What we learned from adding WhatsApp verification to the Authy App

March 24, 2022
Written by
Tim Gu
Contributor
Opinions expressed by Twilio contributors are their own

Twilio's Authy application helps users manage TOTP authentication with a friendly interface and an account that can be transferred between phones. It's an app for authentication, but we still need to verify end-user accounts, and one of the ways we verify Authy accounts is with a phone number. While SMS verification is incredibly useful, SMS costs vary by country and not all users have reliable cellular coverage. We wanted to explore new verification channels for cases where users might not prefer SMS.

WhatsApp is quickly achieving ubiquity with over 2 billion users across 180 countries. We decided to test WhatsApp verification by adding it to our Authy App last year. This blog post will describe the results of that experiment and what adding WhatsApp verification might look like in your own application.

We saw overall improvement in three key areas from adding WhatsApp:

  1. Strong user adoption and user experience
  2. Improved verification conversion rates
  3. Decreased fraud and better security

Our research shows this is due to overall penetration in certain markets, Wi-Fi fallback in areas with poor cellular connectivity and general user preference.

General benefits of using WhatsApp compared to SMS

Users often prefer OTT (over-the-top) messaging services like WhatsApp because they are free and accessible via Wi-Fi. This means you can receive a WhatsApp message where Wi-Fi is available but cellular signals are weak or nonexistent, like in a remote area or on an airplane. WhatsApp is often faster than SMS and is end-to-end encrypted, so it offers additional security.

In addition to encryption, WhatsApp offers more security benefits: every WhatsApp user is identified by a unique phone number that they provide at account creation. WhatsApp verifies these phone numbers with its own set of robust fraud prevention tools. This means you're outsourcing a portion of the identity assurance to WhatsApp and can directly replace SMS with WhatsApp verification.

Experiment design for WhatsApp verification

During the experiment we presented an option to users in the experiment group to verify their account with a WhatsApp message. This replaced the previous suggested verification option of using SMS.

experiment screenshot showing before and after - after has an option to send a whatsapp message

After a user selects WhatsApp, we send an OTP message via WhatsApp to their device. The experience is incredibly similar to receiving an SMS OTP and on Android phones the user is even provided the code without leaving the app.

Here's an example of the messages on SMS and WhatsApp respectively:

side by side comparison of sms and whatsapp messages that show they're very similar

Detecting if the user has WhatsApp installed

To improve user experience and default to WhatsApp, you can determine whether the user has WhatsApp installed on the same device your app is running on. Follow the instructions for iOS and Android to determine if a package is installed. Here's an example WhatsApp detection implementation for Android:

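import android.content.Context
import android.content.pm.PackageManager

// Returns true if the named package is installed and visible to this app.
// When targeting Android 11 (API 30) or higher, declare both package names in a
// <queries> element in the manifest; otherwise they are reported as not installed.
fun PackageManager.isPackageInstalled(packageName: String): Boolean {
  return try {
    getPackageInfo(packageName, PackageManager.GET_ACTIVITIES)
    true
  } catch (e: PackageManager.NameNotFoundException) {
    false
  }
}

// Checks for both the consumer WhatsApp app and WhatsApp Business.
fun Context.isWhatsAppInstalled(): Boolean {
  val whatsAppPackageName = "com.whatsapp"
  val whatsAppBusinessPackageName = "com.whatsapp.w4b"
  return packageManager.isPackageInstalled(whatsAppPackageName) ||
    packageManager.isPackageInstalled(whatsAppBusinessPackageName)
}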

If we detect WhatsApp we reorder the OTP menu options so that WhatsApp is more prominent than SMS.

Experiment results

The experiment ran for 14 weeks. In that time we saw strong user adoption, improved conversion rates, and decreased fraud.

Strong user adoption and user experience

During the experiment we sent about 2,000 WhatsApp messages per day globally. Adoption was particularly strong in countries with large WhatsApp usage like Brazil, India, Indonesia, and Germany. We saw anywhere from 20-40% of users in these countries choose the WhatsApp option. Users often prefer WhatsApp over traditional SMS (American reliance on SMS is an outlier) since WhatsApp is free for users and can be accessed via Wi-Fi.

Improved verification conversion rates

Conversion rates (the number of users who entered the correct OTP divided by the number of users who were sent an OTP) meaningfully increased when we added WhatsApp. One reason for the improvement is that WhatsApp works on Wi-Fi when there is no cellular connection, which allows more people to receive a message in a timely manner.

Decreased fraud and better security

WhatsApp is a modern, IP-based network that isn’t exposed to fraud that exploits the SMS telecom network like SMS pumping fraud. We saw this first hand with Authy where the SMS conversion rate experienced a big drop in a country due to fraud, but the WhatsApp conversion rate didn’t change.

WhatsApp also provides end-to-end encryption. This means users can't have their OTPs stolen through man-in-the-middle attacks (like SS7 attacks). Carriers can read an SMS message as it moves through their systems, while not even WhatsApp can read its messages.

WhatsApp also provides robust user verification at sign up, which provides additional assurance and fraud prevention. Using a comprehensive set of potential fraud signals like IP address and account age, WhatsApp automatically detects 75% of the 2 million accounts it bans each month. This makes it harder for users to bypass phone verification with burner phones, among other things.
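The per-country divergence described above (SMS conversion dropping while WhatsApp conversion holds steady) can be monitored directly. The following is an added example, not code from the original post or from Twilio; the record layout, the country codes `AA`/`BB`, the sample numbers and both thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample records: (period, country, channel, otps_sent, otps_verified).
# Values are illustrative only, not Authy data.
SAMPLE = [
    ("baseline", "AA", "sms", 1000, 720),
    ("baseline", "AA", "whatsapp", 400, 300),
    ("current", "AA", "sms", 5000, 900),      # volume spike, few codes entered
    ("current", "AA", "whatsapp", 420, 311),
    ("baseline", "BB", "sms", 800, 600),
    ("baseline", "BB", "whatsapp", 300, 231),
    ("current", "BB", "sms", 820, 607),
    ("current", "BB", "whatsapp", 310, 236),
]

def conversion_rates(records):
    """Return {(period, country, channel): verified / sent}."""
    sent, ok = defaultdict(int), defaultdict(int)
    for period, country, channel, n_sent, n_ok in records:
        key = (period, country, channel)
        sent[key] += n_sent
        ok[key] += n_ok
    return {k: ok[k] / sent[k] for k in sent if sent[k] > 0}

def flag_sms_anomalies(records, sms_drop=0.20, wa_tolerance=0.05):
    """Flag countries where SMS conversion fell by more than `sms_drop`
    (absolute) versus baseline while WhatsApp stayed within `wa_tolerance`.
    Both thresholds are assumptions chosen for this example."""
    rates = conversion_rates(records)
    flagged = []
    for country in sorted({c for (_, c, _) in rates}):
        try:
            sms_delta = (rates[("current", country, "sms")]
                         - rates[("baseline", country, "sms")])
            wa_delta = (rates[("current", country, "whatsapp")]
                        - rates[("baseline", country, "whatsapp")])
        except KeyError:
            continue  # need both channels in both periods to compare
        if sms_delta < -sms_drop and abs(wa_delta) <= wa_tolerance:
            flagged.append((country, round(sms_delta, 3), round(wa_delta, 3)))
    return flagged

if __name__ == "__main__":
    for country, sms_delta, wa_delta in flag_sms_anomalies(SAMPLE):
        print(f"{country}: SMS {sms_delta:+.1%}, WhatsApp {wa_delta:+.1%}")
```

A flagged country is a prompt to review SMS traffic for that destination, for example by rate limiting or pausing SMS sends there while WhatsApp verification continues.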

Known limitations of WhatsApp verification

Not every user has a WhatsApp account. While you can detect whether the WhatsApp application is installed on mobile (see above), WhatsApp does not have an API to determine if an account exists prior to sending a message. Fortunately, WhatsApp does not charge for failed message attempts to accounts that don't exist, while SMS does charge carrier fees for undelivered messages.

Pricing also varies by country for both SMS and WhatsApp: we saved money by adding WhatsApp in certain countries like Israel and decided the user experience win was worth it for the countries where SMS is cheaper like the US. Even when WhatsApp is more expensive, using it as a backup option to guarantee OTP delivery can ultimately save you money and delight your users.

Add WhatsApp to your verification workflow

Luckily, you can send both SMS and WhatsApp OTPs seamlessly with Twilio's Verify API and a few lines of code. You don't even need an approved WhatsApp Business Account to get started; that's included behind the scenes with the Verify API.

Here is an example verification with the Twilio CLI (more examples in additional languages in the documentation):

twilio api:verify:v2:services:verifications:create \
  --service-sid VAXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX \
  --to +15017122661 \
  --channel whatsapp

Collect the verification code from the user and check the verification (channel agnostic) with one more API call.

Quickly deploy this sample project on Twilio's Code Exchange to play around with one-time passcode verification with SMS or WhatsApp.

Conclusions

We saw overall improvement from adding WhatsApp, which worked because of:

  1. Strong WhatsApp usage as a communication method in certain markets
  2. Wi-Fi fallback in areas with poor cellular connectivity
  3. General user preference

There were some markets where we didn't see improvements, which is why we ultimately recommend having an intelligent, multi-channel fallback system customized to each user.

Offering multiple channels is good, but smartly picking the right channel for each user is even better. Stay tuned for more on this front from the Twilio Verify team (or get in touch for more information) and we can't wait to see what you build and secure.
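One way to sketch the per-user channel selection and fallback recommended above, as an added example that is not code from the original post or from Twilio. The signals, their weights and the `send` callable (a hypothetical wrapper around your OTP provider that returns True when a message is accepted for delivery) are assumptions.

```python
SUPPORTED = ("whatsapp", "sms")

def order_channels(whatsapp_installed, last_verified_channel=None,
                   whatsapp_preferred_region=False):
    """Rank channels for one user. Signals and weights are assumptions."""
    score = {"whatsapp": 0, "sms": 1}    # SMS is the default first choice
    if whatsapp_installed:               # on-device check, as in the Android snippet
        score["whatsapp"] += 2
    if whatsapp_preferred_region:        # markets where WhatsApp adoption is strong
        score["whatsapp"] += 1
    if last_verified_channel in score:   # what worked for this user before
        score[last_verified_channel] += 2
    return sorted(SUPPORTED, key=lambda ch: -score[ch])

def send_with_fallback(to, channels, send):
    """Try each channel in order; return (channel_used, attempts).

    There is no pre-send check for a WhatsApp account, so a failed
    attempt is the signal to fall through to the next channel."""
    attempts = []
    for channel in channels:
        try:
            delivered = bool(send(to, channel))
        except Exception:                # provider or network error counts as a miss
            delivered = False
        attempts.append((channel, delivered))
        if delivered:
            return channel, attempts
    return None, attempts

def fake_send(to, channel):
    """Constructed stand-in for a provider call: this number has no WhatsApp account."""
    return channel == "sms"

if __name__ == "__main__":
    order = order_channels(whatsapp_installed=True)
    print(send_with_fallback("+15017122661", order, fake_send))
```

Recording the `attempts` list per user gives you the data to refine the ordering over time and to compute per-channel conversion rates.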