The simplest and most convenient form of two-factor authentication. Also has the option of receiving a one-time password via phone call if the end user only has access to a landline. While newer forms of 2FA are gaining popularity, even the biggest companies still default to SMS verification when resetting passwords (yes, Google, I’m talking about you!).

SMS verification is the ideal solution for verifying users during onboarding and login, verifying phone numbers during checkout, and verifying users during low-value transactions.

Companies with a global user base should definitely consider using SMS for 2FA, especially if they have users in developing countries—remember that only ⅓ of the world’s population have a smartphone.
SMS verification has received some bad publicity over the past few years due to its vulnerability. We agree, SMS 2FA is not ideal for every situation. It’s most suitable for verification during onboarding and during low-value transactions (i.e. fintech, e-commerce), where high-levels of security aren’t as important. Check out the blog post we wrote on this topic.


Straightforward and easy to use

No setup or app download required

Verified phone number tied to user


Not as secure as other forms

User may not always have cell coverage

User not comfortable giving phone number


Authentication Apps

Authentication apps have become increasingly popular in the last few years. The underlying technology for this style of 2FA is called Time-Based One Time Password (TOTP). Authentication apps are a more secure form of two-factor authentication but require you to download and set up an app, so it’s not suited to every use case.


Does not require cell coverage, just an internet connection

OTP stored on the device itself - it can’t get intercepted or redirected


Difficult to replace if phone gets stolen and you don’t have printed backup codes

Internal clocks can desync between device and service resulting in invalid codes


Physical Authentication Keys

The safest form of two-factor authentication that’s starting to become more popular. A physical authentication key is just a small USB key you put on your keychain. Big companies from the technology and financial sectors are creating a standard known as U2F. With this form of 2FA, whenever you want to log into your account from a new computer, you’ll have to insert the USB key and press a button on it.


A true physical factor



Not widely supported yet

Not all browsers support


Push Notification

Receive a prompt to one of your devices during login. This prompt will indicate that someone (possibly you) is trying to verify. You can then approve or deny the attempt. Some offerings have an estimated location for the login attempt to increase security.

Push notifications have three main advantages over authentication apps:

  • Acknowledging the prompt is slightly more convenient than typing in a code.
  • Somewhat more resistant to phishing.
  • Downloading an app is not always required.


Some solutions don’t require app download

No input required from user

Allows for quicker login


Requires an internet connection

Network-based — can be hacked

The most important thing to remember:
Any form of 2FA is better than no 2FA!

Each form of two-factor authentication has multiple 2FA authentication services. So regardless of what form you choose, look at a couple of different providers and make an informed decision.

If you’re considering SMS 2FA, we’d love to speak with you. There are many 2FA SMS service providers out there, so it can be difficult to choose one. Thankfully, with RingCaptcha, you don’t have to choose one. We’re connected with over ten different providers, both international and region-specific, to ensure your traffic has some of the highest deliverability rates in the industry.

Have questions? Feel free to write to us via our live chat (blue button on bottom right of your screen) or drop us a line — Looking forward to hearing from you!


Over 1 million fake leads blocked by RingCaptcha and counting!

50 SMS Free Trial • No Credit Card Required