How does Verigator make 2FA better?

Raili Liiva

20 Mar 2018

5 min read


Let’s face it. Two-factor authentication is still widely under-used. Google painted an alarming picture: 90% of its Gmail users haven’t enabled 2FA in any form.  

That’s nuts. Gmail has 1.2 billion active users and most of them don’t use anything more than a password to protect their accounts. But email accounts aren’t the only concern – what about everything else? Globally, internet users average over 90 online accounts. Americans have an average of 130 online accounts and people in the UK have 118 online accounts.

It only takes one hijacked account or account breach to have an impact on someone’s life and become costly for businesses.  

Businesses know they must put in the effort to protect their users – and GDPR mandates it. Yet UI/UX developers and product owners walk a fine line between user experience and securing their customers.

Which is why we built Verigator a certain way.  

The most straightforward way to get users to use 2FA is to force it with SMS PIN codes. It’s common for businesses that provide online accounts or mobile apps to ask for mobile phone numbers to verify new users through SMS PIN codes. They’re turning to the same technology for two-factor authentication – that is, send an SMS PIN code every time a user logs into an account, whether from a web browser or an app.

Messente’s API does both phone number verification and two-factor authentication from the same API. Technically, they both do the same thing, but the logic from the users’ perspective is that they’re verified with a PIN code when the account is created, then they “authenticate” every time they log in with a password and a PIN code.  

Verigator, our 2FA mobile app, doesn’t use SMS PIN codes for two-factor authentication, though. It uses six-digit one-time passwords that expire after a certain period of time, usually 30-60 seconds. These time-based one-time passwords (TOTP) are calculated independently by both the Verigator app and Messente’s API, so they’re safe from SS7 vulnerabilities, which have put SMS under some scrutiny. Only the user-entered TOTP is transmitted to the API by the online service in question, as the online service checks with Messente’s API if the correct TOTP was entered before access is granted.
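The check described above, as an added example that is not Verigator's or Messente's code: both sides derive the code from a shared secret and the clock, and only the six digits travel. It assumes standard RFC 6238 TOTP with HMAC-SHA1, a 30-second step and a secret shared at enrollment; `totp`, `Verifier` and the sample secret are hypothetical names and constructed values.

```python
import hashlib
import hmac
import struct

STEP = 30    # seconds per code; the post says 30-60, 30 is assumed here
DIGITS = 6   # six-digit codes, as in the post


def totp(secret: bytes, at: float) -> str:
    """RFC 6238 code for the time step containing `at` (HMAC-SHA1 assumed)."""
    counter = int(at // STEP)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: recomputes the code locally from its own copy of the secret."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps  # tolerated clock skew, in steps
        self.last_step = -1             # newest step already accepted

    def check(self, submitted: str, at: float) -> bool:
        now = int(at // STEP)
        first = max(0, now - self.drift_steps)
        for step in range(first, now + self.drift_steps + 1):
            if step <= self.last_step:
                continue  # code for this step was already used: no replay
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.last_step = step
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"   # constructed sample: RFC 6238 test secret
    code = totp(secret, 59)            # what the app would display at t=59
    server = Verifier(secret)          # never receives anything but `code`
    print(code, server.check(code, 59), server.check(code, 59))
```

The second `check` of the same code fails because the verifier remembers the last accepted time step, so a code captured in transit cannot be reused even inside its validity window.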

Users install the app on their iOS or Android device and create an account, which is verified via an SMS PIN code. And here’s the magic: Any online service that uses Messente’s API will automatically appear in a corresponding user’s Verigator app (assuming the user provides the same mobile number). Even better: A push notification is sent to users when they log in, so they don’t have to search for the account in the app.

That’s right, no scanning of QR codes or any other steps to get users onboard with TOTP 2FA. Brands and businesses can utilize a single API to tackle phone number verification, SMS 2FA, and TOTP 2FA. Encouraging users to use Verigator keeps the seamless simplicity of sending SMS PIN codes, while being that much more secure, making the user sign-in experience much less cumbersome. 

Verigator users can also use the 2FA app with any other online service that doesn’t use our API, as long as they have a QR code to scan. While it defeats the purpose of a seamless single API approach for SMS and TOTP, it allows users to minimize how many 2FA apps they install. 

So if you’re already using SMS PIN codes to authenticate users every time they log in, have you thought about how to make it better?


Raili Liiva

Sales Researcher

Raili leads Messente's 2-factor authentication solution and takes care of our SMS API clients. She is passionate about online security and is helping businesses protect their user accounts against hijackings.  
