We're excited to announce that we have expanded our Verify solution to include a Push channel. Built using trusted Public Key Cryptography, Verify Push enables customers to validate users during sign up, login, and transactions without the risks, hassles or costs of One-Time Passcodes (OTPs). This end-to-end API service allows customers to add a low-friction, secure, cost-effective, “push verification” factor into their application flows.
Companies use a One-Time Passcode (OTP) sent via SMS or Voice to confirm possession of a phone. With the widespread prevalence of mobile phones capable of receiving an SMS or voice call, companies have for many years used these channels as primary options for a second factor in verifying user identity. Email is another great option for verifying users. With almost universal reach, it can supplement SMS and Voice as a verification channel.
Since its inception in 2015, Twilio Verify has been working with companies like Twitch, Shopify, and Stripe to fight signup abuse, account takeovers, and payments fraud with a fully-managed API solution for verifying users across multiple channels like SMS, Voice, and Email. Customers can add a second factor into their applications to authenticate a log-in, account access, or transaction.
These channels have their limitations, however. Telco costs can be prohibitively high in some regions, while also being unpredictable. Depending on the geo-location of the end user, a customer’s cost to send an OTP can easily vary by orders of magnitude.
From a security perspective, SMS and Voice are vulnerable to SIM-swapping and OTP phishing. It’s becoming clear that SMS was not designed to transport data securely. In fact, as the European Economic Zone ramps up for the open banking framework PSD2, some member states have already deemed SMS non-compliant for Strong Customer Authentication.
There is also the concern around user experience. Did the user receive the OTP? It is not uncommon for an OTP to be delayed or never delivered at all, prompting a frustrated user to request multiple codes while the customer racks up Telco costs. With SMS and Voice, you have low visibility into the journey of OTP traffic, which can lead to higher costs for you and poor UX for your users.
Email, on the other hand, doesn’t carry high costs, and it also provides much better visibility. You know when the user has received, and even read, the message. But on its own, an email address provides little assurance that the verification request is in fact going to the intended recipient.
While SMS, Voice, and Email OTPs are easy to deploy because everyone has a phone and/or an email address, these are not truly secure ways to access accounts.
Many Twilio customers have asked for a global verification solution that is secure, private, seamless, flexible, data-rich, and lower cost than SMS OTP. At the same time, they also want the flexibility and control to easily integrate into their existing application flows.
Verify Push enables you to verify users by adding a low-friction, secure, cost-effective second factor into your applications. This fully managed API service allows you to verify users in-app, actively or silently, via Push, eliminating the security risks, UX hassles, and Telco costs of One-Time Passcodes (OTPs).
You've probably experienced Push verification when using your Facebook or Google apps. Verify Push works in conjunction with your existing authentication implementation to allow you to add the same kind of functionality into your own application flows.
- Turnkey and Ready to Deploy
Built on Public Key Cryptography, Verify Push allows you to use a trusted standard without having to manage digital keys, secure digital identities, perform compliance audits, or ensure encryption. We build, secure and maintain all back-end services, including creation, protection, and onboarding, user/device lifecycle support, and rate limiting, so you don’t have to.
- Reduced Friction for Better UX
Verify Push makes secure logins simple for users. When accessing an app on their computer, they can authenticate themselves with one touch by simply approving or denying a push request that shows up on their phone. No codes to remember or manually enter.
When logging into an app on their phone, the authentication happens behind the scenes, so that the users have a completely silent, frictionless 2FA experience.
- Increased Security
Because Push verifications are fully encrypted and use a secure data channel, there are no codes to steal, and no risk of man-in-the-middle attacks. In fact, since Push provides contextual information, such as the method used to unlock the app, it is among the authentication factors with the highest level of assurance.
- Visibility and Control
Not only is Push faster and more reliable than SMS, it also provides detailed information, such as request status, device model, device name, and other valuable data around each verification. Even a denied verification request can offer valuable insight to feed into your risk models.
Since the authentication happens over a secure channel, and the UX for the end user is completely in the hands of the customer, Verify Push can be used to comply with Strong Customer Authentication requirements.
Crucially, Verify Push can provide these benefits without requiring end users to provide personally identifiable information (PII) to a third party.
- Predictable Costs
Because Verify Push is a software-based solution, it avoids the uncertainty around global telco costs and provides a cost model that is scalable and predictable.
User Verification Beyond SMS
The pandemic has accelerated the shift from physical to digital, sharply increasing the scale and frequency of digital interactions. Organizations have to balance fighting fraud and protecting users with providing a seamless UX and managing costs. Verify Push provides this balance, offering the most secure authentication method that fits easily into companies’ existing application flows. Future-proof your application’s security with Twilio Verify.