In Context

The next-generation communications blog from Nexmo


How to Build SMS 2FA That Won’t Scare Away Your Users

March 5, 2015

As the breaches of high-profile companies such as Apple and Snapchat have shown, security is more important than ever for applications of all sizes. Many businesses, including the aforementioned companies, are turning to SMS-based authentication and number verification in order to secure their platforms and protect their users.

Two-factor authentication, or 2FA, works by combining multiple securing factors — in most cases something you know (a password) and something you have (a phone).

The ubiquity of the mobile phone makes SMS an effective tool for many apps and websites because of the balance it strikes between convenience and security.

For a primer on why companies are using SMS for their authentication needs, please see my previous post: Why 2FA?

It’s simple…or is it?

While setting up an SMS-based authentication system is not necessarily difficult from a technical point of view, it can be difficult to balance the need for security and the potential for alienating users with a poor user experience.

We’ve analyzed over 2 billion verifications that have been performed through our SMS API and developed a comprehensive list of best practices to implement to ensure the highest conversion rate possible.

The How

When a user starts a login process, the application server first notices that 2FA is enabled for the account. It then generates a code (or an OTP), stores it for later verification, and sends it to the user by SMS (or TTS) via Nexmo’s API. At that point the application server knows the code, but the user only has access to it if they are in possession of their phone. The user then provides the code and the application server verifies that it matches the stored code (or, in the case of an OTP, may use an algorithm to verify it is valid instead of storing the value).


Check out the handy quick guide below, or head to the link below for the full guide of best practices complete with screenshots and wireframes.

The Guide on How to Effectively Build SMS 2 Factor Authentication


Category | Best Practice | Description
Call Me | Use TTS as a backup for SMS | Sometimes SMS can’t be delivered or the person doesn’t know to check their messages. By using a text-to-speech call as backup when the user doesn’t enter a code, you can improve conversion by as much as 15%.
Call Me | Force the user into TTS or alternate authentication after two attempts | If your primary method of authentication doesn’t work the first two times, force the user to try a different method.
General | Use existing factors to verify all 2FA | Prevent fraudulent account takeover by verifying account changes with existing factors. For example, if the user attempts to change their number, make sure to use any available information such as alternate email addresses to reduce the likelihood of fraudulent changes.
General | Measure fluctuations in conversion ratio | By measuring and testing variables in your conversion process you can improve the number of users you acquire. This means more revenue and less abandonment in the process.
General | Utilize high quality SMS routes | The world of international SMS is full of shady suppliers who will offer you extremely low prices. With SMS, you get what you pay for. Ask for direct connections where possible to improve delivery rate and decrease message delivery latency.
General | Send SMS in the local language | Send instructions in the local language to avoid confusion.
Phone Number Entry | Only allow one account per phone number | This is an easy way to prevent fraudulent account creation. By requiring a valid phone number and limiting that number to one account, it prevents someone from creating multiple fraudulent accounts.
Phone Number Entry | Pick a primary authentication option, e.g. text or call | Reduce user confusion by asserting a primary authentication method and using the other one as a backup.
Phone Number Entry | Have a dropdown menu for country code | Avoid having to make the user guess or research what country code they have.
Phone Number Entry | Use Google phonelib | Allow the user to select their country, then use Google phonelib to ensure the number is formatted properly.
Phone Number Entry | Tell customer they must use a mobile phone number | Require a mobile phone number in order to receive an SMS.
Resend | Allow each user to request no more than two SMS messages | Each SMS costs money, and if they don’t convert in two messages it’s unlikely they will after more.
Resend | Force the user to wait 60s for their code to arrive before being able to request another one | Sometimes messages get delayed or the user makes a mistake; avoid sending unnecessary repeat messages by adding a delay between requests.
Resend | Accept both codes if a user requests 2 messages, or send the same code twice | If a user does request two codes, sometimes they will enter the older one first, so it will help conversion rate if you send the same code twice or accept both.
Send SMS | Add a dash in the middle of the numbers | By adding a dash (for example 333-666) it makes it easier for the user to remember when they are entering it in.
Send SMS/Call Me | Tell the customer they are about to receive a text or call | Reduce potential confusion and put them at the ready to receive the passcode.
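The following is an added example, not code from the original post or from Nexmo, that ties the generate/store/send/verify flow from "The How" together with the Resend, Call Me and Send SMS rows of the table: at most two SMS sends, a 60-second wait between requests, a text-to-speech call as the fallback after the second SMS, every outstanding code accepted rather than only the latest, and the code formatted with a dash in the middle. Codes are stored only as salted hashes and compared in constant time. The `transport` callable is a hypothetical stand-in for the SMS/TTS gateway call, and the five-minute code lifetime and the cap on wrong guesses are this example's own assumptions; the post states neither.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Limits taken from the best-practice table; CODE_TTL_S and MAX_WRONG are this
# example's own assumptions (the post gives no code lifetime or guess cap, but a
# six-digit code needs one to resist online guessing).
MAX_SMS = 2          # no more than two SMS messages per verification
RESEND_WAIT_S = 60   # wait 60 s before another code can be requested
CODE_TTL_S = 300     # assumption: a challenge lives five minutes
MAX_WRONG = 5        # assumption: burn the challenge after five wrong entries


def generate_code() -> str:
    """Six random digits from the OS CSPRNG, zero-padded (e.g. '042917')."""
    return f"{secrets.randbelow(10 ** 6):06d}"


def format_for_sms(code: str) -> str:
    """Insert a dash in the middle (333-666) so the code is easier to remember."""
    half = len(code) // 2
    return f"{code[:half]}-{code[half:]}"


def hash_code(code: str, salt: bytes) -> bytes:
    """Store only a salted hash so a leaked session store does not leak live codes."""
    return hashlib.sha256(salt + code.encode()).digest()


@dataclass
class Challenge:
    """One in-flight verification for one phone number."""
    created: float
    salt: bytes = field(default_factory=lambda: secrets.token_bytes(16))
    hashes: list = field(default_factory=list)  # hashes of every code still accepted
    sms_sent: int = 0
    tts_sent: bool = False
    last_send: float = 0.0
    wrong: int = 0


class Verifier:
    """In-memory 2FA session store.

    transport(phone, text, channel) is a hypothetical gateway callable (not the
    Nexmo client); clock is injectable so the cooldown can be tested without sleeping.
    """

    def __init__(self, transport, clock=time.time):
        self.transport = transport
        self.clock = clock
        self.challenges = {}  # phone -> Challenge

    def _live(self, phone: str, now: float):
        ch = self.challenges.get(phone)
        if ch is None or now - ch.created > CODE_TTL_S:
            return None
        return ch

    def request_code(self, phone: str) -> str:
        """Returns 'sent', 'wait', 'called' or 'limit'."""
        now = self.clock()
        ch = self._live(phone, now)
        if ch is None:
            ch = self.challenges[phone] = Challenge(created=now)
        if ch.sms_sent and now - ch.last_send < RESEND_WAIT_S:
            return "wait"                      # 60 s between requests
        if ch.sms_sent >= MAX_SMS and ch.tts_sent:
            return "limit"                     # SMS and call both used: offer another factor
        code = generate_code()
        ch.hashes.append(hash_code(code, ch.salt))  # older codes stay valid too
        ch.last_send = now
        if ch.sms_sent < MAX_SMS:
            ch.sms_sent += 1
            self.transport(phone, f"Your code is {format_for_sms(code)}", "sms")
            return "sent"
        ch.tts_sent = True                      # third request: fall back to a TTS call
        self.transport(phone, f"Your code is {' '.join(code)}", "tts")
        return "called"

    def check_code(self, phone: str, entered: str) -> str:
        """Returns 'ok', 'wrong' or 'expired' (no live challenge for this number)."""
        now = self.clock()
        ch = self._live(phone, now)
        if ch is None:
            return "expired"
        candidate = hash_code(entered.replace("-", "").replace(" ", ""), ch.salt)
        if any(hmac.compare_digest(candidate, h) for h in ch.hashes):
            del self.challenges[phone]          # single use: drop the whole challenge
            return "ok"
        ch.wrong += 1
        if ch.wrong >= MAX_WRONG:
            del self.challenges[phone]          # too many guesses: force a fresh request
            return "expired"
        return "wrong"
```

Accepting every code issued within the challenge (rather than only the most recent) is what lets a user who typed the older message first still succeed; the challenge is deleted on success so no code is reusable. A production deployment would keep the challenge store in a shared cache rather than process memory and would key the cooldown on the account as well as the number.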
