SMS 2FA Authentication Services

What are my options for two-factor authentication (2FA)?
Which one should I choose?

Choosing what form of 2FA your website or app needs can be difficult. There are four main types of 2FA, and below is an overview of each to help you make an informed choice.


SMS

SMS is the simplest and most convenient form of two-factor authentication. The one-time password can also be delivered via phone call if the end user only has access to a landline. While newer forms of 2FA are gaining popularity, even the biggest companies still default to SMS verification when resetting passwords (yes, Google, I’m talking about you!).


SMS verification is the ideal solution for verifying users during onboarding and login, verifying phone numbers during checkout, and verifying users during low-value transactions.


Companies with a global user base should definitely consider using SMS for 2FA, especially if they have users in developing countries - remember that only ⅓ of the world’s population have a smartphone.

SMS verification has received some bad publicity over the past few years due to its vulnerabilities. We agree, SMS 2FA is not ideal for every situation. It’s most suitable for verification during onboarding and during low-value transactions (e.g. fintech, e-commerce), where high levels of security aren’t as important. Check out the blog post we wrote on this topic.


Pros:

  • Straightforward and easy to use
  • No setup or app download required
  • Verified phone number tied to user

Cons:

  • Not as secure as other forms
  • User may not always have cell coverage
  • User may not be comfortable giving a phone number

Authentication Apps

Authentication apps have become increasingly popular over the last few years. The underlying technology for this style of 2FA is called Time-Based One-Time Password (TOTP). Authentication apps are a more secure form of two-factor authentication but require you to download and set up an app, so they’re not suited to every use case.


Pros:

  • Does not require cell coverage, just an internet connection
  • OTP stored on the device itself - it can’t get intercepted or redirected

Cons:

  • Difficult to replace if phone gets stolen and you don’t have printed backup codes
  • Internal clocks can desync between device and service resulting in invalid codes
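
The clock-desync problem listed above follows from how TOTP derives each code from the current 30-second time step. The following is an added example (not from the original article or any provider's code) that implements RFC 6238 TOTP with Python's standard library and shows a server accepting codes from adjacent time steps to tolerate drift; the function names, the one-step window and the sample times are assumptions for illustration.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step (RFC 6238 default)
DIGITS = 6    # code length shown by most authenticator apps

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, unix_time: float) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps."""
    return hotp(secret, int(unix_time) // STEP)

def verify(secret: bytes, code: str, server_time: float,
           window: int = 1, last_counter: int = -1):
    """Accept `code` if it matches any step within +/- `window` of the server's.

    Returns the matched counter, or None. Steps at or before `last_counter`
    are rejected so an accepted code cannot be replayed inside the window.
    """
    current = int(server_time) // STEP
    matched = None
    for counter in range(current - window, current + window + 1):
        # compare_digest avoids leaking matching digits through timing
        ok = hmac.compare_digest(hotp(secret, counter), code)
        if ok and counter > last_counter:
            matched = counter
    return matched

if __name__ == "__main__":
    secret = b"12345678901234567890"   # RFC 6238 test secret, not a real key
    server_now = 1_700_000_010         # constructed sample time
    phone_now = server_now - 25        # constructed: phone clock runs 25 s slow
    code = totp(secret, phone_now)
    print("strict   (window=0):", verify(secret, code, server_now, window=0))
    print("tolerant (window=1):", verify(secret, code, server_now, window=1))
```

A wider window tolerates more drift but lengthens the time each code stays valid, so the service should store the returned counter per user and pass it back as `last_counter` on the next login.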

Physical Authentication Keys

This is the safest form of two-factor authentication, and it’s starting to become more popular. A physical authentication key is just a small USB key you put on your keychain. Big companies from the technology and financial sectors are creating a standard known as U2F. With this form of 2FA, whenever you want to log into your account from a new computer, you’ll have to insert the USB key and press a button on it.

Pros:

  • A true physical factor
  • Phishing-proof
  • Safest form of 2FA

Cons:

  • Not widely supported yet
  • Not all browsers support it
  • Costs money to buy USB key

Push Notification

You receive a prompt on one of your devices during login. This prompt will indicate that someone (possibly you) is trying to verify. You can then approve or deny the attempt. Some offerings show an estimated location for the login attempt to increase security.

Push notifications have three main advantages over authentication apps:

  • Acknowledging the prompt is slightly more convenient than typing in a code
  • Somewhat more resistant to phishing
  • Downloading an app is not always required

Pros:

  • Some solutions don’t require app download
  • No input required from user
  • Allows for quicker login

Cons:

  • Requires an internet connection
  • Network-based - can be hacked

The most important thing to remember:
Any form of 2FA is better than no 2FA!

Each form of two-factor authentication is offered by multiple 2FA services. So regardless of what form you choose, look at a couple of different providers and make an informed decision.


If you’re considering SMS 2FA, we’d love to speak with you. There are many 2FA SMS service providers out there so it can be difficult to choose one. Thankfully, with RingCaptcha you don’t have to choose one. We’re connected with over ten different providers, both international and region-specific, to ensure your traffic has some of the highest deliverability rates in the industry.

Have questions? Feel free to write to us via our live chat (blue button on bottom right of your screen) or drop us a line - hello@ringcaptcha.com. Looking forward to hearing from you!