If you use SMS to send codes for two-factor authentication logins or to verify ownership of a phone numbers, you need to be aware of a growing trend where wireless carriers are starting to block your traffic and thus preventing people from signing up and logging into your application. Twilio has two APIs, Verify and Authy, which can help avoid these issues because they are pre-configured to comply with carriers changing policies.
For example Canada’s approach to reduce unwanted messages is to encourage use of short codes instead of long codes. Carriers are supporting this preference through increased filtering of A2P traffic on long codes. The change in law came from the Canadian Radio-television and Telecommunications Commission (CRTC) which, in 2017, started enforcing updates to Canada’s Anti-Spam Legislation (CASL). Specifically, they target bulk SMS messages sent from long codes, i.e. ten-digit phone numbers like (236) 555-1212. This type of traffic, when sent from software applications as opposed to other people’s phones, is called A2P, or Application to Person.
The increase in regulations is impacting companies who use SMS to verify new user signups (a practice known as phone verification) and/or deliver codes as part of two-factor authentication (2FA) secured logins. Essentially, when you send out numerous similar looking messages, such as “123456 is your code to login” they’ll likely fall into these spam filters. What’s unfortunate is these codes are critical to your users trying to login or signup, if they get blocked, people cannot get into your application.
The new policy requires that this traffic should only be sent from short codes and that long codes are only for person-to-person messages. If you are using SMS to send codes for 2FA or phone verification and you have users in Canada, users will be blocked from signing up for your application or successfully completing an authentication.
Twilio has a solution to avoiding this issue. We have an API for two-factor authentication, called Authy and another for phone verification, called Verify. They are already configured with short codes and agreements with carriers to avoid blocking of verification and authentication SMS messages. These APIs are not just configured for Canada, but for all global destinations where short codes are supported and we constantly maintain them as policy changes. As such, using these APIs will not only resolve the current Canadian issue but also address potential future carrier policy changes in other countries.
You can read more about these APIs at;
We also have some ebooks which go into the subject in more depth