Hi, we are looking to implement 2FA - so that users would be sent a verification code over their email and by SMS to their phone.
We faced some limitations with Amazon SNS where we could either send the verification code to email OR to the phone number, while we want to send it to both.
We also are looking to make the 2FA more flexible by adding any other options later on.
What are the best alternatives to SNS for this use case and purpose? Looked at Twilio but want to explore other options before making a decision.
Would be great to know what the experience with Twilio has been, especially the limitations/issues with Twilio...
Appreciate any input from users of Twilio and others who have had similar use cases.
Hi there, Ravi! Full disclosure: I used to work for Twilio.
User experience and developer experience are the primary reasons I'd recommend Twilio. Starting with user experience:
Simplicity: There's a reason companies with great engineering talent (like Stripe and Shopify) hand off the implementation of scalable 2FA infrastructure to Twilio - it's because they see improved user conversions and experience, by leaning on the dedicated Verification team at Twilio.
Reliability: Twilio has been building out even more regionalized infrastructure the past two years for improved service reliability. The Verify service also optimizes the telecommunications providers + sending phone numbers that are used if they ever detect lower-than-usual 2FA conversion rates (if they measure that users aren't entering 2FA codes at normal rates, they automatically route traffic differently to improve and ensure messages are getting delivered).
On the topic of developer experience:
Ease of integration: I worked with customers who had MFA proofs of concept running in one afternoon. Twilio has easy-to-understand documentation and code examples to get started in a variety of languages: https://www.twilio.com/docs/verify
Extensibility: As you mentioned in your post, you're considering SMS and Email channels for MFA today, but want to keep your options open for improving security and UX. Twilio already offers additional verification channels, like Voice, in-app Push Notifications, and TOTP integrations with authenticator apps like Authy and Google Authenticator. For additional security considerations, Twilio's Lookup API v2 provides a useful database of information about users' phones, to complement your MFA implementation.
Maintainability: Twilio has a solid track record for improving its Verification & security solutions since they've launched them, and last I knew while working there, planned to continue to invest strategically in these offerings.
Hi Ravi - I spent 5 years at Twilio and am currently over at Messagebird (CPaaS).
Generally, there are two options:
- Use an SMS API and own the logic on your side (phone number provisioning, token creation, token validation, retries, fallback etc.)
- Verify Solution (which both Messagebird and Twilio offer): Verify provides a purpose-built API. Number provisioning (especially challenging globally), token creation, retries, fallback methods, etc. are managed by the Verify solution.
Messagebird helps the largest senders with use cases like OTP globally, and you have the choice to own the development, or use the Verify API. Anecdotally, our global network, and the maturity of our network, makes us stand apart in regards to global reach and deliverability.
Happy to chat, feel free to reach out.
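What "owning the logic on your side" involves for the email-plus-SMS case in the question, as an added example that is not part of the original thread and is not any vendor's API. `OtpService`, the channel callables and the in-memory store are hypothetical names chosen for illustration; real senders would wrap whichever email and SMS providers are used.

```python
import hashlib, hmac, secrets, time

class OtpService:
    """One code per user, delivered over every registered channel."""
    def __init__(self, channels, ttl=300, max_attempts=5, clock=time.time):
        self.channels = channels            # name -> callable(user, code); hypothetical senders
        self.ttl, self.max_attempts, self.clock = ttl, max_attempts, clock
        self.key = secrets.token_bytes(32)  # per-process HMAC key; codes are never stored in clear
        self.pending = {}                   # user -> [digest, expires_at, attempts_left]

    def _digest(self, user, code):
        return hmac.new(self.key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
        self.pending[user] = [self._digest(user, code), self.clock() + self.ttl, self.max_attempts]
        delivered = []
        for name, send in self.channels.items():
            try:
                send(user, code)
                delivered.append(name)
            except Exception:
                continue                    # one channel failing must not block the others
        if not delivered:
            del self.pending[user]          # nothing reached the user; leave no live code behind
        return delivered

    def verify(self, user, code):
        entry = self.pending.get(user)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self.clock() > expires_at or attempts_left <= 0:
            del self.pending[user]          # expired or guess budget spent
            return False
        entry[2] -= 1                       # every guess costs an attempt
        if hmac.compare_digest(digest, self._digest(user, code)):
            del self.pending[user]          # single use
            return True
        return False

def demo():
    outbox = []                             # constructed stand-ins for real email/SMS senders
    svc = OtpService({"email": lambda u, c: outbox.append(("email", u, c)),
                      "sms": lambda u, c: outbox.append(("sms", u, c))})
    delivered = svc.issue("user-1")
    code = outbox[0][2]
    return delivered, svc.verify("user-1", "x" + code[1:]), svc.verify("user-1", code), svc.verify("user-1", code)
```

Adding another channel later means registering one more callable; the expiry, attempt limit and single-use handling stay in one place.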