Hey everyone,
We're currently reviewing our One-Time Password (OTP) and two-factor authentication (2FA) setup, and I'm interested in hearing what systems others are using in production. We're facing some key challenges, such as inconsistent SMS delivery in the MENA region and parts of Asia, occasional spikes in latency during peak traffic periods, and the need to balance cost versus reliability across various regions.
We've tested several major providers but found that performance often varies greatly depending on geography and carrier routing. For those of you running OTP at scale, which providers have you found to be the most reliable? I'm looking for genuine experiences rather than marketing pitches. Thanks in advance!
6 Answers
We've transitioned to using Passkeys; they are much more convenient! No codes to enter, and you can authenticate using your device's biometrics. Plus, SMS can be spoofed, and it’s no longer considered a secure option.
I've noticed a lot more people using WhatsApp Business for sending 2FA codes. I'm not sure about the costs, but I find it much more reliable for users in the EMEA and LATAM regions.
I'm not a fan of using SMS for 2FA; I really try to avoid it when I can. It's been considered outdated for a while now, and successful attacks on SMS are pretty common. Using TOTP is a big upgrade, though it does put more pressure on users to have the right apps and devices. It's definitely more secure!
That's true, SMS is weaker than TOTP from a security standpoint. However, SMS is still the go-to for many people just because it's user-friendly. Most users already have a phone number, so there's no need for an app installation or dealing with backup codes. That high enrollment makes it a practical choice in many situations.
Honestly, SMS really isn't great for 2FA. I steer clear of it whenever possible. For single sign-on (SSO), we prefer using authenticator apps like Microsoft Authenticator, but I personally stick with Google Authenticator. For our jump-hosts, we even use hardware tokens.
If you're looking for a solid example, Reddit uses TOTP for their 2FA. That's definitely a scale worth considering!
I don't directly deal with SMS OTPs in my work, but I found an interesting open-source repository called OTPGateway by Zerodha that you might want to check out. It’s worth considering alternative methods like delivering SMS via WhatsApp as well.

Passkeys are definitely the way to go!