Reverse OTP: free authentication with SMS

Introduction
Data security is a concern for many customers. To satisfy this need for reliability and gain a competitive edge, many solutions implement two-factor authentication (2FA), often via an SMS OTP. However, implementing 2FA is costly, because each message sent is billed. There is a way to guarantee strong authentication without the OTP messages costing you a single penny. Find out how to set up a free SMS OTP in this article.
Yes, you read that right, you can set up a free two-factor authentication solution. How do you do it? By using OTP (One Time Password) technology in reverse. With this technique, you yourself generate the code in your application for your customer to send to a dedicated virtual number. You are both the sender of the token and the recipient of the SMS. And by having your customer send the message, you don't pay for the SMS. Still unclear? Follow the guide.
SMS OTP: how does it work?
SMS OTP is a message containing a short, unique code, generally between 6 and 8 digits long, used to authenticate a user. The user enters the code into a web page or application to complete a login, registration or validation process.
On the platform or API side, the SMS OTP is routed on an ultra-priority basis to ensure the timely delivery of the temporary code it contains (an average lifetime of 1 minute). Applications, banks and platforms make massive use of SMS tokens for two-factor authentication (2FA) to validate the creation of an account, a transaction or a password reset.
Often used by banks through 3D-secure, this method ensures that the person making the request is in possession of two distinct identification factors (a code they know and an object they own).
Reminder: what is 2FA?
2FA, or two-factor authentication, is an additional layer of security used to verify a user's identity. After entering their login and password, users are prompted to provide a second form of identification from a separate device, such as their smartphone. This second factor can be materialized by a token or a text message sent to the user's phone.
Our "Best practices" guide will help you implement a 2FA service.

High priority, an indispensable element of SMS OTP
SMS OTP must be sent via a dedicated, high-priority channel, using short numbers dedicated to this type of SMS traffic. Sending an OTP SMS enables the transaction's originator to receive the code quickly. The aim is to significantly increase data security without impacting the abandonment rate.
This process of sending SMS OTP also enables us to retrieve a new piece of validated data from the user at registration: their telephone number, which will be useful throughout the life of the customer relationship.
Monetary application leads to disruptive model for free SMS OTPs
A French fintech startup has adopted a new approach to two-factor authentication. It has found a solution that enables it to invert its authentication system by acting as a receiver of OTP codes, thus eliminating the need to send SMS.
In practice, the startup rents a Mobile Virtual Number (NVM) to receive SMS messages. Its users themselves send an in-app-generated SMS to validate a transaction. This OTP is generated by the customer directly in the app, to be sent to the NVM. On receipt of this SMS, the app matches the generated OTP with the user's phone number and validates the transaction.
This mechanism avoids the need to send an SMS MT (Mobile Terminated); instead, the application waits for a code sent by the customer to an NVM dedicated to receiving SMS MO (Mobile Originated). In short, instead of sending an OTP SMS to your customer, your customer sends an OTP SMS to a virtual phone number. No more OTP SMS sent by the application, but a very reliable number validation nonetheless. The only cost associated with this authentication system is the rental of a Mobile Virtual Number.
*In France, the Mobile Virtual Number has been replaced by Time2Chat.
What is an NVM?
As its name suggests, a Mobile Virtual Number is not linked to a physical telephone, but is a long number assigned to a B2B customer. This number is designed for the free and immediate reception of SMS from a cell phone (SMS MO). The number is hosted by a French MVNO (mobile virtual network operator), and is available 24/7 without malfunction.
The Mobile Virtual Number uses a technique known as "direct inward dialing" (DID), which enables the number to be reached without an intermediary. This "one-way external direct" number is ideal for companies wishing to be contacted by SMS, to engage in conversations with their customers, or to set up mailing lists of all kinds (alerts, transport lines, competitions, newsletters, etc.). Upon receipt of an SMS request, a notification is sent to a specified URL for processing by you.
Find out how to receive SMS (SMS opt-in, requests for information and inquiries, registration for a service, newsletter or game, customer data collection, etc.) and meet the needs of a wide range of applications.
How do I set up this free 2FA system in my application?
1. Set up an authentication API, software token or OTP generation library
There are many ways to implement 2FA authentication in an application. One popular method is to use a software token or an application such as Authy or Google Authenticator to provide a secure means of storing, generating and using your OTPs.
You can also set up a token library that generates OTPs on demand, from which you can draw for each operation to be validated.
2. Rent an smsmode© NVM
Set up a virtual number to receive the OTPs sent by your customers. Set up HTTP GET requests to retrieve the OTPs and numbers to be matched.
3. Create my model
To avoid churn, you need to make the authentication process as simple as possible for the user. A good way of doing this is to generate an "in app" button which, when clicked, opens your users' default messaging application, with your NVM number as the recipient and the OTP code to paste into the body of the text.
4. Trigger authentication
The smsmode© virtual number allows you to set up automatic triggering of actions, so that your 2FA solution is fully controlled. In practice, the operation consists of a check between the two OTP codes, which must match.
Run a callback on your application to check that the code received by your NVM matches the one you generated for your user.
If the two OTP codes match and the number is the one expected, you just have to validate the authentication!
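The four steps above, sketched server-side as an added example (not smsmode's code or the startup's): the OTP is bound to the expected phone number, expires after the one-minute lifetime the article mentions, and is consumed on first use. `ReverseOtpVerifier`, its method names and `NVM_NUMBER` are hypothetical, and `sender` and `body` are assumed to be the values your NVM notification delivers.

```python
import hmac
import re
import secrets
import time
from urllib.parse import quote

OTP_TTL_SECONDS = 60         # the article cites an average OTP lifetime of 1 minute
NVM_NUMBER = "+33700000000"  # constructed placeholder for the rented virtual number


class ReverseOtpVerifier:
    """Hypothetical server-side state for steps 1, 3 and 4."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # normalized phone number -> (code, expiry, transaction id)

    @staticmethod
    def normalize(number):
        # Assumes international format on both sides: "+33 6 12..." or "0033612...".
        digits = re.sub(r"\D", "", number)
        return "+" + (digits[2:] if digits.startswith("00") else digits)

    def issue(self, phone, transaction_id):
        # Step 1: generate the OTP with a CSPRNG and bind it to the expected sender.
        code = f"{secrets.randbelow(10**6):06d}"
        expiry = self._now() + OTP_TTL_SECONDS
        self._pending[self.normalize(phone)] = (code, expiry, transaction_id)
        return code

    def sms_link(self, code):
        # Step 3: RFC 5724 "sms:" URI for the in-app button (recipient and body pre-filled).
        return f"sms:{NVM_NUMBER}?body={quote(code)}"

    def on_inbound_sms(self, sender, body):
        # Step 4: called from the NVM notification handler with the SMS MO sender and text.
        # The pending code is consumed by the first message from that number (single use),
        # so a wrong guess or a replay cannot be retried against the same code.
        entry = self._pending.pop(self.normalize(sender), None)
        if entry is None:
            return None
        code, expiry, transaction_id = entry
        if self._now() > expiry:
            return None
        if not hmac.compare_digest(body.strip().encode(), code.encode()):
            return None
        return transaction_id
```

The result is only as trustworthy as the `sender` value handed to `on_inbound_sms`, so the notification URL should accept requests only from your SMS provider.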
2FA Free: pros and cons
This free authentication technique for applications, which could be called "Reverse OTP", has advantages and disadvantages:
- Pros
  - Once installed, every message is free! The only cost is NVM rental.
  - A solution just as scalable as the classic OTP.
  - Less churn! As with the classic OTP, you leave the application, but pre-filling the SMS makes the operation much smoother, whereas memorizing a code received by SMS is sometimes complicated.
- Cons
  - A slightly greater development requirement at start-up than a conventional SMS OTP service.
  - An innovative approach that can confuse users. It's up to you to make sure the presentation is professional and the use smooth.
  - A deployment that can only be done on a mobile application.