
Authentication Channels

Choosing the right authentication channels for your application can help increase 2FA adoption and keep your customers secure. Twilio's Verify API supports several independent channels for authentication:

  1. SMS
  2. Voice
  3. Email
  4. Push
  5. Time-based one-time passwords (TOTP)

Each channel has various pros and cons, covered below. Many companies offer an assortment of channels to their customers so that customers can choose their preferred channel.

SMS

SMS is the most popular channel for two-factor authentication (2FA). That's because most people can receive text messages and onboarding is seamless. Plus, SMS 2FA works: Google found that SMS 2FA helped block "100% of automated bots, 96% of bulk phishing attacks, and 76% of targeted attacks."


SMS has documented security weaknesses, which means it might not be the best choice for high-profile end users like elected officials or celebrities. This is why we recommend offering a spectrum of 2FA options. Because SMS relies on telephony, deliverability and per-verification cost depend on the underlying messaging infrastructure in the countries where your business operates. In some countries, like the US and UK, cost is low and deliverability is high, so this might not be a concern. Software-based solutions like TOTP and Push help mitigate this.

Get started with SMS.

Voice

Voice is Twilio's primary backup to SMS for non-smartphone authentication. While SMS delivery rates vary over the globe, Voice is prioritized on carrier networks and gives the greatest reliability. To ensure there is a live user at the other end of the call and not a voicemail that can be intercepted, the Verify API will challenge a user with a random keypad digit before reading them the token.

Voice supports localization for dozens of languages.

Get started with voice.

Email

One-time passcodes (OTPs) sent to email can help protect your users if their password is brute-forced or phished. Like SMS, email doesn't require downloading another app, so onboarding will be quick and seamless.

The problem with email as a 2FA delivery channel is that the most common first factor, a password, can usually be reset via an email. That means that an attacker only has to compromise one factor, your email inbox, to take over your account. This can happen if they know your email account password or if they have access to a live session (e.g. if you leave your email logged into a shared computer). Learn more about email 2FA tradeoffs.

Get started with email.

For additional setup instructions see twilio.com/docs/verify/email


Push

Push authentication is the best solution for balancing user convenience and security. Authentication can happen through a 'push notification' or message sent to a device, alerting the user that authentication is being requested for some login or action. This is the only authentication channel that allows users to explicitly deny an authentication request, which could help alert your business to fraudulent activity. Push is also one of the fastest authentication channels and offers increased security compared to SMS, preventing "100% of automated bots, 99% of bulk phishing attacks and 90% of targeted attacks" in Google's research.


Push authentication uses public key cryptography, which means that each authentication request is tied to a device and the method is resistant to phishing. Authentication happens through a separate notification channel which opens the approval dialog, so there is no need for the user to manually open an app and scroll to find your site.

Push authentication is a great solution for companies that already have a lot of mobile app users, since you can embed the authentication workflow directly into your application. However, the method does require additional development work and requires that your users have downloaded the application.

Get started with Push.

TOTP

Time-based one-time passcode (TOTP) is an excellent choice for users who can download an application for their mobile device or computer. Unique numeric passwords are generated with an algorithm that uses the current time as an input. This method relies on symmetric key cryptography and tokens automatically expire, offering increased security. As long as a device's time is synced, the codes will even work offline. Twilio's Authy app automatically counters clock drift and network time synchronization errors by opportunistically refreshing the clock whenever it has network access.

This method does require that the end user installs a special app like Authy or Google Authenticator, which some users may be unwilling to do. One study observed that TOTP setup was 2.5x slower than SMS for 2FA, which could discourage some users from enabling the second factor.

Even so, TOTP scored the highest usability rating among second factors. Overall, TOTP is a solid option and we see a lot of security-conscious companies adding TOTP as a 2FA option.


TOTP is currently only available via the Authy API. Our plan is to add TOTP and other verification channels to Verify. Please reach out if you have specific channel requests.

Questions?

Not sure which channel is right for you? Get in touch and we can help you decide.
