Although phone verification with our Verify API and two-factor authentication with the Authy API use similar delivery mechanisms, they are each best suited for fundamentally different tasks. This article breaks down the differences between the two account security services and sheds some light on the situations where you'd pick one over the other.
The fundamental litmus test for choosing between the two services is whether your relationship with a user will continue for a while.
- Verify (Phone Verification) is best used for proving the ownership of phone numbers for new accounts, short term events or transactions, such as user registration. It provides SMS and Voice channels for one-time passwords. Its primary use is for phone verification.
- Authy (Two-factor Authentication) is a more complete authentication API and is best for ongoing relationships with a customer, for example log-ins and step-up transactions. Authy provides SMS and Voice time-based one-time passwords (OTP) as well as soft token (TOTP) and push authentication channels. It also creates an
authyid, a specific identity in our API to keep track of how the user authenticates. Its primary use is two-factor authentication (2FA).
Phone verification is best employed when your customer relationship is ephemeral or temporary, such as user registration or some forms of one time device-present transactions.
With Twilio Verify, no user identity is created for the phone number you are verifying. While appearing similar to a One-Time Password from the Authy API, Verify is only confirming that the device is present when a user completes a verification.
Primarily, account verification works best to reduce fraud in user registration - it's a service to help you reduce security problems with your application. As you are checking that a registering user actually has a device present, you reduce registration spam to your web application. There is also an element of user protection; as you are checking a device is active and in possession, you avoid problems for future registered users with previously registered phone numbers.
Two-factor Authentication works best when you have - or plan to have - an ongoing relationship and authentication history with a customer. Commonly, this may be for user log-ins, step-up protection on high-value transactions, passwordless logins, or periodic user verification. 2FA also covers more edge cases without reducing trust through multiple device support and additional channels compared with phone verification.
When you first register a user with Authy, you are returned a user identity (
authyid) which you store in your application. Unlike the Verify API,
authyids are your ongoing touchpoint with users when you need to verify they still have their device in their possession. Having an unchanging ID means they can use the Authy app or Authenticator SDK for higher security 2FA channels, such as soft tokens and push authentications.
Of course, not all use cases will follow this same template. Always feel free to get in touch and discuss your unique application needs and where to best employ Verify and/or Authy.