Introduction

Routee Multi-Factor Authentication (MFA) is a service designed to verify transactions using a phone number and/or email address.

This MFA service confirms the ownership of phone numbers and emails for various purposes, including new account creation, user registrations, log-ins, secure information access, banking transactions, and updates to passwords, phone numbers, and email addresses. It supports the delivery of one-time passwords through SMS, Voice, Viber, FlashCall, and Email channels.


Verification Channels

Selecting the appropriate channels for your application can significantly enhance the adoption of two-factor authentication (2FA) and ensure the security of your customers. Routee MFA API provides support for multiple standalone channels for verification and authentication:

  • SMS
  • Voice
  • Viber
  • Email
  • Push

Each channel offers distinct advantages and drawbacks, outlined below. Many organizations offer a variety of channels to their users, allowing them to opt for their preferred method of verification.


SMS

SMS stands out as the most widely used channel for two-factor authentication (2FA). Its popularity stems from its broad accessibility, as most individuals can receive text messages, and its seamless onboarding process. Moreover, SMS 2FA has demonstrated effectiveness: Google's research revealed that SMS 2FA successfully thwarted "100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks."

While SMS remains prevalent, it's important to acknowledge its documented security vulnerabilities. Consequently, it may not be the optimal choice for high-profile end users such as elected officials or celebrities. Therefore, we recommend offering a range of 2FA options to cater to diverse security needs. Additionally, since SMS relies on telephony infrastructure, its deliverability and per-verification cost vary based on the messaging infrastructure in different countries of operation. In countries like the US and UK, where costs are low and deliverability is high, this may not pose a concern. However, software-based solutions like TOTP and Push can help mitigate these issues.

Voice

Voice serves as Routee's MFA main backup for non-smartphone authentication when SMS is not reliable. Unlike SMS, whose delivery rates can fluctuate globally, Voice is given priority on carrier networks, ensuring higher reliability. To confirm that a live user, not a potentially intercepted voicemail, receives the call, the Verify API prompts the user to enter a random keypad digit before delivering the token.

Voice also offers localization in dozens of languages.

Email

One-time passcodes (OTP) sent via email can safeguard your users in case their passwords are brute-forced or phished. Similar to SMS, email-based OTPs don't require downloading an additional app, making the onboarding process quick and seamless.

However, email as a two-factor authentication (2FA) channel has a significant drawback: the most common first factor, a password, is often reset through email. This means an attacker only needs to compromise your email inbox to gain account access. This can occur if the attacker knows your email password or has access to a live session (e.g., if you leave your email logged in on a shared computer). Learn more about the tradeoffs of using email for 2FA.

Push

Push authentication strikes the perfect balance between user convenience and security. This method involves sending a 'push notification' or message to a device, alerting the user that authentication is being requested for a login or action. It is the only authentication channel that allows users to explicitly deny an authentication request, helping businesses detect and respond to fraudulent activity. Push authentication is also one of the fastest methods and offers superior security compared to SMS, blocking "100% of automated bots, 99% of bulk phishing attacks, and 90% of targeted attacks," according to Google's research.

Push authentication leverages public key cryptography, ensuring that each authentication request is device-specific and resistant to phishing. The process operates through a separate notification channel that opens the approval dialog, eliminating the need for users to manually open an app and navigate to your site.

This method is ideal for companies with a substantial mobile app user base, as it allows for seamless integration of the authentication workflow within the app. However, it does require additional development work and necessitates that users have the application installed.

Viber

The Viber channel offers many of the same usability benefits as SMS, with the added advantage of being the most popular messaging service in over 100 countries. Incorporating Viber for one-time passcode (OTP) delivery can improve your verification conversion rate since it operates with just a Wi-Fi connection.

As a software-based channel, Viber does not charge for undelivered messages and is not vulnerable to fraud that targets the telecom network. The Verify API automatically generates authentication message templates in multiple languages, which you can customize with your own branding. Additionally, it provides a copy code button to enhance the user experience.