November 07, 2018
Review of two-factor authentication solutions for business
Okay, you’ve finally decided to add 2FA to verify your clients. Great!
“So, where do I start? How to add verification? Which one is better? And which one is cheaper?”
All of the options before you may seem overwhelming so let us help you out. In this article, we quickly cover some of the two-factor authentication solutions for business. We hope it will help you understand what their pros and cons are, and finally choose the one that meets your needs and goals.
SMS is a classic 2FA solution marketed by many CPaaS providers. Thanks to big companies like Google and Facebook aggressively promoting it as an essential part of their services, most people have now become accustomed to it, so it causes no friction at all. This channel also has good delivery and open rates, ensuring a high percentage of successful verifications. Furthermore, if the message is short enough with OTP demonstrated in the body of the notification, the user does not even have to switch apps to view the code. The negative side to SMS verification is that it can be expensive in some countries with high rates for SMS. Also, it is impossible to deliver messages to landline phones.
Sending one-time password via voice is another alternative to verifying users. It is usually repeated several times, so the recipient has no chance to mishear or forget it. It is cheaper than SMS as you are charged not for minutes, but for seconds. Another advantage is that you can send OTPs to landline phones. This method is also a good choice to send codes to visually impaired customers. The weak point of voice-based authentication is that some people are very sensitive about their privacy and do not answer calls from unfamiliar numbers. Also, it is not as cheap as possible because…
…there is Flash Call verification. Yes, it is cheaper than both SMS and voice. The secret of its low price is in the way it works – a client’s phone gets a call that is automatically rejected. No call answered – no money paid. Then the client simply takes the last 4 (or 6) digits of the incoming number and uses them as a password. Android applications are able to even go one step further – intercepting the call and entering the one-time code automatically.
Another available tool is Number Lookup. It is not technically 2FA, but it’s a good tool to validate clients. Simply put, it is a database with information on phone numbers. It provides insights such as number type (mobile or landline), country code, status (online/offline), whether the number is virtual/premium/toll-free, whether it was used for fraud or spam and many more. With this tool, companies can better optimize OTP delivery methods, reduce costs, block virtual or premium numbers and get rid of fake users and fraudsters. However, it is a passive way of authentication as customers cannot confirm their identities themselves. If there is no additional verification with a one-time code, nothing stops a scammer from providing a number of a regular person. This, it would be wise to support Lookup by real 2FA.
Push notification may also serve a good option to verify clients. It is cheap and unlike SMS and voice, it does not use classic telecommunication channels. The downside of that is they are suitable only for app-focused services. For example, if you just want to set up two-factor user authentication for your website but don’t have a mobile application, you would not be able to use this method. Additionally, if a person loses his device, they will have trouble restoring access to the app; whereas with classic options like SMS, they can just go to the nearest operator’s office, block an old SIM card and get a new one with the same number. Also, push notifications use internet, so if a smartphone is out of data, it will never receive a one-time password. Finally, if one accidentally swipes the message, they won’t be able to restore it. Thus, generally, pushes are not as reliable as other more conventional authentication options.
In summary, though all verification solutions are useful in their own ways, none are 100% perfect. Yet, that should not discourage you from using them as they still perform great when it comes to security and cost optimization. To ensure the maximum efficiency, the best approach would be to use several authentication options, so that in case the first method fails, there is always a backup one.
Get back