We’re excited to announce the beta launch of Verify, an API to deliver easy two-factor authentication with messaging and voice.
The Telnyx team is excited to announce the beta launch of our newest product — Verify API. Verify was created to deliver easy two-factor authentication (2FA) using messaging and voice — all through a simple API and self service platform.
Our developer-friendly API makes it easy to build and automate two factor authentication flows to help authorized customers log on to accounts, verify transactions or confirm account changes with an extra layer of security. Before we take a deep dive into the product features, let’s talk about what two factor authentication is and its relevance to today’s world.
Authentication is a means of verifying one’s identity, or confirming that someone really is who they claim to be. is a method of establishing access to an online destination, by requiring users to provide two different types of information. The factors, or types of information, fall under three categories: something you know, something you have, and something you are.
Related articles
Here are some examples of each factor:
The most common mode of single factor authentication is the username password pair. With two factor authentication, users need to both provide a password and prove their identity some other way to gain access. Mobile device based authentication methods, allows businesses to send a time expiring one time password via SMS or voice. This is what the Telnyx Verify API provides. In this case, the OTP is of a different factor of information than the username and password combination, fulfilling the two factor authentication requirement.
So, you might be thinking, “All of this makes sense, but is two factor authentication really necessary?” To give you the short answer: Absolutely. If you consider a username and password combination to be enough to safeguard your account, then consider these stats:
Compromised usernames and passwords can lead to unauthorized access, which can lead to fraudulent transactions and data breaches. In the first half of 2020, there were 540 publicly reported data breaches impacting a total of 163,551,023 individuals. On average, data breaches cost businesses $4 million per incident. Adding a second layer of authentication is a necessary step to make transactions and other high risk actions more secure, as well as protecting both your business’s assets and your customers’ privacy.
Research in the information security space has shown that the global market for vtwo factor authentication will be expanding at 17.28% CAGR between 2018 and 2024, with a valuation of 8.98 billion dollars by the end of the forecast period. Specifically, the market for one time passwords is expected to grow from 1.54 billion dollars in 2018 to 3.26 billion by 2024. Among other factors, the popularity and growth of this technology is due to a growing awareness regarding the importance of protecting and limiting access to individual and corporate information.
A business’s needs for two factor authentication OTPs can vary based on size, customer base, and the number of logins or transaction confirmations that occur in a month. Due to this variability, it’s important to choose a two factor authentication solution with a flexible pricing model so that your organization can easily scale up or down based on use case, volume, and needs. Another thing to keep in mind is the total cost of ownership for a two factor authentication solution, and whether it provides upfront value to your organization and customers, or if there are hidden costs and drawbacks.
We built Telnyx Verify to empower developers to build compliant, scalable two factor authentication solutions with minimal resources. Our robust developer documentation and API reference make it easy to get started with Verify in just two simple steps. Our built-in features make it possible to deploy and provision OTPs quickly, so that you can gain visibility into digital environments and immediately start reducing risks to security. Some of these features include:
The world of internet security can be hard to navigate, and two factor authentication best practices can sometimes be industry specific. But overall, cyber security is a concern for all. In fact a risk index by Travelers, based on a study conducted by Hart Research of 1,200 American businesses, found that it was the top concern for businesses in 2019 across several industries and regardless of size. 75% of study respondents agreed that the proper preventative measures, such as implementing an effective two factor authentication solution, are "critical to the well-being of a business."
Here’s a few examples of how text and voice based OTPs can be applied to everyday business operations.
Secure Login requests Username and password combinations are not enough to ensure secure login requests. Incorporating SMS or Voice authentication into any login sequence helps to keep out any unauthorized users into accessing and entering guarded digital environments.
Device Authentication There are other forms of proving your identity with “what you have,” through hardware like SIM cards and USBs. However, mobile devices are ubiquitous, making OTP via SMS or Voice the most effective way to accomplish this goal.
Confirm Account Changes Requiring customers to enter one-time passwords sent by SMS or Voice before they make high value purchases, transactions, or drastic changes to account settings, can help reduce the risk of fraudulent activity.
Let’s take a look at how industry leaders are using mobile device based two factor authentication to implement preventative security measures.
E-commerce fraud has increased year over year since 2010, with payment card fraud losses incurred by merchants and card holders totaling $9.47 billion in 2018, in the United States alone. These financial burdens include the cost of lost merchandise, shipping and handling on fraudulent orders, and chargeback fees from the issuing bank. Not to mention, these instances can also decrease company reputation and, if severe enough, can result in the loss of merchant accounts.
Thankfully, two factor authentication adds extra layers of security that fraudsters must overcome to break into these systems. Even if they do correctly guess the password and username at login, it is unlikely that they have access to the mobile device with the time expiring OTP. As a result, many online merchants and e-commerce companies are implementing OTPs to confirm e-commerce transactions, or validate buyers and sellers before money transfers. In addition to the immediate benefits, additional security layers also bring shoppers peace of mind which allows them to remain loyal and continue making purchases on the platform.
It goes without saying that patient information is considered highly sensitive, and therefore robust safety measures should be put in place to protect access to this information at all costs. The vast amount of sensitive data -- social security numbers, home addresses, date of birth -- collected by healthcare companies make them a major target in cyberattacks. Peter Carlisle, head of EMEA at cloud and data security company Thales eSecurity, warns that cyber-criminals can sell this data, use it for identity theft, fraudulently acquire benefits like Medicaid and Medicare, or obtain prescriptions. In 2015, in a cyber-attack on Anthem, Inc., the largest for-profit managed health care company in the Blue Cross Blue Shield Association, hackers stole 78.8 million patient records.
To combat these high stake risks, many healthcare providers and companies have included two factor authentication into their cyber security strategies, which requires additional authentication to log into online patient portals and databases.
Since the outbreak of the global COVID-19 pandemic, many higher education institutions have moved at least some part of their curriculum to remote learning. Some institutions in states with high outbreaks have even announced full time remote for the entire school year. In the age of digital learning, this means that lectures and discussions have been delivered through online tools like Zoom which, like all other technologies, come with security concerns.
Fortune reported earlier this year on several reports of hacks targeting online Zoom classes, called “zoombombing,” at large institutions like Arizona State University. The problem has become so prevalent that at the end of March, the FBI issued a warning about video conference hijacking and offered steps to mitigate the threat.
These disruptions clearly lower the quality of education and act as barriers to learning, but they also have the potential to escalate into something more dangerous -- at UCLA, a Zoom classroom was hacked and was used to deliver cyber attacks in the form of hate speech and racial slurs.
Following these instances and public pushback to protect its students, many institutions have turned to two factor authentication as a tactic to keep unauthorized users from accessing institutional resources, in order to cultivate a safe online learning environment and protect student information.
As of August 2020, a total of 40 states offer online registration, with one other state (Oklahoma) currently phasing in implementation. Moving voter registration -- the foundation for voting in this country -- online has made civic engagement more accessible for many. However, it has also resurfaced national conversations in the months leading up to a critical election, regarding concerns about the security of voter data and of the registration process at large. In the 2016 election, at least 18 state voter registration databases were scanned by Russian-affiliated cyber actors in 2016; online voter registration websites house millions of records of online voters, and unauthorized access into these systems can result in alteration, or even deletion of critical voter registration data.
Legislators are turning concerns about cybersecurity and voter registration into policy, and in addition to state action, experts are suggesting that two methods of authentication are used to verify the identity of those registering to vote. Many states across the country have adopted these measures, including in Iowa, where Secretary of State Paul Pate put multifactor authentication in place for anyone who accesses the state’s voter registration database.
Our digital landscape has created a need for effective, robust cybersecurity solutions across all industries. Thankfully, Telnyx has made it possible for your organization to achieve its security goals with our Verify API. To get started using our two factor authentication services, simply sign up for an account on our Mission Control Portal and navigate to the Verify API section on the left hand side. Once you’ve done that, follow the steps in this quickstart guide to start using your data.
You’ll find tutorials and product information in our Developer Center, plus complete API reference.
If you have any questions along the way, get in touch with our technical experts via our dedicated developer Slack channel.
What is the Telnyx Verify API? The Verify API lets your app confirm phone ownership by sending one-time passcodes over SMS or voice. It provides endpoints to create challenges, deliver codes, and validate user input with configurable security policies.
How does a verification flow work with Telnyx? Your server requests a verification, a code is delivered to the user, and the user submits that code for validation. You control code length, time-to-live, and retry rules to balance usability and security.
What channels and countries does the Verify API support? Most implementations use SMS worldwide with voice as a fallback where messaging is limited. When you send codes over SMS, you use messaging types that align with local regulations and sender ID rules.
Can I customize code length, templates, and languages? Yes, you can set numeric or alphanumeric codes, choose the length, and define expiration. Message templates support localization and branded variables so users get clear, consistent instructions.
How do I prevent abuse and SIM-swap fraud in my verification flow? Enforce rate limits per user, IP, and device, cap attempts, and expire codes quickly. Add device fingerprinting, reCAPTCHA, and voice fallback to maintain continuity when SMS is filtered.
Should I use SMS, MMS, or voice for one-time passcodes? Use SMS for primary OTP delivery, with voice as a resilient fallback in high-friction routes. MMS is not recommended for codes, and understanding the difference between SMS and MMS helps set content and size policies correctly.
Where do developers start to implement and test the Verify API? Begin with API credentials, a test number, and a simple script to trigger and validate challenges end to end. Quickstarts and reference patterns live on the Telnyx Developers site, including guidance for webhooks, retries, and monitoring.
