
Two factor authentication:

The new OTP is nOTP

E-Book
Introduction
With the digital landscape growing every day and
passwords at risk of being compromised, two factor
authentication (2FA) is the only effective way to thwart
hacks and brute force attacks.
You might have the world’s strongest password with
alphanumeric characters, numbers, and even an
enigmatic hieroglyph, but still be at risk of a cyberattack.
2FA is an extra layer of security on your password.



What is two factor authentication / 2FA?

Two factor authentication is a method of granting access to
the user after they confirm their identity by presenting a
combination of two different factors of previously
established evidence. Two factor authentication has
become one of the best ways to ensure that only one
person can log in to your account: you.

[Figure: Something you know; Something you have]



Users have relied on simple attributes like email address, username, phone numbers and a
password to access their accounts. Come to think of it, except the password, it is fairly easy
to find out the rest of the information. A 2 step verification is the absolute need of the hour
to add a layer of security on your existing password.

Two factor authentication solutions require a user to verify their identity in two unique ways
before granting them access to a system. The most common way for this authentication is for a
user to enter a one time password that gets dynamically generated and sent via a channel that
only the user has access to.

According to cybersecurity market leader Symantec, 80% of security breaches can be
avoided by using 2FA.



History of 2FA
2FA has been in play in our lives for a long time now. The key to the
safety deposit box which contains your valuables in the bank is a
good example of two factor authentication. As a first step of
verification, the bank authorities match you to the photograph on
the account. This first factor establishes “something you
know/are”— your identity as the account holder, and the second
factor establishes “something you have”— the possession of the key.


In the 2000s, organizations were enabled with infrastructure to enforce two factor
authentication in their own ways. Tokens were the predominantly used method of two-factor
authentication. They were of two types: hardware token and software token (also known as
hard token and soft token interchangeably).

A hardware token is a device such as a USB stick or a dongle with the security key, that is to
be plugged into the system to allow access.

A software token, on the other hand, uses a software to authenticate a user. For example, a
code is sent from a software to your email account in order for authentication.

These were the solutions that were available to large organizations to secure their data. As
this was not in the interest of the common man, it was viewed and thought of as an “extra step
to complicate their lives”.

Fortunately, many companies worked on easing this process and soon two factor authentication
went from “can have” to “must have” for users.



How does 2FA work?
[Figure: Password + Proof = Access]

What it means for the business


According to a survey, 70% of the respondents no longer trust passwords to protect their
accounts. A good 68% of them want companies to provide an extra layer of security.
Luckily for the business, it already exists in the form of two factor authentication.

Not a day passes by without some news or the other about data breaches or security threats,
never mind the size of the business. Apart from those obvious reasons, traditionally speaking,
single sign-on (SSO) architecture is not as secure anymore. If you can access anything at the
click of a button, is it really that safe?

Businesses nowadays are securing user accounts from being compromised, and verifying
high-value transactions by sending one-time passcodes to verified end-user phone numbers.
This simple and effective action helps in winning the confidence of the customers.



Types of 2FA
There are many ways to implement 2FA into your
security systems. All these methods have their pros
and cons, but all of them serve the purpose of boosting
the security of the accounts when implemented. Apart
from the hard and soft tokens, these are a few other
authentication solutions:



SMS OTP
SMS OTP (one time password) is the most
common method of implementing 2FA. This
method sends a unique 5-10 digit code via SMS to
the user, after their username and password are
verified. The user is required to provide this code
before they are granted access.

Pros:
Simple: almost everyone is familiar with SMS
Availability: every mobile phone is SMS capable
Cost: economical to setup and manage

Cons:
Connectivity: cell signal needs to be strong to receive the code
Security: SMS text messages can be intercepted
Device: mobile device presence is required to authenticate
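
The SMS OTP step described above, as an added Python example that is not from this e-book or from Exotel: the server issues a random code once the password check has passed and accepts it only once, within a short window and a capped number of guesses, which limits what an intercepted or guessed code is worth. The 120-second lifetime, the three-attempt cap, the in-memory store and the name OtpStore are assumptions; sending the SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120   # assumed validity window
MAX_ATTEMPTS = 3        # assumed cap on guesses per issued code


class OtpStore:
    """Pending codes keyed by user id (hypothetical in-memory design)."""

    def __init__(self, digits=6, clock=time.time):
        if not 5 <= digits <= 10:   # the 5-10 digit range given in the text
            raise ValueError("digits must be between 5 and 10")
        self.digits, self.clock, self.pending = digits, clock, {}

    @staticmethod
    def _digest(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id):
        """Call only after the username and password have been verified."""
        # secrets draws from the OS CSPRNG; random.randint is predictable.
        code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.pending[user_id] = {
            "digest": self._digest(code),   # keep a digest, not the code
            "expires": self.clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code   # pass to the SMS gateway; do not log it

    def verify(self, user_id, submitted):
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        expired = self.clock() > entry["expires"]
        if expired or entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user_id]   # force a fresh code to be issued
            return False
        entry["attempts"] += 1
        # Constant-time comparison avoids leaking how much of the code matched.
        if hmac.compare_digest(entry["digest"], self._digest(submitted)):
            del self.pending[user_id]   # single use: a replayed code fails
            return True
        return False
```
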



Email OTP
Email OTP is similar to SMS OTP, except the code
is sent via email. Alternately, the user can also click
on the link provided in the email to authenticate
themselves.

Pros:
Easy: users can receive emails on both their personal computer and mobile phone
Cost: economical to setup and manage
Choice: can give the user additional option to verify, by clicking a link

Cons:
Delivery failure: email can go to spam, bounced by server, delivery can be delayed, etc.
Security: emails are susceptible to hacks



Phone call OTP
This method initiates a phone call to the user once
they have verified their username and password.
The call provides them with a dynamic OTP. Voice
OTP method is quickly catching up as a favorite
with Exotel’s customers.

Pros:
Easy to use: as simple as answering a phone call
Cost: inexpensive to setup and manage
Reliability: voice consumes less bandwidth than data, so this is a fine alternative to
email based verification when mobile data is not available

Cons:
Security: calls are weak from a security viewpoint, as they can be intercepted
Connectivity: cell signal strength is required, and the device has to be with the user at
all times



Introducing nOTP
All of the above listed methods require the user to enter the
code received via OTP. This is a dampener on the user
experience of the product.
Is it possible to reap the benefits of two factor authentication,
and yet not have the customers enter an OTP? Is it possible to
marry the best of both worlds?



Enter nOTP!
nOTP is a revolutionary product from Exotel that helps secure your business by verifying customer identity.
Available as an SDK for Android phones, nOTP allows users to verify with absolutely no actions from their
end. All they have to do is enter their phone number, and click on the ‘verify’ option. Everything else happens
automatically, and the number is verified.
nOTP works without an SMS, and only with a missed call. It is simple and makes number authentication
foolproof.

How it works
1. On clicking “verify”, Exotel triggers a call to the customer’s number.
2. Exotel SDK intercepts the call and disconnects it after verifying the user.
3. Exotel pings the server with the information, and the number is now verified.

[Figure: Verify; Missed call; Your number is verified]



Why you must consider
nOTP for your business
Although SMS is used for OTP widely, it is not always convenient.
nOTP is a much better alternative for the reasons mentioned below.
Besides, it makes sense to choose a solution that is cheaper and takes
less delivery time than SMS, doesn’t it?



Up to 42% cheaper than SMS: SMS is the most inexpensive form of communication there is.
nOTP is cheaper than SMS, because it involves only a missed call. This difference makes
absolute sense for a business that verifies a large number of users.

Up to 2X faster than SMS OTP: Although most of the times SMS is sent and received in a few
seconds, the networks experience congestion sometimes and you may never receive the OTP
within the set time limit. On the other hand, nOTP is much more reliable and quicker.

[Chart: Cost comparison - SMS OTP v/s nOTP (Cost by verification method)]
[Chart: Verification duration - SMS OTP v/s nOTP (Time by verification method)]



Superior verification rates: nOTP provides superior results for successful verifications. And
you pay only for successful verifications.

Seamless user experience: The user doesn’t have to wait for the OTP, or enter the code to verify.

Higher number of user verifications: nOTP is a quick and effective method to validate user phone
numbers. So the number of verifications that can be done is high.

nOTP for your business

Spam prevention: Control spam registrations, and avoid fake signups.

Password reset: Verify users with nOTP to reset password, instead of sending them codes via SMS.

Two factor authentication: Introduce an extra layer of security, without adding complexity to
your customers.

Passwordless login: Do away with passwords as users can be verified using nOTP every time
they log in.



Success Story: Adoption of 2FA and nOTP
One of the biggest marketplace players in Indonesia uses Exotel
for 2FA solutions. With over 2 million merchants and several
million customers on their platform, it is inevitable that they use
two factor authentication. They have implemented different
types of 2FA for different purposes:

OTP via SMS to verify their new customers and vendors on the platform.
A platform with several million customers is bound to have a lot of duplicate signups. It is
imperative to ensure that the user is who they claim they are. An OTP sent to their registered
phone number validates their identity.

OTP via call as a fallback if there is a delay in SMS OTPs to reach the users.
In the event that the user failed to receive the SMS due to network issues, an OTP is sent
via phone call (voice OTPs) to finish the verification process and create a seamless user
experience.

nOTP to authenticate mobile phone recharges made by the vendors for their customers.
At 1/3rd the cost of a SMS, nOTP is a big hit with just a missed call received on the vendor’s
phone verifying their identity.



Closing note
83% of people who use two-factor authentication feel their
accounts are more secure. One method of 2FA might be better than
the others, but we have to agree that any 2FA is better than none.
With that being said, businesses that are adopting two factor
authentication to secure customer data should prioritise customer
experience as the most important differentiator for these
authentication methods. nOTP emerges as a clear winner, as it is a
smooth and effortless option for the customer.



About Exotel
It might be a bit of a puzzle for a business whether they should consider the interests or the security of the
customer. However, since most businesses have started using 2FA now, it has become commonplace and
customers don’t really see this to be an extra step anymore.

At Exotel, we have worked on easing 2FA implementation for businesses, while also bearing the customer
comfort in mind. Our powerful authentication solutions are built for speed and scale.

Not every business has the same risk factors or security needs. So why should you have to choose a “one
size fits all” approach to 2FA? Our robust APIs offer a variety of authentication options such as SMS OTP, OTP
over voice, OTP without SMS (nOTP) to help prioritize your needs accordingly.

Ready to implement 2FA for your business? Schedule a demo to see how it’s done.
