What is 2FA and how to use it to create an effective and cost-optimized authentication solution

What is 2FA?

Two-factor authentication (2FA) is a security process where a user must provide two authentication factors to prove their identity before accessing their account or making a transaction.

You don’t always realize it, but every time you complete simple actions like entering your PIN when using your debit card or showing your ID at the bank, you’re using a form of two-factor authentication.

For online transactions, multi-factor authentication usually includes a one-time pin code sent to person’s mobile device via SMS, WhatsApp, email or another channel.

It is an easy way for your customers to securely access their account information and ensure that their online transactions are secure and safe from the many tactics that fraudsters use including smishing, phishing, and SIM swapping.

In this article, we’ll take you through everything you need to know about 2FA and how to introduce it into your security processes to protect your customers and provide a secure experience that can differentiate you from competitors.

What are examples of authentication factors?

Authentication factors are pieces of information you need to gain access to an account or make a transaction.

The first authentication factor required is simple – your username and password. However, on their own these do not provide sufficient security as they can often be guessed or stolen when hackers access an organization’s database that stores this information.

This is where multi-factor authentication becomes crucial. Before you can complete your login or purchase, 2FA requires a second factor to validate your identity.

There are three main types of authentication factors:

  • What you know: a password, a PIN, or an answer to a security question. 
  • What you have: something physically in your possession like a phone, credit card, or fob. 
  • What you are: a biometric such as a fingerprint, your voice, or a retina or face scan. 

The most secure authentication solutions make use of multiple factors to suit each use case, and where OTPs are used – these can be sent on the best channel to ensure reliable deliverability and optimized costs for the organization.

Why passwords are not enough anymore

It’s no secret that remembering multiple passwords can be frustrating. Many people get around this by using the same password for multiple accounts – even those with less stringent security. This is a bad idea.

According to Verizon, in 2021, 82% of data breaches were due to poor password security that makes it easier for hackers to guess and access your data and information.


of data breaches are due to poor password security

Here are some common mistakes people make when creating a password:

  1. Using any personal information that can be easily discovered – children’s or pet’s names, mothers maiden name and name of schools and colleges that can be researched r learned using social engineering tactics.
  2. Changing only one digit or character in an old password
  3. Reusing old passwords
  4. Replacing a letter with a similar looking number (ex. ‘@’ for ‘a’)
  5. Using a single word instead of a random phrase or sentence
  6. Using a short password < 8 characters

Organizations can mitigate the risk by requiring customers to use longer and more complex passwords that are changed regularly. This will obviously have an impact on the customer experience by adding friction and annoyance, so this is why an optimized 2FA solution becomes critical.

How does two factor authentication work?

The most common use of 2FA is when a customer logs in using a password and then is sent a one-time pin (OTP) code to confirm their identity.

The customer should be able to choose the channel that they receive the code on, and a one-off verification code is generated then sent via that method.

A hacker would need to know your login/password AND have access to your phone in order to breach your account security.

To add even more layers of security then biometric checks can also be used, for example fingerprint, retina or face scans. Many modern smart phones already include biometric capability, which can be used by the authentication solution.

To read more on the technology behind two-factor authentication, see our 2FA process overview here.

Why is 2FA important?

Your customers’ security should be one of your highest priorities. If they become a victim of identify theft or a scam it could be completely life-changing for them.

According to Verizon80% of cyber breaches could be prevented by 2FA. This could be something as simple as a transaction requiring an OTP to complete.  

Recently Google also reported that 100% of automated bots, 99% of phishing attacks, and 66% of targeted attacks were blocked by two-factor authentication.

2FA provides an extra layer of security and makes it harder for attackers to access their accounts. Simply adding a layer of 2FA to logins and transaction processes can alleviate risk.

However, businesses should ensure that 2FA is used in the most effective and efficient way possible to ensure that customers do not get inconvenienced and associate increased security with increased hassle. This is where a flexible omnichannel authentication solution becomes crucial.

How effective is two factor authentication?


of automated bots blocked


of phishing attacks stopped


of targeted attacks prevented

Types of multifactor authentication

One-time pin codes (OTPs)

With almost 100% mobile phone ownership in most major markets, PIN codes sent to a mobile device are the most important form of 2FA.

However, it is crucial that thought is given to the best channel for sending the PIN, depending on the individual use case and the preferences of each customer. For example, some people may live or work in places with unreliable mobile or data signal – so the ability to configure a failover channel is key to ensure that codes are delivered securely and before they expire where time-based one-time PINs (TOTPs) are used.

Popular channels for sending 2FA messages include:

  • SMS 
  • RCS
  • Voice 
  • In-app push notifications 
  • Chat apps like WhatsApp, Viber, Zalo, KakaoTalk and others
  • Email 

An effective authentication solution should be able to automatically select the best primary and failover channel and trigger delivery of the OTP on the second channel when the first is not successful. This ensures that PIN codes are always delivered.

This reduces the overall overhead for the organization by ensuring that human intervention is only required when necessary.

Additional Components of 2FA

Other components of 2FA security include number look up and process tracking.

Number lookup is a great way to reduce costs and ensure a customer receives their PIN. By checking the status of a person’s phone number, you can ensure your customers receive their PIN on the channel that best suits them.

For OTT businesses, if a customer enters the wrong phone number, they can never get the SMS with the PIN number necessary to complete the installation. They could lose an excellent way to stay in touch with their friends, while the app makers lose a potential user. Having in mind the intense competition in the messaging space, this is likely to be the last thing app makers want.

By offering detailed insight into mobile networks to check numbers for validity, number lookup is extremely beneficial to OTT providers. It can provide insight on if a number is nonexistent, unused or landline phone and offers customers the chance to re-enter their phone number if it is incorrect.

Process tracking can measure how many PINS are sent versus how many are used. Measuring this conversion rate allows you to understand how your customers are using your 2FA service and how convenient it is for them. This additional insight can help you optimize your 2FA service, making it easier to use.

What are the benefits of 2FA?

1. Seamless Authentication

The goal of 2FA is to secure personal information while still providing a smooth user experience. Through push notifications, there’s no need to enter a PIN to confirm the authentication, a simple click is all that’s required.

An omnichannel 2FA is created by allowing customers to choose the method that best suits them, putting UX and security first.

2. Stronger security

It’s not easy for a hacker to bypass 2FA, making it an effective security tool against fraud. Potential threats would have to know lots of information to gain access and duplicate information, not just one password.

Turning on two-factor authentication is an easy way to stay protected. Even the simplest form of 2FA puts a practically impenetrable wall between hackers and your customers’ personal information.

Taking these steps to protect your customers’ accounts will offer them the highest level of security and the best UX, creating happy and secure customers all around.

3. Increased productivity and flexibility

Companies that embrace new technology are likely to experience better productivity and flexibility. Customers can sign up for services faster and more securely than before.

In businesses, 2FA is used so employees can securely access corporate applications, data, documents, and back-office systems from virtually any location without putting company data at risk.

4. Lower security management costs

Implementing 2FA can help reduce the lengthy and costly password reset calls and can act as a secure way for customers to sort these issues out themselves.

Reducing customer interactions with call centers, not only strengthens security but also improves UX. Then, as a massive bonus, operational overheads that are associated with security controls are reduced.

5. Drives customer confidence

Having stronger security measures for ecommerce sites increases consumers’ trust. Consumers are more likely to trust other consumers on sites like eBay or PayPal knowing that everyone on the system must pass through the same tight security as they did. Building a large circle of trust within the community—especially with services like eBay and Etsy—is essential to these services’ long-term success.

What are the benefits of creating a resend strategy?

If a person is impatient to receive an OTP they might click on the ‘send a new code’ option. Every time a person does this it translates to additional costs for the business.

An effective re-send strategy incorporates a set of rules for requesting OTPs that balances the security of the customer with the costs for the business.

For example, how often can a user request a new verification PIN? Will all PINs be sent via the same channel? Can the same PIN be reused? All these questions are covered by an effective 2FA resend strategy.

The benefits are clear:

  • Deliver a better, more transparent experience for your customers
  • Reduce the costs of sending OTPs
  • Reduce the risk of your messages being perceived as spam by SMS and email servers and providers
  • Reduce the load on your API and ensure that daily trigger limits are not reached

Best practices for creating a resend strategy

1. Give users the option to select their preferred method of OTP delivery

By giving users choice it allows them to select the best option in situations where they may not have access to a mobile or data signal. This increases delivery rates and reduces costs as it reduces OTP resend requests.

Offer at least two of the most common options – SMS, WhatsApp, Voice, Email, or push notifications from you app.

2. Set a time limit before allowing a resend request

The sweet spot for a buffer period is generally between 30 to 60 seconds for the first attempt and 60 to 90 seconds for the second attempt. After that, you can extend to a slightly longer time, for example 5 minutes.

A good option is to change the color of the ‘Re-send verification code’ button or grey it out until the buffer period is up. In addition, you could add a timer so that the user knows when they will be able to request a new code.

3. Restrict the number of PINs that can be sent per day

This is an important tactic to prevent SMS pumping fraud which is when fraudsters use bots to make multiple fake OTP requests to a business, causing a spike in their costs. To prevent this, you can restrict the number of PINs a user can request in a single day. For example, if they select five or more the service is temporarily blocked for 24 hours.

Where the service is temporarily blocked, it is important to offer an alternative for genuine users to resolve their problem, such as a chatbot, FAQ link, or helpdesk service.

4. After a failed attempt ask users to verify their e-mail/phone number

If a person enters the wrong phone number, they will never be able to receive the PIN number needed to complete the verification. To prevent this, you should ask the user to check or even re-enter their email or phone number. Another option is to use a solution such as Number Lookup, which analyzes whether a number exists, whether it is a landline, and whether it is active before any kind of PIN is sent. You can then give genuine users the best chance to enter a valid number to receive their PIN.

5. Set a time limit on your OTPs

It is very important that you restrict the time that a PIN code is valid for. The exact time period will depend on the type and value of the transaction – for a high value transaction the code should expire after a shorter period to reduce the chances of fraud.

Once the code has expired the user will have to request a new one to complete the verification process.

6. Invalidate existing OTPs as soon as a new one is sent

If a user requests a new verification code, it is essential that you invalidate the code previously sent to prevent it being intercepted. This is especially relevant if your customer has changed channels between the first and second attempt.

7. Monitor your OTP delivery metrics

To mitigate the effect of a fraud attack and to control costs you should continually monitor the metrics related to the delivery of your OTPs. It is especially important to look at the ratio between how many PINs were sent and how many were actually used. This should remain fairly steady; any significant jump in the ratio may indicate a fraud attack.

It is also worth separating this analysis by channel. Measuring conversion rates across channels will give you insights into how your customers are using your 2FA service and how you can fine-tune your strategy to provide a better CX and reduce costs.

Industry use-cases for 2FA


It is common, and crucial for banks to use 2FA services. From requiring a PIN to access your bank card, to a TOTP to finalize money transfers, 2FA keeps the banking information of customers safe and secure.


Online retailers often use 2FA during the login process. When credit card information can be saved and stored on their accounts, it is essential to add an extra layer of protection for their customers to feel safe buying from their sites.


Healthcare organizations are responsible for securing patient data and information. By using 2FA, they can reassure their patients that only they have access to their medical records. 2FA is also required for doctors to access patient files.


Governments have had to make a shift to using online and cloud-based platforms for people to access their government accounts. This can include anything from student loan accounts, retirement savings, applications for driver licenses and other government services. Using 2FA offers the safest and most user-friendly experience. People can now securely access many government documents and records online with little to no hassle. This makes using government sites easier than ever.

Discover the future of authentication

Infobip helps businesses from global brands to independent retailers to secure their customers and transactions.

Infobip Authenticate is unique in the market as it incorporates multiple channels and analyses various factors, including cost and popularity, to determine the best channel for each OTP.

Currently available channels for optimized OTP delivery are SMS, RCS, WhatsApp, Voice, Viber, Zalo and KakaoTalk. This ensures that your OTPs are always delivered promptly and reliably in every destination.

Crucially, the solution is designed to blend seamlessly into existing business processes so that your customers benefit from an easy and consistent experience that reduces friction all the way from account registration to purchase.

By implementing quality 2FA solutions companies are signaling to consumers that they take security seriously. This is increasingly important as we trust more of our digital lives to online services.

Just some of the brands that trust Infobip to help with their authentication challenges include:

  • Uber: Protecting customers with call anonymization and number masking.
  • Leanpay: Helping to support a 20% month-on-month growth in registered users with two-factor authentication.
  • Bukalapak: Improved user security AND increased delivery rates.
  • Nickel: Simplified onboarding and cost optimizations with SMS 2FA solution.
  • Yousign: Increasing one-time PIN (OTP) delivery rates to over 97% via SMS and text-to-speech (TTS) failover.

Speak to an expert about your authentication requirements

Get in touch
Oct 25th, 2023
12 min read