We're excited to announce that we have expanded the Verify API solution to include Time-based One-time Passcodes (TOTP) – now in Public Beta. This end-to-end API service allows companies to add a secure and cost-effective second factor into their application flows. TOTP is also known as app based authentication, software tokens, or soft tokens.
Soft tokens work by having a user store a secret key in an authenticator app, which is then used to generate expiring codes that use the secret key and current system time as inputs.
TOTP is a common form of two-factor authentication (2FA). The time-based passcodes are available offline and provide user friendly account security when used as a second factor. This means that Verify TOTP does not rely on cellular data or WiFi for code delivery, and end-users can verify anywhere, anytime.
Verify TOTP allows user verification via third-party authentication applications, eliminating telecom costs of One-Time Passcodes (OTPs). Because Verify TOTP is a software based solution, it avoids the uncertainty around global telecom costs, and provides a cost model that is scalable and predictable. Authentication apps like Authy and Google Authenticator support the TOTP standard.
Beyond SMS One-Time-Passcodes
Traditionally, SMS has been the primary method to send OTPs to ensure a user is who they say they are. However, while SMS may be a familiar and ubiquitous channel for two-factor authentication, it has its limitations.
How do you know if the user received the OTP? An SMS OTP can get delayed or never delivered at all, prompting a frustrated user to request multiple codes, resulting in businesses incurring increased telecom costs. SMS is also vulnerable to SIM-swapping and phishing attacks, and has low visibility into the journey of OTP traffic, which can lead to higher support costs and poor UX for users.
Since its inception in 2015, Twilio Verify has been working with companies like Twitch, Deliveroo, and Stripe to fight signup abuse, account takeovers, and payments fraud with a fully-managed, multichannel API for verifying users across SMS, Voice, Email, Push authentication, and now TOTP. Customers can add a second factor into their applications to authenticate a log-in, account access, or transaction.
Start building secure and trusted interactions
The accelerated shift from physical to digital has dramatically increased the scale and frequency of digital engagements. Businesses must find ways to end the trade off between fighting fraud, and protecting users, while providing a seamless UX, and managing costs. Twilio Verify empowers you to offer the most secure authentication method that easily fits into your existing application flows. Future-proof your application’s security with Twilio Verify.
We can’t wait to see what you build!