading input |
Key Storage | 60405 | Exception while storing/loading key pairs |
Initialization | 60406 | Exception while initializing an object |
Authentication Token | 60407 | Exception while generating token |
You can control Verify API error codes listed here by following the next example:
twilioVerify.createFactor(withPayload: payload, success: { factor in
// Success
}) { error in
let apiError = error.originalError as? NetworkError
if case let .failureStatusCode(response) = apiError {
// Gets Verify API error response
var errorResponse = response
if let code = errorResponse.apiError?.code,
let message = errorResponse.apiError?.message {
print("Code: \(code) - \(message)")
}
}
}
Check an example here
You can get the cause for an error accesing the associated error
twilioVerify.updateChallenge(withPayload: payload, success: {
// Success
},failure: { error in
if case .inputError(let detail) = error, let inputError = detail as? InputError {
switch inputError {
// Handle other cases here, in this example expired challenge case
case .expiredChallenge: return
default: return
}
}
})
You can find the associated errors for validations here
For extra detail, check specific internal operations errors here
You can update the factor's push token in case it changed, calling the TwilioVerify.updateFactor
method:
let updateFactorPayload = UpdatePushFactorPayload(sid: factorSid, pushToken: newPushToken)
twilioVerify.updateFactor(withPayload: payload, success: { factor in
// Success
}) { error in
// Error
}
See FactorListPresenter in the sample app. You should update the push token for all factors.
You can delete a factor calling the TwilioVerify.deleteFactor
method:
twilioVerify.deleteFactor(withSid: factorSid, success: {
// Success
}) { error in
// Error
}
You can clear the local storage calling the TwilioVerify.clearLocalStorage
method:
do {
try twilioVerify.clearLocalStorage()
} catch {
// Handle error
}
- Calling this method will not delete factors in Verify Push API, so you need to delete them from your backend to prevent invalid/deleted factors when getting factors for an identity.
- Since the Keychain is used for storage this method can fail if there is an error while doing the Keychain operation.
By default, the created factors and key pairs will not persist in the device after the app is uninstalled and reinstalled for security reasons. However, it's possible to change this default behavior and persist the factors and key pairs after a reinstall, because both are saved in the keychain.
NOTE This may change in future iOS versions, but it will keep working for iOS 15 and below. Preserving keychain items on app uninstall could be a security concern. You should not rely on this behaviour and provide an alternative way to enroll the factor again if this behaviour changes.
To persist factors after a reinstall, use TwilioVerifyBuilder.setClearStorageOnReinstall
method when creating the TwilioVerify
instance. The default value is true
, so the factors will be deleted on reinstall. Change it to false
to persist the factor(s)
let builder = TwilioVerifyBuilder().setClearStorageOnReinstall(false)
let twilioVerify = try builder.build()
The push token will change after the reinstall. Update the push token to receive push notifications for challenges, as is explained in Update factor's push token
The SDK is using kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly to save factors and keypairs. According to Apple,
Items with this attribute do not migrate to a new device. Thus, after restoring from a backup of a different device, these items will not be present.
The Notification Extension is an App Extension that allows developers to modify or process the content of a remote notification before it is delivered to the user.
Follow Apple's Modifying Content in Newly Delivered Notifications guide to create a Notification Extension.
To be able to use the Verify SDK in Notification Extensions, it is necessary to use App Groups, this will allow the App Extension to be able to read the KeyChain storage from the application. Otherwise, the SDK will not be able to read any of the stored Factors or Challenges in the Notification Extension.
let builder = TwilioVerifyBuilder()
let twilioVerify = try builder.setAccessGroup("group.com.example.AppSuite").build()
Use the setAccessGroup method to set up the app group used for keychain access.
Take into consideration that the Notification Extension only lives for a period of time of approximately 30 seconds, so if by some reason the App Extension does not process the remote notification content before that period expires, it will display the original content instead.
See the Notification Extension branch to check the example of an implementation using the Notification Extension & the SDK in the VerifyDemoApp.
Sharing Factors using App Groups
While setting up the setAccessGroup configuration for the first time, the factors data will migrate to use the kSecAttrAccessGroup Keychain's attribute. If the migration fails, error logs will be sent instead of throwing an error during initialization, the data will remain available for the main application but may not be available for App Extensions.
Stop Sharing Factors from App Groups
By removing the App Group from the setAccessGroup configuration, new factors will not be shared via the Keychain app groups.
let builder = TwilioVerifyBuilder()
let twilioVerify = try builder.build()
To stop sharing existing factors created with App Groups, uncheck the App Group from the App/App Extension configuration in Xcode, as follow:
App/App Extension -> App Groups -> Uncheck App Group
This will restrict access to the factors and will not affect the main application in which the data was initially created.
This document serves as the Privacy Manifest for the Twilio Verify SDK. It outlines the privacy practices implemented in this SDK, providing a comprehensive understanding of how we handle data and respect user privacy.
The primary purpose of this Privacy Manifest is to facilitate developers and organizations in providing Apple with detailed information about the privacy practices employed within this SDK.
To use this Privacy Manifest, simply refer to the relevant sections when you need to provide information to Apple or any other interested parties about the privacy practices used in this SDK.
This project welcomes contributions. Please check out our Contributing guide to learn more on how to get started.