Choosing the right channels for your application can help increase 2FA adoption and keep your customers secure. Twilio's Verify API supports several independent channels for verification and authentication:
SMS with RCS upgrade
WhatsApp
Voice
Silent Network Auth
Automatic Channel Selection
Email
Passkeys
Push
Silent Device Approval
Time-based one-time passwords (TOTP)
Each channel has various pros and cons, covered below. Many companies offer an assortment of channels to their customers so that customers can choose their preferred channel.
The WhatsApp channel has many of the same usability benefits of SMS with the added bonus of being the most popular messaging service in over 100 countries. Adding WhatsApp for one-time passcode (OTP) delivery can boost your overall verification conversion rate because it works with just a Wi-Fi connection.
As a software channel, WhatsApp won't charge for undelivered messages and isn't exposed to fraud that exploits the telecom network. Verify auto-creates authentication message templates in multiple languages that you can use with your own brand and provide end users with a copy code button to enhance their experience.
Voice is Twilio's primary backup to SMS for non-smartphone authentication. WhileSMS delivery rates vary over the globe, Voice is prioritized on carrier networks and gives the greatest reliability. To ensure there is a live user at the other end of the call and not a voicemail that can be intercepted, the Verify API will challenge a user with a random keypad digit before reading them the token.
Silent Network Auth (SNA) is a secure verification channel that verifies user possession of a mobile number without explicit user intervention by using its built-in connectivity to the mobile network operator (carrier). In the background, Twilio verifies the phone number by confirming directly from the carrier that the number corresponds to the SIM card located in the device requesting the authentication. This all happens without one-time password prompts or visible redirects for the end-user.
Verify Automatic Channel Selection is currently in the Pilot maturity stage, please contact sales to request access to this feature.
Automatic Channel Selection is a verification channel that attempts to verify with Silent Network Auth (SNA) and uses SMS as a fallback if needed.
SNA is a very secure authentication channel that uses direct carrier connections to verify the possession of a phone number without requiring user input. However, SNA cannot be used in some cases due to carrier or network restrictions. Automatic Channel Selection works by proactively checking if an end user's IP address can support using SNA. If it doesn't, or if other restrictions or errors in the SNA process exist, the SMS channel is used as a back up.
One time passcodes (OTP) sent to email can help protect your users if their password is brute-forced or phished. Like SMS, it doesn't require downloading another app so onboarding will be quick and seamless.
The problem with email as a 2FA delivery channel is that the most common first factor, a password, can usually be reset via an email. That means that an attacker only has to compromise one factor, your email inbox, to take over your account. This can happen if they know your email account password or if they have access to a live session (e.g. if you leave your email logged into a shared computer). Learn more about email 2FA tradeoffs.
Passkeys, also known as FIDO/WebAuthn, is an industry-standard authentication method that is more seamless and secure than passwords. Many consumer apps are adding support for Passkeys, including Google making Passkeys its default sign-in option.