Skip to Main Content

Multifactor Authentication with SMS OTP on WSO2 Identity Server

In this article, we will discuss how WSO2 Identity Server (IS) can reinforce the security of access to applications by including a second authentication step. We’ll also explain how to enable and configure multifactor authentication using SMS OTP.

¿What is OTP (One Time Password)?

A one-time password (OTP) is a password designed to be used only once or which is only valid for a short period of time.

In this process, the person’s cell phone is used to verify their identity. It is assumed that only the owner will have access to the cell phone to which the password is sent.

This system is commonly used for banking operations, registration on digital platforms, password recovery, etc.

Pre-requisites for the SMS OTP authentication

  1. Download the latest version of WSO2 IS, which can be obtained through the following link to Identity Server – On-Premise and in the Cloud.
  2. To send an SMS we will use Vonage as an SMS provider. For this to work an account has to be created through the following link  Vonage API Dashboard.
  3. Once the Vonage account has been created, obtain the API Key and the API Secret as they will be used to configure our Identity Provider.

Vonage API Dashboard

Creating a User

The steps to follow when creating a user are explained in his section:

1.Login to the WSO2 administration console using the following URL: https://localhost:9443/carbon

creaicón usuario

2. In the next window click on the Add New User option:

Add new user

3. Then, complete the data of the user that we are going to create. As an example, the demo user will be created, to continue click on the Next button.


4. In the next window, select a role with login permissions. To conclude the creation of the user click on the Finish button:


5. Then, update the user profile, including a valid cell phone number.


Configure the identity provider

To configure the identity provider the following steps must be followed.

1.In the Home menu under Identity Provider, click on the Add option.


2. In the next window, in the Basic Information section, insert the following information:





Identity Provider Name SMSOTP
Alias https://localhost:9443/oauth2/token

Basic Information

3. In the SMS OTP Configuration section insert the following data:





Enable Activate checkbox
SMS URL<ENTER_API_KEY>&api_secret=<ENTER_API_SECRET>&from=NEXMO&to=$ctx.num&text=$ctx.msg

Configure Service Provider

For this example, the service provider User Portal will be used, and these steps will be followed:

  1. In the administration console, click on the Service Providers option.

Add list

  1. Now, edit the service provider User Portal. This will be done by clicking on the Edit button.

Service Providers

  1. Then, click on the Advanced Configuration option.

Local & Outbound

  1. In the next window, click on the Add Authentication Step button. In Step 2, select the SMSOTP option from the list and click on Add Authenticator.

Advanced Authentication Configuration for User Portal

Test the configuration

To test out the configurations just created in the previous sections, follow the steps below:

  1. Go to the following URL: https://localhost:9443/user-portal
  2. Then, insert the credentials of our demo user that we created in WSO2 Identity Server.


  1. Once the credentials have been entered, the next window will ask you to enter the OTP that we will have received by text message to our cell phone.

Ingresar el OTP

Authenticating with SMSOTP


  1. If the code is correct, it will allow us access to the User Portal, otherwise it will indicate that the OTP is incorrect.

OTP Correcto


As seen in this article, with WSO2 Identity Server we can reinforce the access security to our applications by including a second authentication step. In this case, this was achieved by sending an OTP via SMS. However, it is possible to send this via email, or to include a third step using a biometric fingerprint reading.

If you want to know how Chakray can help you to strengthen your access security, then contact us!