One-time passwords (OTPs) delivered as text messages are the simplest way to add a second factor to your authentication flow.
Use SMS only as a second-factor authentication method. Never use SMS for sensitive transactions.
Use SMS OTPs if you
Compared to traditional username and password login scenarios, adding a second factor is a big step up in terms of security. Although SMS OTPs cannot match the convenience or the security of more sophisticated methods, they have the advantage of relying on nothing but cell service on the user device.
We recommend SMS OTPs as an authentication method only if the following are true for your business:
- You do not want your users to install yet another app.
- You do not want to rely on any user device capabilities.
- You do not want to invest in major technical development.
As SMS OTP is more susceptible to bot attacks, use it only with solid protection, such as CAPTCHA.
Why use SMS OTP
SMS OTPs continue to function when mobile devices have no Internet access and when all of their biometric and push service capabilities are disabled. There is also no need to download or install any additional applications; both the registration and transaction approval flows are purely text-message based.
SMS OTP Considerations
SMS OTPs are more vulnerable to attacks than modern authentication methods. Therefore, we recommend implementing one or more of the following methods instead:
Registration and authentication flow
To get started, you need the following information available:
- Instance ID, see Endpoint
- Access Key, see Authentication
To implement and use SMS OTPs, see the instructions on the following pages: