Best Practices for SMS and Voice-Based Two-Factor Authentication
2FA - 16 Nov 2020
Security best practices call for organizations to use two-factor authentication (2FA) before permitting authorized users to access their digital assets — but for 2FA to work securely, businesses need a reliable second channel. For many organizations, 2FA involves the use of one-time passwords (OTP) as a secondary verification method, on top of usernames and passwords. Often, businesses generate and get confirmation of OTPs through messages sent through voice and SMS channels. The theory is that having a separate, unconnected authentication channel makes it difficult for malicious actors to compromise secure systems.
It’s critical that all 2FA voice and SMS OTP messages get delivered quickly. A lot goes on behind the scenes to ensure that those messages arrive within the 10- to 15-second window that avoids disrupting the customer experience. For that to happen, a communications platform has to be able to identify invalid phone numbers, discover the fastest routes for optimal message delivery, and support high throughput for delivering high volumes of messages in a timely manner.
Let’s look at what that means for the components that make up the platform.
Phone number validation
Communications platforms need to look up and validate the phone numbers users provide for 2FA. They should offer an API that handles number validation and formatting, accesses carrier information, and retrieves the portability information associated with a phone number. The API should use multiple sources to return the most accurate response for a given lookup type: for number validation and formatting, for example, it can use international numbering plan data, and for carrier information it can use mobile number portability and numbering plan data from each country’s phone number regulator. The goal is to retrieve the most accurate and up-to-date data for each query.
Efficient, dynamic routing
Businesses can and should support multiple carriers for high availability. Having multiple carriers offers another benefit — it gives a communications platform routing options. The platform can offer dynamic routing to ensure that all messages are delivered over the best-performing carrier route to the destination mobile network. That’s especially critical with 2FA, because people expect to receive their authorization messages immediately, and any delay impedes their ability to accomplish their tasks. In an ideal world, the platform would be able to identify that, for example, carrier A has a conversion rate of 85% and carrier B 94%, and intelligently choose carrier B to ensure the lowest latency. How can a communications platform determine the most efficient carrier route?
One technique is to deploy global test nodes across all countries that have multiple carriers, using real phone numbers from carriers local to each region. The platform can then send messages to the test nodes and receive back results that confirm voice and SMS deliverability, report speed of deliverability, give confirmation of sender ID, and indicate correct message concatenation.
The platform should also use feedback from delivered messages. With this approach, developers can mark OTP messages as trackable. Then, when a user successfully authenticates their account using a verification code from the platform, data gets reported back. Especially in countries where carrier networks are generally unstable, this feedback can play an important role in choosing a carrier to ensure consistently high delivery rates for 2FA and OTP SMS messages.
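The routing idea described above, as an added example that is not Plivo's algorithm or API: test-node results and conversion feedback feed a smoothed per-route conversion rate, and the router picks the carrier with the highest score for the destination network. `FeedbackRouter`, the carrier and network names, the prior (0.5 with weight 20), and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class RouteStats:
    sent: int = 0       # trackable OTPs or test-node probes sent on this route
    converted: int = 0  # of those, how many were confirmed

    def score(self, prior_rate=0.5, prior_weight=20):
        # Smoothed conversion rate: routes with little data are pulled toward
        # prior_rate, so one lucky delivery cannot outrank a proven carrier.
        return (self.converted + prior_rate * prior_weight) / (self.sent + prior_weight)

class FeedbackRouter:  # hypothetical; stats keyed by (destination network, carrier)
    def __init__(self, carriers):
        self.carriers = list(carriers)
        self.stats = defaultdict(RouteStats)
        self.pending = {}  # message_id -> route awaiting conversion feedback

    def record_probe(self, network, carrier, delivered):
        s = self.stats[(network, carrier)]  # result reported by a test node
        s.sent += 1
        s.converted += int(delivered)

    def pick(self, network):
        return max(self.carriers, key=lambda c: self.stats[(network, c)].score())

    def send_otp(self, message_id, network):
        carrier = self.pick(network)
        self.stats[(network, carrier)].sent += 1
        self.pending[message_id] = (network, carrier)
        return carrier

    def report_conversion(self, message_id):
        # Unknown or repeated ids are ignored so feedback is never counted twice.
        route = self.pending.pop(message_id, None)
        if route is None:
            return False
        self.stats[route].converted += 1
        return True

def demo():
    r = FeedbackRouter(["carrier_a", "carrier_b", "carrier_c"])
    for i in range(100):  # constructed history: A converts 85%, B 94%
        r.record_probe("net-1", "carrier_a", i < 85)
        r.record_probe("net-1", "carrier_b", i < 94)
    r.record_probe("net-1", "carrier_c", True)  # single success, raw rate 100%
    chosen = r.send_otp("msg-1", "net-1")
    return chosen, r.report_conversion("msg-1"), r.report_conversion("msg-1")
```

With this history the router selects `carrier_b`: the smoothing keeps `carrier_c`, which has only one recorded success, from outranking a carrier with 100 samples.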
Messaging at scale
As an organization grows, it can find itself sending large volumes of messages — hundreds of thousands or more at a time. Its communication platform must be able to automate the complex logic of making text and call distribution effective and reliable at scale. Often the organization grows not just vertically but horizontally, expanding into new markets, which may be served by different telecom carriers. Each region has different regulations, each carrier has different capabilities, and these different constraints often factor into the type of phone number (long code, toll-free, short code) that businesses use to send SMS or voice messages.
To support enterprise messaging demands, a communications platform can use a pool of phone numbers from multiple carriers, and automatically route messages to recipients using the phone number that’s most convenient for them, ensuring a high deliverability rate. The pool should be able to support various phone number types in different regions or area codes, and the platform should be able to prioritize phone numbers that match subscribers’ regions and area codes, while also taking into consideration carrier restrictions, for more efficient communications.
Ensuring efficient, reliable message delivery
Plivo addresses all of these factors with a robust API platform and global carrier network. Specifically:
- Number validation — Plivo’s Lookup API provides real-time phone number validation to reduce fraud and improve conversion.
- Message routing — Plivo’s Conversion Feedback API sets up a customer feedback loop and brings message conversion data into the platform, while our global test nodes constantly test carrier networks and relay the results into our network automatically. Our dynamic routing algorithm uses this data to proactively route SMS and voice messages to the best carriers for optimal, timely delivery.
- High-volume messaging — Powerpack ensures reliable SMS and MMS distribution at scale.
A solid communications platform is key to implementing 2FA using voice and SMS channels. Plivo’s APIs work in tandem with carrier and network infrastructure to ensure reliable deliverability. See for yourself how well it works — sign up now for a free trial.