
SMS

SMS (Short Message Service) authentication adds an extra layer of security to your Strapi CMS by sending a one-time password (OTP) directly to your mobile device. With SMS authentication, only someone with access to your phone can complete the login process.


Why SMS is a Reliable MFA Method

SMS-based MFA provides an easy-to-use security option for users who may not want to use authenticator apps. Since SMS works on virtually any mobile phone, it ensures accessibility without requiring additional installations. While TOTP offers higher security, SMS is an effective backup or alternative MFA method, especially for non-technical users.

warning

Note: While SMS is convenient, it is more susceptible to attacks such as SIM swapping and message interception. Think carefully before enabling the SMS method: it will affect your overall security score and may make your system less secure.


Prerequisites

info

Before enabling SMS authentication in HeadLockr, ensure you meet the following requirements:

  1. Valid Twilio Account:

    • You must have an active Twilio account. If you don’t have one, you can create it here.
  2. Twilio API Key with Send Permissions:

    • Generate a Twilio API key with at least Send permissions by following the official Twilio guide on creating an API key.
  3. Correct Configuration and environment variables:

    • Ensure that the Twilio account SID, API key SID, API key secret and the Twilio phone number assigned to your account are configured correctly in the HeadLockr settings so that SMS delivery works. By default, HeadLockr reads them from the environment variables TWILIO_ACCOUNT_SID, TWILIO_API_KEY_SID, TWILIO_API_KEY_SECRET and TWILIO_PHONE_NUMBER.

By completing these steps, you'll be ready to enable SMS authentication securely in your Strapi CMS using HeadLockr.


Setup SMS Authentication

Follow these steps to configure SMS authentication after you've completed the prerequisites above:

  1. Navigate to the SMS section in the HeadLockr UI.
  2. Verify your identity by entering your Strapi admin password.
  3. Depending on your active MFA methods, you might be challenged with an MFA prompt.
  4. If no verified phone number is found, follow the link in the alert box.
  5. On the settings page, in the top left corner, you can verify, change or delete your existing phone number.
  6. Steps 2 and 3 will repeat for this flow as well.
  7. Enter your phone number in the provided field.
  8. A one-time password (OTP) will be sent to your mobile device via SMS.
  9. Enter the OTP into the designated field in the UI to verify your phone number.
  10. After your phone number has been successfully registered, navigate back to the SMS section to complete the SMS registration.

Congratulations! 🎉 Your SMS authentication method is now active and ready to protect your account.


Best Practices for SMS Authentication

  • Keep Your Phone Secure: Ensure your mobile device is password-protected and not accessible to others.
  • Avoid Sharing OTPs: Never share your one-time password with anyone, even if they claim to be from your organization.
  • Update Your Phone Number: If your phone number changes, update it in the HeadLockr UI immediately to avoid losing access.

With SMS authentication, HeadLockr combines convenience and security, providing an additional layer of protection for your Strapi CMS. Always stay vigilant and secure your mobile device for maximum safety.