Best Practices for SMS and Voice-based Two-Factor Authentication

Security best practices call for organizations to use two-factor authentication (2FA) before permitting authorized users to access their digital assets, but for 2FA to work securely, businesses need a reliable second channel. For many organizations, 2FA involves the use of one-time passwords (OTP) as a secondary verification method, on top of usernames and passwords. Often, businesses generate and get confirmation of OTPs through messages sent through voice and SMS channels. The theory is that having a separate, unconnected authentication channel makes it difficult for malicious actors to compromise secure systems.

It’s critical that every 2FA voice and SMS OTP message gets delivered quickly. But it’s more than just sending messages: a lot goes into 2FA behind the scenes to ensure that those messages arrive within the 10- to 15-second window that avoids disrupting the customer experience. For that to happen, the communications platform has to be able to identify invalid phone numbers, discover the fastest routes for optimal message delivery, and support high throughput for delivering high volumes of messages in a timely manner. Let’s look at what that means for the components that make up the platform.

Phone Number Validation 

Communications platforms need to look up and validate the phone numbers users provide for 2FA. They should offer an API that handles number validation and formatting, accesses carrier information, and retrieves the portability information associated with a phone number. The API should use multiple sources to return the most accurate response for a given lookup type: for number validation and formatting, for example, it can use international numbering plan data, and for carrier information it can use mobile number portability and numbering plan data from each country’s phone number regulator. The goal is to retrieve the most accurate and up-to-date data for each query.

Efficient, Dynamic Routing 

Businesses can and should support multiple carriers for high availability. Having multiple carriers offers another benefit — it gives a communications platform routing options. The platform can then offer dynamic routing capabilities to ensure that all messages are delivered over the best-performing carrier route to the destination mobile network. That’s especially critical with 2FA, because people expect to receive their authorization messages immediately, and any delay impedes their ability to accomplish their tasks. In an ideal world, the platform would be able to identify that, for example, carrier A has a conversion rate of 85% and carrier B 94%, and intelligently choose carrier B to ensure the lowest latency. How can a communications platform determine the most efficient carrier route?

One technique is to deploy handsets as global test nodes across all the countries with multiple carriers, using real phone numbers from carriers local to each region. The platform can then send messages to the test nodes and receive back results that confirm voice and SMS deliverability, report speed of deliverability, give confirmation of sender ID, and indicate correct message concatenation, as well as character set.

The platform can also get feedback from delivered messages. With this approach, developers can mark OTP messages as trackable. Then, when a user successfully authenticates their account using a verification code from the platform, the result gets reported back. Especially in countries where carrier networks are generally unstable, this feedback can play an important role in choosing a carrier to ensure consistently high delivery rates for 2FA and OTP SMS messages.
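One way to turn the conversion feedback described above into a routing decision, as an added example that is not Plivo's algorithm or code from this post. The carrier names, network names and counts are constructed, and ranking by the Wilson lower bound instead of the raw rate is an assumption made here so that a route with only a handful of tracked messages does not outrank a well-measured one.

```python
import math
from collections import defaultdict

# Constructed feedback: (destination_network, carrier, sent, converted).
# "converted" = the user completed verification with the delivered code.
SAMPLE_FEEDBACK = [
    ("net-1", "carrier-A", 1000, 850),
    ("net-1", "carrier-B", 1000, 940),
    ("net-2", "carrier-A", 400, 372),
    ("net-2", "carrier-B", 3, 3),  # perfect rate, but almost no evidence
]


def wilson_lower_bound(converted, sent, z=1.96):
    """Lower bound of the 95% Wilson interval for the conversion rate."""
    if sent == 0:
        return 0.0
    p = converted / sent
    denom = 1 + z * z / sent
    centre = p + z * z / (2 * sent)
    margin = z * math.sqrt(p * (1 - p) / sent + z * z / (4 * sent * sent))
    return (centre - margin) / denom


def build_stats(feedback):
    """Aggregate sent/converted counts per (network, carrier)."""
    stats = defaultdict(lambda: [0, 0])
    for network, carrier, sent, converted in feedback:
        stats[(network, carrier)][0] += sent
        stats[(network, carrier)][1] += converted
    return stats


def rank_routes(stats, network):
    """Return carriers for a network, best first, by Wilson lower bound."""
    scored = [
        (wilson_lower_bound(conv, sent), carrier)
        for (net, carrier), (sent, conv) in stats.items()
        if net == network
    ]
    return [carrier for _, carrier in sorted(scored, reverse=True)]


def choose_route(stats, network, unavailable=()):
    """Pick the best-ranked carrier that is not currently marked down."""
    for carrier in rank_routes(stats, network):
        if carrier not in unavailable:
            return carrier
    return None
```

With the sample data, `carrier-B` wins on `net-1` (94% against 85%), while on `net-2` the 3-for-3 route loses to the carrier with 372 conversions out of 400 because three messages are too little evidence.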

Messaging at Scale 

As an organization grows, it can find itself sending large volumes of messages, hundreds of thousands or more at a time. Its communications platform must be able to automate the complex logic of making SMS and call distribution effective and reliable at scale. Often the organization grows not just vertically but horizontally, expanding into new markets, which may be served by different telecom carriers. Each region has different regulations and each carrier has different capabilities, and these will often be dictated by the type of phone number you’re using to send the SMS or voice message (toll-free vs. short codes vs. long codes).

To support enterprise messaging demands, a communications platform can use a pool of phone numbers from multiple carriers, and automatically route messages to recipients using the phone number that’s most convenient for them, ensuring a high deliverability rate. The pool should be able to support various phone number types in different regions or area codes, and the platform should be able to prioritize phone numbers that match subscribers’ regions and area codes, while also taking into consideration carrier restrictions, for more efficient communications.

Ensuring Efficient, Reliable Message Delivery

Plivo addresses all of these factors with a robust API platform and global carrier network. Specifically: 

  • Number validation — Plivo’s Lookup API provides real-time phone number validation to reduce fraud and improve conversion.
  • Message routing — Plivo’s Conversion Feedback API enables a customer feedback loop and brings message conversion data into the platform, while our global test nodes constantly test carrier networks and relay the results into our network automatically. Our dynamic routing algorithm uses this combined data to proactively route SMS and voice messages, ensuring optimal and timely delivery.
  • High-volume messaging — Powerpack ensures reliable SMS and MMS distribution at scale

A solid communications platform is key to implementing 2FA using voice and SMS channels. Behind the scenes, a lot goes into ensuring delivery of the messages that support 2FA for network security. Plivo’s APIs are architected to work in tandem with infrastructure that ensures deliverability and enhances reliability. Learn more about how Plivo can help you add 2FA capabilities to your communications infrastructure.
