Passwords get stolen every day. Last year, hackers swiped over 2 billion accounts—that amounts to around 6.85 million stolen passwords per day and 158 per second.
But don't panic. That's why we verify with SMS. For those who don’t know, SMS just means texting. That’s right: you secure accounts instantly on your mobile phone through text message verification.
It’s simple: while passwords are relatively easy to steal, phones aren’t. That’s not to say no one ever loses their phone. Consumers lose around 70 million smartphones every year, and only 7% ever recover them. And while that number might sound alarming—and it is—it's significantly less than 2 billion.
With mobile SMS verification enabled, a hacker would need your username, password, and access to your phone (and they might even need a password to unlock your phone) to compromise your account. Simply having access to your password doesn’t allow them to verify with SMS.
That's a lot of protection for your data—and with everything you keep online, security is essential.
So back to SMS text verification. What is it, how does it work, and how can you offer it to your customers?
All great questions. Here are the answers.
What is SMS verification?
SMS text verification lets websites, apps, banks, and social networks double-check the identity of a user.
After entering your username and password, companies will send an SMS verification number to your smartphone. Use that number to complete your login. That’s SMS verification.
SMS verification goes by other names, too. You might hear it referred to as SMS authentication, SMS-based two-factor authentication (2FA), or SMS one-time password (OTP).
Still, mobile SMS verification isn't perfect. There are, admittedly, security risks (which we'll get into later) and costs to consider. But it's hard to beat for its ease and convenience. Plus, consumers have gotten used to this verification over the years, as it doesn't require any additional apps or services.
How does SMS verification work?
SMS text verification is simple. To sum it up in a few quick steps:
- Provide your phone number to a business during the sign-up process.
- Enter your username and password on the business' website or app to receive a one-time text verification number.
- Type that code into the app or website to complete the login process.
It's that easy. Give your phone number, get a text verification number, and sign on.
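The three steps above seen from the server's side, as an added example that is not Twilio's code or part of the original page: it issues a random six-digit code, stores only a keyed hash of it, and accepts it once within a time limit and a bounded number of guesses. The `OtpStore` class, the `send_sms` callable, the 5-minute expiry, and the 3-attempt limit are all assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

CODE_TTL = 300      # assumed: a code expires 5 minutes after it is sent
MAX_ATTEMPTS = 3    # assumed: guesses allowed per issued code

class OtpStore:
    """In-memory store of pending codes, keyed by user id (illustrative)."""
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms            # hypothetical callable(phone, text)
        self._now = now
        self._key = secrets.token_bytes(32)  # per-process key for hashing codes
        self._pending = {}

    def _digest(self, user, code):
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def start(self, user, phone):
        """Step 2: the password check passed, so issue and text a fresh code."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        self._pending[user] = {"digest": self._digest(user, code),
                               "expires": self._now() + CODE_TTL, "attempts": 0}
        self._send_sms(phone, f"Your verification code is {code}")

    def check(self, user, submitted):
        """Step 3: returns 'ok', 'wrong', 'locked', or 'expired' (also: no pending code)."""
        entry = self._pending.get(user)
        if entry is None or self._now() > entry["expires"]:
            self._pending.pop(user, None)
            return "expired"
        if entry["attempts"] >= MAX_ATTEMPTS:
            return "locked"                  # stops brute-forcing the 10^6 code space
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(user, submitted)):
            del self._pending[user]          # single use: the code cannot be replayed
            return "ok"
        return "wrong"

def demo():
    outbox, clock = [], [1000.0]             # constructed SMS outbox and fake clock
    store = OtpStore(lambda phone, text: outbox.append((phone, text)), now=lambda: clock[0])
    store.start("alice", "+15555550100")     # constructed phone number
    code = outbox[-1][1].rsplit(" ", 1)[1]
    wrong = "000000" if code != "000000" else "111111"
    results = [store.check("alice", wrong), store.check("alice", code), store.check("alice", code)]
    store.start("alice", "+15555550100")
    clock[0] += CODE_TTL + 1                 # let the second code time out
    results.append(store.check("alice", outbox[-1][1].rsplit(" ", 1)[1]))
    return results

if __name__ == "__main__":
    print(demo())
```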
Pros of SMS authentication
SMS authentication might not be perfectly secure, but it has its advantages:
- Security: While mobile SMS verification isn't as secure as other modern-day alternatives, such as time-based one-time passwords (TOTP), it’s still more secure than a password alone.
- Ease: People have used SMS authentication for quite some time now and are used to typing these short codes into their devices. It's quick and easy.
- Affordability: SMS 2FA costs little to nothing. And since most consumers already have a mobile device, it requires no additional hardware or software.
Cons of SMS authentication
While SMS authentication might be secure, easy, and inexpensive, there are a few potential downsides:
- Vulnerabilities: SIM swapping (fraud) and hacking can compromise an account (fortunately, our Lookup SIM Swap can save the day).
- Lost devices: People lose their devices all the time—see above—which could keep them locked out and/or compromise their security.
- Synced devices: Many people receive their text messages on multiple devices (e.g., laptop, computer, mobile device, or watch). This variance makes it easier for bad actors to intercept a customer’s SMS verification number.
How to choose an SMS verification service
With so many SMS text verification services, how do you find the right one for your business to authenticate users? Here are a few things to look for:
- Fast, reliable delivery: One-time passcodes are often time-sensitive, meaning users may have only minutes to enter the code before it expires. If you send thousands of SMS 2FA messages to customers, you need a verification service that can scale without sacrificing speed.
- Security: Mobile SMS verification messages need to be secure. If not, attackers can intercept unprotected messages and use the code to gain access to your users’ accounts. Work with a verification service that's SOC 2 compliant (the gold standard for data security).
- Top-notch support: When something goes wrong, you need a service provider that can assist immediately.
- Alternate channels: Users might not want to use their phone for verification purposes—and that's just fine. Use a provider with other 2FA options, such as email, push, or TOTP.
Secure SMS two-factor authentication with Twilio Verify
Want an SMS verification service that checks all the boxes? Try secure 2FA with Twilio Verify.
Yes, we know we're a bit biased, but hear us out.
Verify lets you validate your users with SMS, voice, email, push, and TOTP with a single application programming interface (API). You can also use carrier-approved, templated messages to ensure your SMS verification numbers don't get tied up in the message filters.
Plus, you can send messages globally without any hiccups, thanks to Twilio's automatic translation and global regulations compliance.
What’s more, you can integrate the Verify API into your sign-up flow to capture (and confirm) phone numbers during the onboarding process. This makes security a priority from the get-go rather than an afterthought, and it makes SMS text verification a lot simpler.
Want to learn more? Check out our Twilio Verify page for all the details.
How to get started with an SMS verification API
Ready to get started with an SMS text verification API? Say no more. Check out our code samples and follow an easy 3-step process:
- Choose a language and view the code on GitHub or in a zip file:
- Use your API key. If you don’t have an API key, get one for free here.
- Set up the code sample locally, following these setup instructions.
Frequently asked SMS verification questions
SMS verification is relatively straightforward, but that doesn't mean you won't have questions. Here’s what customers most often ask when first presented with SMS text verification.
1. Is SMS secure?
SMS verification is more secure than passwords alone, although it has its vulnerabilities. Hackers need physical access to your phone to get into your account, but once they have your phone, it becomes that much easier.
Hackers can also transfer your number to a new phone if they get access to your personal information (like a Social Security number) and use that new device to trigger a text verification number.
If you want high-level security, we recommend using a solution like Verify. Verify lets you use other less-vulnerable verification methods, such as TOTP.
2. What do I do if I haven’t received my SMS verification code?
First, make sure that you have a strong cell phone signal—that's the most common culprit. Next, confirm the website or app has the right phone number—those sneaky typos can cause big headaches. Lastly, ensure your mobile provider isn't blocking messages from certain senders or number types.
If those recommendations don't work, you can use an alternate verification channel, such as voice, email, or TOTP.
3. How do you bypass SMS verification?
Do you want to access a website or app but don't want to share your personal phone number? Set up a temporary phone number with Twilio—it only takes about 3 minutes.
Find more SMS verification resources
Twilio offers many resources to improve your ability to verify with SMS, namely with the aptly-titled Twilio Verify. Verify provides a framework to verify users through multiple channels with a single API, making it easier to enhance security for your customers’ accounts at scale while saving time.
To learn more about how Twilio Verify can help make your customers’ accounts more secure, consult:
- Verify a User Via SMS With Express and Twilio Verify
- Send an SMS Verification Code in 5 Minutes
- App Verification With Twilio SMS
- Verification and two-factor authentication best practices
Want to learn more about what you can do with SMS? Check out our guide to SMS Marketing for Beginners.
When you’re ready to get started, contact our Twilio experts.