The most straightforward way to get users to use 2FA is to enable it via SMS PIN codes. It’s common for businesses that provide online accounts or mobile apps to ask for phone numbers to verify new users through SMS PIN codes. The main reason being that SMS with its high reach has an extremely high chance that the person will be able to use it for verification.
They’re turning to the same technology for two-factor authentication – that is, send an SMS PIN code every time a user logs into an account, whether from a web browser or an app.
Messente’s API does both phone number verification and two-factor authentication from the same API. Technically, they both do the same thing, but the logic from the users’ perspective is that they’re verified with a PIN code when the account is created, then they “authenticate” every time they log in with a password and a PIN code. This way, the second layer of protection is enabled against both fraudulent account creating and unwanted access by a malicious perpetrator.
How 2FA mobile apps work
2FA mobile apps, such as Verigator, don’t use SMS PIN codes for two-factor authentication, though. They use six-digit one-time passwords that expire after a certain time, usually 30-60 seconds.
These time-based one-time passwords (TOTP) are calculated independently by both the Verigator app and Messente’s API, so they’re safe from SS7 vulnerabilities, which have put SMS under some scrutiny. Though the matter has been blown a bit out of proportion as the methods for interception are still rather challenging to deploy and are super rare in actuality.
Only the user entered TOTP is transmitted to the API by the online service in question, as the online service checks with Messente’s API if the correct TOTP was entered before access is granted.
The independent calculation of the TOTP-s means that there is less transmission of data and thus less chance for anyone to intercept the code. This makes the system safer by simply limiting data delivery.
Users install the app to their iOS or Android device, create an account and verify it with an SMS PIN code. And here’s the magic: an online service that uses Messente’s API will automatically appear in a corresponding user’s Verigator app (assuming the user provides the same mobile number.)
Even better, a push notification is sent to users when they log in, so they don’t have to search for the account in the app. This makes it easier to use on a daily basis than an SMS based system. Push notifications tend to be a bit quicker in arriving than the SMS messages as well.
For the account implementation, no scanning of QR codes or any other steps to get users onboard with TOTP 2FA is needed. Brands and businesses can utilise a single API to tackle phone number verification, SMS 2FA, and TOTP 2FA. Encouraging users to use Verigator keeps the seamless simplicity of sending SMS PIN codes while being that much more secure. Making the user sign-in experience much less cumbersome while keeping the user safe. Thus, creating an optimal balance between a secure and a user-friendly system.
Verigator users can also use the 2FA app with any other online service that doesn’t use our API, as long as they have a QR code to scan. While it defeats the purpose of a seamless single API approach for SMS and TOTP, it allows users to minimise how many 2FA apps they install. So you can have all of the service commonly used, such as Facebook, Instagram, Gmail, etc. in one place without the fear of all of them being at risk of being breached at the same time.
So, if you’re already using SMS PIN codes to authenticate users every time they log in, have you thought about how to make it better?