Skip to main content


One-time passwords (OTPs) delivered as text messages are the simplest way to add a second factor to your authentication flow.


Use SMS only for second-factor authentication method. Never use SMS for sensitive transactions.

SMS OTPs overview

Compared to traditional username and password login scenarios, adding a second factor is a big step up in terms of security. Although SMS OTP cannot match the convenience or the security of more sophisticated methods, they have the advantage of relying on nothing but cell service on the user device.

We recommend SMS OTPs as an authentication method only if the following are true for your business:

  • You do not want your users to install yet another app.
  • You do not want to rely on any user device capabilities.
  • You do not want to invest in major technical development.

As SMS OTP is more susceptible to bot attack, use it only with solid protection, such as CAPTCHA.

Why use SMS OTP

SMS OTPs continue to function when mobile devices have no Internet access and when all of their biometric and push service capabilities are disabled. There is also no need to download or install any additional applications, both the registration and transaction approval flows are purely text message based.

SMS OTP Considerations

SMS OTPs are more vulnerable to attacks than modern authentication methods. Therefore, we recommend implementing one or more of the following methods instead:

Registration and authentication flow

To get started, you need the following information available:

  • Instance ID
  • Access Key

For more information on the instance ID and the Access Key, see the API documentation.

To implement and use SMS OTPs, see the instructions on the following pages:

  1. Register a phone number
  2. Authenticate with SMS

Customize your SMS configuration

For your Authentication Cloud instance you can request custom configurations for the the SMS service to suit your business needs. The following settings can be customized:

Customizable parameterDefault value
Displayed name of the SMS senderN/A
Maximum length of the SMS160 characters
Number of digits of the verification code sent in the SMS7 digits
Number of seconds the SMS code is valid for60 seconds
Maximum number of SMS sent per minute for a user3
Maximum number of SMS sent per day for a user10
Maximum number of SMS sent per minute for an instance10
Maximum number of SMS sent per day for an instance30

Setting a maximum value for the number of SMS requests within a certain time frame is called SMS rate limiting. Using SMS rate limiting has the following benefits:

  • Protection against brute-force attacks
  • Protection against high system load and possible Denial of Service (DoS)
  • Cost control