Choosing the right authentication channels for your application can help increase 2FA adoption and keep your customers secure. Twilio's Verify API supports several independent channels for authentication:
- SMS
- Voice
- Email
- Push authentication
- Time-based one-time passwords (TOTP)
Each channel has various pros and cons, covered below. Many companies offer an assortment of channels to their customers so that customers can choose their preferred channel.
SMS is the most popular channel for two-factor authentication (2FA). That's because most people can receive text messages and onboarding is seamless. Plus, SMS 2FA works: Google found that SMS 2FA helped block "100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks."
SMS has documented security weaknesses, which means it might not be the best choice for high-profile end users like elected officials or celebrities. This is why we recommend offering a spectrum of 2FA options. Because SMS relies on telephony, deliverability and per-verification cost are dependent on the underlying messaging infrastructure in the various countries where your business operates. In some countries, like the US and UK, cost is low and deliverability is high, so this might not be a concern. Software-based solutions like TOTP and Push help mitigate this.
Voice is Twilio's primary backup to SMS for non-smartphone authentication. While SMS delivery rates vary over the globe, Voice is prioritized on carrier networks and gives the greatest reliability. To ensure there is a live user at the other end of the call and not a voicemail that can be intercepted, the Verify API will challenge a user with a random keypad digit before reading them the token.
Voice supports localization for dozens of languages.
One-time passcodes (OTP) sent to email can help protect your users if their password is brute-forced or phished. Like SMS, email doesn't require downloading another app, so onboarding will be quick and seamless.
The problem with email as a 2FA delivery channel is that the most common first factor, a password, can usually be reset via an email. That means that an attacker only has to compromise one factor, your email inbox, to take over your account. This can happen if they know your email account password or if they have access to a live session (e.g. if you leave your email logged into a shared computer). Learn more about email 2FA tradeoffs.
Push authentication is the best solution for balancing user convenience and security. Authentication can happen through a 'push notification' or message sent to a device, alerting the user that authentication is being requested for some login or action. This is the only authentication channel that allows users to explicitly deny an authentication request, which could help alert your business to fraudulent activity. Push is also one of the fastest authentication channels and offers increased security compared to SMS, preventing "100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks" in Google's research.
Push authentication uses public key cryptography, which means that each authentication request is tied to a device and the method is resistant to phishing. Authentication happens through a separate notification channel which opens the approval dialog so there is no need for the user to manually open an app and scroll to find your site.
Push authentication is a great solution for companies that already have a lot of mobile app users since you can embed the authentication workflow directly into your application. However the method does require additional development work and requires that your users have downloaded the application.
Time-based one-time passcode (TOTP) is an excellent choice for users who can download an application for their mobile device or computer. Unique numeric passwords are generated with an algorithm that uses the current time as an input. This method relies on symmetric key cryptography, and tokens automatically expire, offering increased security. As long as a device's time is synced, the codes will even work offline. Twilio's Authy app automatically counters clock drift and network time synchronization errors by opportunistically refreshing the clock whenever it has network access.
This method does require that the end user install a special app like Authy or Google Authenticator, which some users may be unwilling to do. One study observed that TOTP setup was 2.5x slower than SMS for 2FA, which could discourage some users from enabling the second factor.
Even so, TOTP scored the highest usability rating among second factors. Overall TOTP is a solid option and we see a lot of security conscious companies adding TOTP as a 2FA option.
Not sure which channel is right for you? Get in touch and we can help you decide.