Reverse OTP: free authentication via SMS

Yes, you read that right, you can set up a free two-factor authentication solution. How do you do it? By using OTP (One Time Password) technology in reverse. With this technique, you generate the code yourself in your application for your customer to send to a dedicated virtual number. You are both the sender of the token and the recipient of the SMS. And by having your customer send the message you don't pay for the SMS. Still unclear? Follow the guide.

SMS OTP: how does it work?

SMS OTP is a message containing a short, unique code, usually between 6 and 8 digits, used to authenticate a user. The user enters the code into a web page or application to complete a login, registration or validation process.

On the platform or API side, the SMS OTP is routed in an ultra-priority way to ensure the timely delivery of the temporary code it contains (a lifetime of 1 minute on average). Applications, banks, platforms massively use SMS tokens in the context of two-factor authentication (2FA) to validate the creation of an account, a transaction or the reset of a password.

Often used by banks through 3D-secure, this method ensures that the author of the request is in possession of two distinct identification factors (a code that he knows and an object that he owns.

Reminder: what is the 2FA?

2FA, or two-factor authentication, is an additional layer of security used to verify a user's identity. After entering their user ID and password, the user is prompted to provide a second form of identification from a separate device, such as their smartphone. This second factor can be materialized by a token or a text message sent to the user's phone.

TO GO FURTHER...
The SMS channel is a particularly suitable solution for a 2FA implementation. Our "best practices" guide will guide you on how to implement a 2FA service.
I want to know more

High priority, an indispensable element of SMS OTP

The sending of an SMS OTP must be done through a dedicated channel of high priority, via short numbers dedicated to this type of SMS traffic. The sending allows the author of the transaction to receive the code quickly. The goal is to significantly increase data security without impacting the abandonment rate of these actions.

This process of sending SMS OTP also allows, upon registration, to retrieve a new validated data from the user: his phone number, which will be useful for the entire life of the customer relationship.

Monetary application drives disruptive model for free OTP SMS

A French fintech startup has taken a new approach to two-factor authentication. It has found a solution that allows it to invert its authentication system by placing itself as the receiver of OTP codes to suppress its text messages.

In practice, the startup rents a Mobile Virtual Number to receive SMS messages. Its users send themselves an in-app generated SMS, to validate a transaction. This OTP is generated by the customer directly in the application, to be sent to the Virtual Mobile Number (NVM). Upon receiving this SMS, the app matches the generated OTP with the user's phone number and validates the transaction.

The mechanics allow to avoid sending a MT (Mobile Terminated) SMS and to wait for a code sent by the customer on a NVM dedicated to the reception of MO (Mobile Originated) SMS. In short, instead of sending an OTP SMS to your customer, your customer sends an OTP SMS to a virtual phone number. No more OTP SMS sent by the application, but a very reliable number validation anyway. The only cost associated with this authentication device is the rental of a Mobile Virtual Number.

What is an NVM?

As its name suggests, a Mobile Virtual Number is not linked to a physical phone, it is a long number assigned to a B2B customer. This number is designed for the free and immediate reception of SMS from a cell phone (SMS MO). The number is hosted by a French MVNO (Mobile Virtual Network Operator), available 24/7 without malfunction.

The Mobile Virtual Number uses the technique known as "direct inward dialing" (DID), which makes it possible to reach the number without intermediaries. This "direct external one-way" number is ideal for companies that want to be contacted by SMS, to start conversations with their customers or to build up mailing lists of all kinds (alerts, transport line, contests, newsletters...). When an SMS is received, a notification is sent to a specific URL for processing by you.

How do I set up this free 2FA system in my application?

1 - Get an authentication API, a software token or an OTP generation library

There are many ways to implement 2FA authentication in an application. One popular method is to use a software token or application like Authy or Google Authenticator to have a secure way to store, generate and use your OTPs.

You can also equip yourself with a token library that will generate OTPs on demand, from which you will be able to draw for each operation to be validated.

2 - Renting an NVM smsmode^©

Set up a virtual number to receive the OTPs that will be sent by your customers. Set up HTTP GET requests to retrieve the OTPs and numbers to be matched.

3 - Create my template

To avoid churn, you need to make the authentication process as simple as possible for the user. A good way to do this is to generate an "in app" button that, when clicked, opens your users' default email application with your NVM number as the recipient and the OTP code to paste into the body of the text.

4 - Trigger authentication

The smsmode© virtual number allows you to set up the automatic triggering of actions, so that your 2FA solution is fully controlled. In practice, the operation consists of a verification between the two OTP codes that must match.

Make a call back on your application to check the concordance between the code received by your NVM and the one you generated for your user.

If the two OTP codes match and the number is the one expected, you just have to validate the authentication!