
SMS OTPs

One-time passwords (OTPs) delivered as text messages are the simplest way to add a second factor to your authentication flow.

info

Use SMS only as a second-factor authentication method. Never use SMS for sensitive transactions.

SMS OTPs overview

Compared to traditional username and password login scenarios, adding a second factor is a big step up in terms of security. Although SMS OTPs cannot match the convenience or the security of more sophisticated methods, they have the advantage of relying on nothing but cell service on the user's device.

We recommend SMS OTPs as an authentication method only if the following are true for your business:

  • You do not want your users to install yet another app.
  • You do not want to rely on any user device capabilities.
  • You do not want to invest in major technical development.

caution

As SMS OTPs are more susceptible to bot attacks, use them only with solid protection, such as a CAPTCHA.

Why use SMS OTP

SMS OTPs continue to function when mobile devices have no Internet access and when all of their biometric and push service capabilities are disabled. There is also no need to download or install any additional applications: both the registration and transaction approval flows are purely text message based.

SMS OTP Considerations

SMS OTPs are more vulnerable to attacks than modern authentication methods. Therefore, we recommend implementing one or more of the following methods instead:

Registration and authentication flow

To get started, you need the following information available:

  • Instance ID
  • Access Key

For more information on the instance ID and the Access Key, see the API documentation.

To implement and use SMS OTPs, see the instructions on the following pages:

  1. Register a phone number
  2. Authenticate with SMS

Customize your SMS configuration

For your Authentication Cloud instance you can request custom configurations for the SMS service to suit your business needs. The following settings can be customized:

| Customizable parameter                                      | Default value  |
|-------------------------------------------------------------|----------------|
| Displayed name of the SMS sender                            | N/A            |
| Maximum length of the SMS                                   | 160 characters |
| Number of digits of the verification code sent in the SMS   | 7 digits       |
| Number of seconds the SMS code is valid for                 | 60 seconds     |
| Maximum number of SMS sent per minute for a user            | 3              |
| Maximum number of SMS sent per day for a user               | 10             |
| Maximum number of SMS sent per minute for an instance       | 10             |
| Maximum number of SMS sent per day for an instance          | 30             |

Setting a maximum value for the number of SMS requests within a certain time frame is called SMS rate limiting. Using SMS rate limiting has the following benefits:

  • Protection against brute-force attacks
  • Protection against high system load and possible Denial of Service (DoS)
  • Cost control
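The following is an added example, not code from Authentication Cloud or its documentation, showing how the four rate limits and the code validity window from the table above fit together on the sending side. The class and function names, the sliding-window design, the constructed phone number and the fake clock are all assumptions made for this illustration; the only values taken from the page are the defaults (7 digits, 60 seconds, 3 and 10 per user, 10 and 30 per instance). All limits are checked before any counter is incremented, so a request refused by the instance limit does not consume the user's own quota.

```python
import hmac
import secrets
import time
from collections import defaultdict, deque

# Default values from the configuration table on this page; the names are ours.
CODE_DIGITS = 7
CODE_TTL_SECONDS = 60
LIMITS = {                       # name: (max sends, window in seconds)
    "user_per_minute": (3, 60),
    "user_per_day": (10, 86_400),
    "instance_per_minute": (10, 60),
    "instance_per_day": (30, 86_400),
}


class SlidingWindowCounter:
    """Counts events per key within a trailing time window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)   # key -> timestamps still inside the window

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def is_full(self, key, now):
        return len(self._prune(key, now)) >= self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


class SmsOtpService:
    """Issues and verifies SMS codes, enforcing all four limits before a send (hypothetical)."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.limiters = {name: SlidingWindowCounter(*cfg) for name, cfg in LIMITS.items()}
        self.pending = {}                  # phone -> (code, expires_at)

    def _scopes(self, phone):
        # User limits are keyed by phone number, instance limits by one shared key.
        return [(lim, phone if name.startswith("user") else "instance")
                for name, lim in self.limiters.items()]

    def request_code(self, phone):
        """Return the new code, or None when any limit would be exceeded."""
        now = self.clock()
        scopes = self._scopes(phone)
        if any(lim.is_full(key, now) for lim, key in scopes):
            return None                    # rate limited: nothing is sent or recorded
        for lim, key in scopes:
            lim.record(key, now)
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_DIGITS))
        self.pending[phone] = (code, now + CODE_TTL_SECONDS)
        return code                        # a real service hands this to the SMS gateway

    def verify(self, phone, submitted):
        """Accept a code once, only while it is still valid."""
        now = self.clock()
        entry = self.pending.pop(phone, None)   # consumed on first attempt, right or wrong
        if entry is None:
            return False
        code, expires_at = entry
        if now >= expires_at:
            return False
        return hmac.compare_digest(code.encode(), submitted.encode())


class FakeClock:
    """Controllable clock so the limits can be exercised without waiting."""

    def __init__(self, start=1_700_000_000.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    clock = FakeClock()
    svc = SmsOtpService(clock)
    phone = "+41790000000"                 # constructed sample number
    sent = [svc.request_code(phone) for _ in range(4)]
    print("sends allowed in one minute:", sum(c is not None for c in sent))   # 3
    clock.advance(CODE_TTL_SECONDS)
    print("expired code accepted:", svc.verify(phone, sent[2]))               # False
    fresh = svc.request_code(phone)
    print("correct fresh code accepted:", svc.verify(phone, fresh))           # True
```

Because a pending code is consumed by the first verification attempt, a wrong guess forces a new SMS, which is itself subject to the same limits; the per-user send limit therefore also caps how many guesses an attacker gets at a 7-digit code. In production the counters would live in shared storage rather than in process memory, and the comparison uses `hmac.compare_digest` so that the check does not leak timing information.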