How to combine SMS, Email and Voice for multi-factor authentication (MFA)

Verification requires more than a password

When it comes to authentication, passwords alone aren’t enough to keep your business and customers secure.

Industry standards and regulations today require your business to establish security mechanisms that protect user data and accounts.

80% of known data breaches are due to weak, reused or stolen credentials (Last Pass)

You’ve adopted an SMS authentication process — the most common, easiest and quickest verification method to implement and distribute to users worldwide. 

For end-users, SMS authentications provide quick, seamless experiences to verify their account. Customers and employees alike have grown accustomed to using SMS authentications across the customer journey to:

  • create an account 
  • log in
  • complete transactions
  • make changes to their account

While SMS-based authentication can block 100% of automated bots, 96% of bulk phishing attacks and 76% of targeted attacks (Google), multi-factor (multi-channel) authentication will strengthen the security across the customer journey to improve conversion rates, prevent fraud and protect your users.

Take your verifications to the next level with multi-factor authentication (MFA). 

Enable a strong multi-factor authentication (MFA) with SMS, Email and Voice to add a layer of protection

The data is clear — having multiple channels to authenticate the same user’s identity strengthens security for both the end-user and your business.

99% of breaches can be blocked with multi-factor authentication (Microsoft)

Using two-factor authentication (2FA) channels together to implement MFA enables you to protect user data and accounts, helping prevent malicious attempts before they can even start.  

Understanding how and when to use SMS, Email or Voice as your preferred authentication channel establishes a more secure verification process without increasing the friction of the customer experience. 

How to use multi-factor authentication to verify your customers

There are multiple elements that must be considered when selecting a channel for MFA: use case, user preferences, reasons for verification and pricing. 

Use case

Things to consider: 

  • What moment of the user journey do you need to verify the identity of your users? Is that transaction critical? 
  • Is it time sensitive? 
  • Does your user have more time to perform that specific transaction for example like in contact updates? 
  • Can it be done from any device? 

Best practices: 

Look for variation across the user journey. Users prefer SMS for mobile applications. Email is normally more user-friendly for web applications or when users don’t have their phone nearby. We suggest testing the following combinations: 

        Account creation and verification: SMS and Email

        Logins: SMS, Voice and Email

        Transactions: SMS and Voice

        Contact updates: Email

User preferences

Things to consider: 

  • What is your customer’s preferred way of authentication on your platform? 
  • Which channel has the highest conversion rate? 
  • Does the conversion rate change at different points in the customer journey? 

Best practices: 

Our data says SMS is still the preferred way to receive OTP codes. However, the proper way to understand what the preferred way of authentication is for each customer is to analyze your performance reporting and logs.

Reason(s) for verification

Things to consider: 

  • Are you trying to comply with certain standards or regulations? 
  • Are you trying to protect users' data? 
  • Are you trying to prevent fraud and get a more robust secure solution? 

Best practices: 

Most likely all of them, but identifying these reasons will allow you to define the MFA strategy that best fits your needs. For example, SMS remains secure and compliant in most places but if SIM swapping is common in your destinations, email should be considered.

Price 

Things to consider: 

  • Sending OTPs are priced per transaction and it varies depending on the destination — some countries are more expensive than others.

Best practices: 

Explore the pricing in each destination you are sending. The right provider will help you understand the best price per channel, destination and use case. Plus, it will allow you to only pay for successful authentications to ensure you get the best ROI.

The key is to leverage Email and Voice to improve SMS and vice versa for your authentication process. 

Combining these channels will establish a more complete authentication solution for your business:

  • Improved conversion rates
  • More breaches blocked
  • More real user verified


Verify API with MessageBird means MFA optimized for security, speed and cost

Supporting your MFA authentication is easy with MessageBird's Verify API

MessageBird’s multi-factor authentication platform connects you to enterprise-grade security, compliant worldwide. 

MessageBird is 27001:2013 certified, GDPR and PSD2 compliant. Plus, all data is encrypted at REST and in transit — with direct, encrypted end-to-end SMS connections.

On top of its security, MessageBird’s SMS platform gives you best-in-class deliverability. Whether you’re sending hundreds or millions of codes, our infrastructure has 250+ direct-to-carrier connections to ensure your SMS is delivered fast and reliably around the world. 

MessageBird’s Email platform powered by SparkPost also connects you to industry-leading security and deliverability trusted to optimally deliver 40% of all commercial emails — that always uses DKIM, SPF and DMARC protocols.

For Voice, MessageBird’s direct access to over 250 global telcos means your authentication messages are optimized for security and speed. 

Use our Numbers API to programmatically buy and use local numbers in 140 countries — to easily deploy cost-effective verification where needed.



MessageBird’s Verify API paired with our powerful global infrastructure and dedicated MFA support means you can continually optimize your authentication process.

Ready to prevent fraud and protect your users with Verify API?