The Use of One-time Password/PIN (OTP) and two-factor authentication (2FA)

Phone verification involves sending a one-time PIN/password (OTP) to a phone number and requesting the user to recite the OTP to prove that she owns/possesses the phone. It serves as a form of two-factor authentication (2FA). However phone 2FA is unique because:

  • Besides authentication, it ensures you have a proven way to contact the user, which is critical to ensure timely communication
  • Phone 2FA is a form of identity universally accessible to people in different walks of life without requiring the user to download and operate other complex procedures

Both universal identity and timely communication are critical to build trustworthy communities, and offer great user experience respectively, which are the foundation of disruptive companies in sharing economy, collaborative consumption (marketplace), fintech (micro lending, cryptocurrency, financial inclusion).

The Misconception About Voice & SMS OTP Delivery Reliability

To implement phone verification, it is easy to make the mistake of assuming that a company can just integrate with any phone verification service or voice/SMS verification API and be done.

There are many other hidden pitfalls, one of which is assuming that the phone verification API can always deliver OTPs reliably. At RingCaptcha, we do not assume that as we are obsessed with reliable OTP deliverability which is why web build a reliability layer packed with features such as integrating with major global and regional phone verification APIs, e.g., Twilio, Infobip, Nexmo, MessageBird, etc., to provide multiple fallback routes, sending auto-followup OTP through alternative route & alternative medium (missed-call, SMS, voice), providing a dashboard for unconverted OTPs, etc. You can read more here. If you send your OTP through RingCaptcha’s phone verification API, you make a ‘true’ single API call, and all these happen behind the scene for you to ensure highly reliable OTP delivery.

RingCaptcha adds simplicity, security & reliablity to its voice/SMS verification APIs

Empirical Data On Importance of Multiple SMS OTP Routes, Alternative voice OTP, and auto-followup OTPs

To help you understand the importance of alternative OTP fallback routes and alternative OTP medium (voice OTP), we share  data from a recent incident.

We compare two periods:

  • The period of incident: 3 Dec 2018 – 9 Dec 2018 (inclusive)
  • The same period before the incident: 26 Nov 2018 – 2 Dec 2018 (inclusive).

We look for:

  • The number of OTP requests with ‘FAILED’ status to understand the severity of the incident
  • How RingCaptcha handles these ‘FAILED’ OTP requests transparently for our customers

The data we share is from our logs, and it contains various fields, which we will briefly describe below. We use the term ‘convert’ and ‘conversion’ to describe OTPs requested that are used.

  • provider_name: The provider we send OTP request through. RingCaptcha is integrated with major global and regional providers
  • operator_name: The operator of the phone number that requested OTP
  • service_id: ‘2’ indicates SMS OTP, ‘3’ indicates voice OTP
  • status: The report from provider about the OTP transmission
  • requested_20181126: OTPs requested in the period before incident
  • requested_20181203: OTPs requested in the period of incident
  • verified_20181126: OTPs converted in the period before incident
  • verified_20181203: OTPs converted in the period of incident
  • rate_20181126: ratio of verified vs. requested in the period before incident
  • rate_20181203: ratio of verified vs. requested in the period of incident
  • diff_requested: The difference in the OTP request count between the 2 periods
  • diff_verified: The difference in the OTP verified count between the 2 periods
  • diff_rate: The difference in the OTP conversion rate between the 2 periods

The number of OTP requests with ‘FAILED’ status indicates severity of the incident

Data on OTP delivery failures due to provider issues

On the highlighted line, the ‘diff_requested’ is hugely positive: 15959, which means there is an excessive increase in failures for requested OTPs sent to Mobily (‘operator_name’) phone numbers through Infobip (‘provider_name’) in the incident period, i.e., requested_20181203 compared to the period before, i.e.,  requested_20181126. The provider was suffering from some delivery issues.

For the record, all providers suffer from OTP delivery issues periodically due to a mix of technical difficulties, and traffic congestion. In this particular example, it is Infobip but Infobip is a very reliable provider otherwise, which emphasizes the importance of having multiple provider routes even more.

If you were not sending OTPs through RingCaptcha, the number of failures will make you panic, but with RingCaptcha, it merely means that RingCaptcha will send the OTP requests through an alternative path, and possibly alternative medium, e.g., voice instead of SMS.

How RingCaptcha handles these ‘FAILED’ OTP requests transparently for companies

Sending second OTP through alternative route and medium improves OTP delivery

On the highlighted line, you can see that there is a surge in second attempts, i.e., attempt ‘1’ (NOTE: attempt ‘0’ is first attempt); there is a sharp increase in 3 statistics – ‘SUCCESS’ OTP requests (‘diff_requested’): 6317, OTP verified (‘diff_verified’): 4282, also OTP conversion rate (‘diff_rate’): 0.19, i.e., 19%.

This is an indication that ‘troubled’ Mobily phone users are proactively requesting second OTPs, resulting in the high ‘diff_requested’ of 6317, which were transmitted over ‘voice’ (service_id ‘3’) through ‘Nexmo’ (provider_name), and they are successfully converting, indicated by the high ‘diff_verified’ of 4282. Without this alternative provider (‘Nexmo’) and alternative channel (‘voice’)  approximately 4282 users would not be able to receive OTPs to sign-up resulting in loss of potential users, or not be able to perform critical transactions that needed OTP resulting in loss of existing customers.

This shows the importance of sending follow-up OTP through fallback providers and medium to ensure that OTPs are delivered reliably when the main provider and medium fails. At RingCaptcha this happens transparently when you make a single call to send OTP using our API. No additional code needed!

You might also like these other posts...

provider-deliverablity-issues
DELIVERABILITY June 4, 2018 · 4 min read

True Story: How RingCaptcha’s True Single API Call Saves You From Service Disruption

What happens when your provider has deliverability issues with a carrier? Two weeks ago, Ufone Pakistan announced that they would… Continue Reading

Author
Donal Tobin
ScriptedRingCaptcha
NOTIFICATIONS January 31, 2018 · 4 min read

Case Study: How SMS Notifications Improved Scripted’s First-Time Customer Satisfaction by 49%

RingCaptcha’s SMS Gateway Improved Scripted’s First-Time Customer Satisfaction by 49%. How you ask? Listen up now… Company: Scripted Scope: International… Continue Reading

Author
anaisdelmonte
Featured Image
SECURITY July 18, 2017 · 8 min read

Why Passwords Are Our Greatest Security Risk

When you receive an urgent email from your CEO, you stop everything to address the request. He needs you to… Continue Reading

Author
Animalz Team

GET STARTED NOW

Over 1 million fake leads blocked by RingCaptcha and counting!

50 SMS Free Trial • No Credit Card Required