Reverse OTP: free authentication with SMS

Yes, you read that right, you can set up a free two-factor authentication solution. How do you do it? By using OTP (One Time Password) technology in reverse. With this technique, you yourself generate the code in your application for your customer to send to a dedicated virtual number. You are both the sender of the token and the recipient of the SMS message. And by having your customer send the message, you don't have to pay SMS. Still unclear? Follow the guide.

SMS OTP: how does it work?

The SMS OTP is a message containing a short, unique code, generally between 6 and 8 digits long, used to authenticate a user. The user enters the code into a web page or application to complete a login, registration or validation process.

On the platform or API side, the SMS OTP is routed with ultra-priority to ensure timely delivery of the temporary code it contains (an average lifetime of 1 minute). Applications, banks and platforms make massive use of SMS tokens for two-factor authentication (2FA) authentication to validate account creation, transactions or password resets.

Often used by banks through 3D-secure, this method ensures that the author of the request is in possession of two distinct identification factors (a code that he knows and an object that he owns.

Reminder: what is the 2FA?

2FA, or two-factor authentication, is an additional layer of security used to verify a user's identity. After entering their user ID and password, the user is prompted to provide a second form of identification from a separate device, such as their smartphone. This second factor can be materialized by a token or a text message sent to the user's phone.

TO GO FURTHER...
The SMS channel is a particularly suitable solution for setting up a 2FA. Our "best practices" guide will show you how to implement a 2FA service.
Find out more

High priority, an indispensable element of SMS OTP

The SMS OTP must be sent over a dedicated, high-priority channel, via short numbers dedicated to this type of traffic SMS. Sending the code enables the originator of the transaction to receive it quickly. The aim is to significantly increase data security without impacting the abandonment rate.

This process of sending SMS OTP also enables us to retrieve a new piece of validated data from the user at registration: their telephone number, which will be useful throughout the life of the customer relationship.

Monetary application leads to disruptive model for free SMS OTPs

A French fintech startup has adopted a new approach to two-factor authentication. It has found a solution that enables it to invert its authentication system by acting as a receiver of OTP codes, thus eliminating the need to send SMS.

In practice, the startup rents out a Mobile Virtual Number to receive SMS. Its users themselves send a SMS generated in-app, to validate a transaction. This OTP is generated by the customer directly in the app, to be sent to the Virtual Mobile Number (NVM). As soon as SMS is received, the app matches the generated OTP with the user's phone number and validates the transaction.

This avoids sending a SMS MT (Mobile Terminated) and waiting for a code sent by the customer on an NVM dedicated to receiving SMS MO (Mobile Originated). In short, instead of sending a SMS OTP to your customer, your customer sends a SMS OTP to a virtual phone number. No more SMS OTP sent by the application, but a very reliable number validation nonetheless. The only cost associated with this authentication system is the rental of a Mobile Virtual Number.

What is an NVM?

As its name suggests, a Mobile Virtual Number is not linked to a physical telephone, but is a long number assigned to a B2B customer. This number is designed for the free and immediate reception of SMS from a cell phone (SMS MO). The number is hosted by a French MVNO (mobile virtual network operator), and is available 24/7 without malfunction.

The Mobile Virtual Number uses a technique known as "direct inward dialing" (DID), which enables the number to be reached without an intermediary. This "one-way external direct" number is ideal for companies wishing to be contacted by SMS, to engage in conversations with their customers, or to set up mailing lists of all kinds (alerts, transport lines, competitions, newsletters, etc.). Upon receipt of a SMS request, a notification is sent to a specified URL for processing by you.

How do I set up this free 2FA system in my application?

1 - Get an authentication API, a software token or an OTP generation library

There are many ways to implement 2FA authentication in an application. One popular method is to use a software token or application like Authy or Google Authenticator to have a secure way to store, generate and use your OTPs.

You can also equip yourself with a token library that will generate OTPs on demand, from which you will be able to draw for each operation to be validated.

2 - Renting an NVM smsmode^©

Set up a virtual number to receive the OTPs that will be sent by your customers. Set up HTTP GET requests to retrieve the OTPs and numbers to be matched.

3 - Create my template

To avoid churn, you need to make the authentication process as simple as possible for the user. A good way to do this is to generate an "in app" button that, when clicked, opens your users' default email application with your NVM number as the recipient and the OTP code to paste into the body of the text.

4 - Trigger authentication

The smsmode© virtual number allows you to set up the automatic triggering of actions, so that your 2FA solution is fully controlled. In practice, the operation consists of a verification between the two OTP codes that must match.

Make a call back on your application to check the concordance between the code received by your NVM and the one you generated for your user.

If the two OTP codes match and the number is the one expected, you just have to validate the authentication!