Verification Channels

Choosing the right channels for your application can help increase 2FA adoption and keep your customers secure. Twilio's Verify API supports several independent channels for verification and authentication:

  1. SMS
  2. WhatsApp*
  3. Voice
  4. Email
  5. Push
  6. Time-based one-time passwords (TOTP)

Each channel has various pros and cons, covered below. Many companies offer an assortment of channels to their customers so that customers can choose their preferred channel.

SMS

SMS is the most popular channel for two-factor authentication (2FA). That's because most people can receive text messages and onboarding is seamless. Plus, SMS 2FA works: Google found that SMS 2FA helped block "100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks."

SMS has documented security weaknesses, which means it might not be the best choice for high-profile end users like elected officials or celebrities. This is why we recommend offering a spectrum of 2FA options. Because SMS relies on telephony, deliverability and per-verification cost depend on the underlying messaging infrastructure in the countries where your business operates. In some countries, like the US and UK, cost is low and deliverability is high, so this might not be a concern. Software-based solutions like TOTP and Push help mitigate this.

Get started with SMS.

WhatsApp*

The WhatsApp channel has many of the same usability benefits as SMS, with the added bonus of being the most popular messaging service in over 100 countries. Adding WhatsApp for one-time passcode (OTP) delivery can boost your overall verification conversion rate because it works with just a WiFi connection.

As a software channel, WhatsApp won't charge for undelivered messages and isn't exposed to fraud that exploits the telecom network. Unlike the WhatsApp Business API you might use for customer support, Verify WhatsApp lets you start sending unthrottled OTPs right away.

*WhatsApp is currently in Pilot. Learn more about how to get started with WhatsApp.

Voice

Voice is Twilio's primary backup to SMS for non-smartphone authentication. While SMS delivery rates vary over the globe, Voice is prioritized on carrier networks and gives the greatest reliability. To ensure there is a live user at the other end of the call and not a voicemail that can be intercepted, the Verify API will challenge a user with a random keypad digit before reading them the token.

Voice supports localization for dozens of languages.

Get started with voice.

Email

One-time passcodes (OTP) sent to email can help protect your users if their password is brute-forced or phished. Like SMS, email doesn't require downloading another app, so onboarding will be quick and seamless.

The problem with email as a 2FA delivery channel is that the most common first factor, a password, can usually be reset via email. That means that an attacker only has to compromise one factor, your email inbox, to take over your account. This can happen if they know your email account password or if they have access to a live session (e.g. if you leave your email logged into a shared computer). Learn more about email 2FA tradeoffs.

Get started with email.

For additional setup instructions see twilio.com/docs/verify/email

Push

Push authentication is the best solution for balancing user convenience and security. Authentication can happen through a 'push notification' or message sent to a device, alerting the user that authentication is being requested for some login or action. This is the only authentication channel that allows users to explicitly deny an authentication request, which could help alert your business to fraudulent activity. Push is also one of the fastest authentication channels and offers increased security compared to SMS, preventing "100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks" in Google's research.

Push authentication uses public key cryptography, which means that each authentication request is tied to a device and the method is resistant to phishing. Authentication happens through a separate notification channel which opens the approval dialog, so there is no need for the user to manually open an app and scroll to find your site.

Push authentication is a great solution for companies that already have a lot of mobile app users, since you can embed the authentication workflow directly into your application. However, the method requires additional development work and requires that your users have downloaded the application.

Get started with Push.

TOTP

Time-based one-time passcode (TOTP) is an excellent choice for users who can download an application for their mobile device or computer. Unique numeric passwords are generated with an algorithm that uses the current time as an input. This method relies on symmetric key cryptography and tokens automatically expire, offering increased security. As long as a device's time is synced, the codes will even work offline. Twilio's Authy app automatically counters clock drift and network time synchronization errors by opportunistically refreshing the clock whenever it has network access.

This method does require that the end user install a special app like Authy or Google Authenticator, which some users may be unwilling to do. One study observed that TOTP setup was 2.5x slower than SMS for 2FA, which could discourage some users from enabling the second factor.

Even so, TOTP scored the highest usability rating among second factors. Overall, TOTP is a solid option, and we see a lot of security-conscious companies adding TOTP as a 2FA option.

Get started with TOTP.

Questions?

Not sure which channel is right for you? Get in touch and we can help you decide.
