Step 1: Send OTP

The first step in Identity MFA is to send an SMS message containing a one-time passcode to a mobile number. This can be accomplished by using the Verify request.

Trulioo handles the generation of one-time passcodes (OTP). The length of the OTP and SMS language is configurable.


Reach out to our Support Team to assist you with the set-up.


A sample request to the GlobalGateway API can be found below:

POST /verifications/v1/verify HTTP/1.1
Host: <<endpoint>>
Content-Type: application/json
Authorization: Basic ACCESS_TOKEN

    "AcceptTruliooTermsAndConditions": true,
    "VerboseMode": true,
    "CallBackUrl": "",
    "ConfigurationName": "Identity Verification",
    "CountryCode": "CA",
    "DataFields": {
        "Communication": {
            "MobileNumber": "6045551234"

The Verify API for Identity MFA is called asynchronously, therefore the “CallbackUrl” field is required. The callback updates once the transaction has been completed. The callback sends information about the TransactionId, TransactionRecordId, and Status. The TransactionId is required to verify the one-time password.

Understanding Callback Status

Identity MFA will only send SMS to mobile devices. If an error or a non-supported phone type is used the callback status will immediately be set to Complete.


CallbackURL must be secure!

The CallBackUrl parameter must be a valid and secure URL. When in doubt use https over http.

The callback updates multiple times and provide intermittent updates. Refer to the table below for an explanation of each state:




GlobalGateway is waiting for the customer to send the one-time password to verify it.


Transaction is in progress.


Transaction has completed. If status progresses from WaitAsync to Complete it could be due to a number of reasons:

  1. The correct passcode was entered.
  2. The number of incorrect attempts has exceeded the threshold set.
  3. The OTP has expired.

Click here to know more on how to How to build an asynchronous call to GlobalGateway.


Devices Supported

Identity MFA sends a one-time passcode to mobile devices only.

What’s Next
Did this page help you?