Passwords get stolen every day. In 2018, hackers swiped 2.5 billion accounts—that amounts to around 6.85 million stolen passwords per day and 158 per second.
Now don't panic. That's why we have SMS verification.
See, while passwords are relatively easy to steal, phones aren’t. Consumers lose around 70 million smartphones every year, and only 7% recover them.
While that number might sound alarming (because it is), it's significantly less than 2.5 billion. With SMS verification enabled, a hacker would need your username, password, and access to your phone (and they might even need a password to unlock your phone).
That's a lot of obstacles to access your sensitive online data.
So back to SMS verification. What is it, how does it work, and how can you offer it to your customers?
Great questions. We have answers down below.
What is SMS verification?
SMS verification lets websites, apps, banks, and social networks double-check the identity of a user.
After entering your username and password, companies will send an SMS verification code to your smartphone. Use that code to complete your login—this process is SMS verification.
SMS verification goes by other names, too. You might hear it referred to as SMS authentication, SMS-based two-factor authentication (2FA), or SMS one-time password (OTP).
Still, SMS verification isn't perfect. There are security risks (which we'll get into later) and costs to consider, but it's hard to beat its ease and convenience. Consumers have gotten used to this form of verification over the years because it doesn't require downloading any additional apps or services.
How does SMS verification work?
SMS verification is simple. Here's what the process looks like:
- Provide your phone number to a business during the sign-up process.
- Enter your username and password on the business' website or app, and it sends you a one-time SMS authentication code.
- Type that code into the app or website to complete the login process.
It's that simple.
Pros of SMS authentication
SMS authentication might not be the most secure verification method out there, but it has its advantages:
- Secure: While SMS authentication isn't as secure as other modern-day alternatives, such as time-based one-time passwords (TOTP), it’s still more secure than a password alone.
- Easy: People have been using SMS authentication for quite some time now, and they're used to typing these short codes into their devices. It's quick and easy.
- Inexpensive: SMS two-factor authentication costs little to nothing. And since most consumers already have a mobile device, it requires no additional hardware or software.
Cons of SMS authentication
While SMS authentication might be secure, easy, and inexpensive, it has its downsides:
- Vulnerabilities: SIM swapping (fraud) and hacking can compromise an account.
- Lost devices: People lose their devices all the time, which could keep them locked out and/or compromise their security.
- Synced devices: Since many people receive their text messages on multiple devices (e.g., laptop, computer, mobile device, watch, etc.), it makes it easier for bad actors to intercept their SMS messages.
How to choose an SMS verification service
With so many SMS verification services to choose from, how do you find the right one for your business to authenticate users? Here are a few things to look for:
- Fast, reliable delivery: One-time passcodes are often time bound, meaning users need to enter the code soon before it expires. If you're sending thousands of SMS 2FA messages to customers, you need a verification service to support that scale without sacrificing speed.
- Security: Messages need to be transmitted securely to the users. If not, attackers can intercept unprotected messages and use the code to gain access to your users’ accounts. Work with a verification service that's SOC 2 compliant (the gold standard for data security).
- Top-notch support: When something goes wrong, you need a service provider that can assist immediately.
- Alternate channels: Your users might not want to use their phone for verification purposes—and that's just fine. Use a provider with other 2FA options, such as email, push, or time-based one-time passwords (TOTP).
Secure SMS two-factor authentication with Twilio Verify
Want an SMS verification service that checks all the boxes? Try secure 2FA with Twilio Verify.
Yes, we know we're a bit biased, but hear us out.
Verify lets you validate your users with SMS, voice, email, push, and TOTP with a single application programming interface (API). You can also use carrier-approved, templated messages to ensure your passcodes don't get tied up in the message filters.
Plus, you can send messages globally without any hiccups, thanks to Twilio's automatic translation and global regulations compliance.
Even better, you can integrate the Verify API into your sign-up flow to capture (and confirm) phone numbers during the onboarding process. This makes security a priority from the get-go rather than an afterthought.
Want to learn more? Check out our Twilio Verify page for all the details.
How to get started with an SMS verification API
Ready to get started with an SMS verification API? Say no more. Check out our code samples and follow an easy 3-step process:
- Choose a language and view the code on GitHub or in a zip file:
- Use your API key:
- If you don’t have an API key, we can get you one for free.
- Set up the code sample locally:
- Follow these setup instructions.
Frequently asked SMS verification questions
SMS verification is relatively straightforward, but that doesn't mean you won't have questions. We did our best to think of what's on your mind and provide answers up front.
1. Is SMS secure?
SMS verification is more secure than passwords alone, but it has its vulnerabilities. For example, hackers can steal mobile phones to access an account. They can also transfer your number to a new phone if they get access to your personal information (like a Social Security number) and use that new device to trigger an SMS verification code.
If you want high-level security, we recommend using a solution like Verify. Verify lets you use other less-vulnerable verification methods, such as TOTP.
2. What do I do if I haven’t received my SMS verification code?
First, make sure that you have a strong cell phone signal—that's the most common culprit. Next, confirm the website or app has your correct phone number—those sneaky typos can cause big headaches. Lastly, ensure your mobile provider isn't blocking messages from certain senders or number types.
If those recommendations don't work, we suggest using an alternate verification channel, such as voice, email, or TOTP.
3. How do you bypass SMS verification?
Do you want to access a website or app but don't want to share your personal phone number? Set up a temporary phone number with Twilio—it only takes about 3 minutes.