SMS OTP: a guide to sending SMS verification codes

Your guide to using and sending SMS Verification Codes and One Time Passwords (OTP)

There are times when an extra level of security is needed. Companies in the highly-regulated financial services sector, for instance, must use strong customer authentication when customers want to access their payment account, or complete a transaction. This is because passwords can be compromised, particularly if they are too simple and easy to guess. 

An estimated three-quarters of people globally are at risk of being hacked because they don’t follow recommended password practices.

It’s not just financial services firms that require extra security credentials. Email providers, social media companies and online retailers may also ask users to verify their identity when resetting account information, and/or give them the option to enable two-factor authentication (2FA – see below). 

One of the most common ways for users to verify their identity is with a one time password – or OTP. Users receive a code, normally by SMS or email, which they have to input before proceeding. As the name suggests, an OTP can only be used once and it expires within minutes. Because of this, you’ll sometimes see them referred to as TOTP, or a temporary one time password. 
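The single-use and expiry behaviour described above, as an added example that is not from the original article or from any SMS provider. The `OtpStore` class, the 5-minute lifetime, the three-guess limit and the phone number format are all assumptions made for illustration; sending the SMS itself is left to whichever gateway is in use.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed lifetime; the article only says "within minutes"
MAX_ATTEMPTS = 3       # assumed guess limit, not taken from the article
SERVER_KEY = secrets.token_bytes(32)  # per-process key for the keyed hash


class OtpStore:
    """In-memory store of pending codes keyed by phone number (hypothetical)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # phone -> [mac, expires_at, attempts_left]

    @staticmethod
    def _mac(phone, code):
        # Keep only a keyed hash bound to the number, never the code itself.
        msg = f"{phone}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, phone):
        """Create a 6-digit code, replacing any earlier one for this number."""
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; keeps leading zeros
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[phone] = [self._mac(phone, code), expires_at, MAX_ATTEMPTS]
        return code  # pass to the SMS gateway; do not log it

    def verify(self, phone, submitted):
        """True once for the right code; reused, expired or wrong codes fail."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        mac, expires_at, attempts_left = entry
        if self._clock() >= expires_at:
            del self._pending[phone]  # expired
            return False
        ok = hmac.compare_digest(mac, self._mac(phone, submitted))
        if ok or attempts_left <= 1:
            del self._pending[phone]  # single use, or guesses exhausted
        else:
            entry[2] = attempts_left - 1
        return ok
```
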

OTPs aren’t limited to online activities either; they’re also widely used in sectors like banking where customers might manage their account by phone. 

An OTP reassures users that an organisation has taken steps to protect their personal data and money. It’s a way to help organisations meet their regulatory requirements, and protect themselves from the financial losses they’d incur if they have to reimburse customers who have had their credit cards used fraudulently, or are the victims of a scam. 

In this article, we’ll look at where SMS verification codes are used and how you can set them up. 

2FA and MFA – what’s the difference?

You’ll often see OTPs used as part of two-factor authentication (2FA), or multi-factor authentication (MFA). This is when a user is asked to input extra information, in addition to their username and password. 

So, even if login details are compromised, the chance of an unauthorised user gaining access is reduced. Given that as many as 24 billion usernames and passwords are circulating on the dark web, OTPs are an important weapon in the fight against fraud. 

There are advantages to both 2FA and MFA. 2FA is fast and effective, allowing users to quickly complete an action without feeling frustrated and potentially abandoning it. 

MFA, on the other hand, involves at least two forms of verification based on information only known to the user, so it is more secure. However, because of the extra step, it does take more time, so organisations need to implement it in a way that still delivers a seamless experience. Typically, MFA involves the following: 

  • Knowledge: something you know (e.g. password, mother’s maiden name)
  • Possession: something you have (e.g. an OTP SMS)
  • Unique characteristic: biometric (e.g. fingerprint)

The benefits of OTP by SMS

Often, customers can choose whether they receive an OTP by email or SMS. Both offer added security – but SMS has a number of benefits for both users and organisations. The biggest advantage is that text messages are clear and direct, and don’t get stuck in spam email filters or cluttered inboxes. 

OTP by SMS also means that those who don’t have access to the internet can still complete basic tasks quickly and securely by phone; in banking, this could include checking their balance, or paying a bill. 

As many as 2.7 million people in the UK are offline – with over one-in-10 saying they find the online world too complicated, and a further one-in-10 saying they don’t have access to an internet-enabled device. So, verification by text is a way for organisations to offer a convenient telephone service to people who are digitally excluded and potentially vulnerable, in a time-efficient way. 

The good thing about OTP by SMS is that it’s easy to implement via an SMS online platform or SMS API, making it part of a seamless customer journey. All you need is a customer’s current mobile number to get started. 

Automating OTPs

SMS automation is what makes OTPs possible.

People can and do log into their accounts and make a purchase at any time of the day or night, so organisations need to be able to trigger a temporary code whenever a legitimate customer needs to verify their identity. 

This is easy to achieve in the Esendex SMS platform, which uses a rule-based system to send an OTP, instantly and securely within your pre-defined conditions.

To learn more, read our guide to setting up automated SMS or explore our suite of business SMS products and services.

Mary Henry

Mary has extensive experience in communication, PR and journalism - most recently across SaaS businesses. A keen researcher and storyteller, Mary is highly skilled in making complex concepts accessible, and in putting customers at the heart of her communication. She has supported all kinds of businesses to tell their brand, product and people stories - from global multinationals to start-ups across retail, travel/leisure, banking/finance, government and educational institutions.