2-factor authentication

Infobip 2-factor authentication

2-factor authentication (2FA) is cloud messaging security solution that confirms the identity of the user and protects the system from phishing or hacking attacks.

A one-time PIN (PIN code) is generated and sent to the user’s mobile phone. The user receives the PIN code and types it into the application to confirm his or her identity. If the PIN number that was sent out to the user matches the one that is received, the user is allowed to continue with the process.


Develop all the features and functionalities with dev-friendly API for top flexibility. You can easily turn every phone into an additional layer of protection.

REST API - HTTP request & response documentation for all 2FA functionalities.

Client libraries

It takes only minutes to integrate our libraries to enable all 2-factor authentication features in your web or mobile application.

For any technical assistance please contact us at:

How it works

User enters his mobile number into a web form or mobile app. A one-time PIN (OTP) number is generated and sent to the user’s mobile phone. The user receives the OTP and types it into the application to confirm his identity. If the PIN number that was sent out to the user matches the one that is received, the user is allowed to continue with the process.

2-factor authentication

Note that for a security breach to happen, the user would need to have both the handset and the password stolen or lost, which is a highly unlikely turn of events.

When to use 2-factor authentication

Every time a confirmation of identity is needed:

Who is using 2-factor authentication

All major social networks, web commerce solutions, booking systems and online banking solutions are using 2-factor authentication.

Identity theft can harm your business and damage your reputation. Add extra security with our SMS-based 2-factor authentication. It is convenient, functional and universally applicable.

2FA flow overview

enter image description here

  1. User enter his Phone number into the client’s application (mobile or web). The other option is that client pulls the phone number from his user’s database.
  2. Application sends the request for the PIN code with user’s phone number to Infobip
  3. Infobip sends Number context lookup request to the MNO for user’s phone number
  4. Infobip receives Number context lookup response from the MNO
  5. Infobip sends Number context response to the Application
  6. If the Number context result is valid, Infobip generates the PIN code and send it via SMS
  7. MNO delivers SMS with the PIN code
  8. Infobip receives Delivery report for sent message
  9. User enters the received PIN code into the application
  10. Application sends verification request with the PIN code
  11. Infobip verifies the received PIN and sends the response to the application

Steps 3 and 4 are important for the clients that want to check whether the user entered valid phone number before sending a verification SMS. We use Number context to check the phone number validity. If the phone number is not valid (i.e. doesn’t exists) we do not even generate the PIN code and send the SMS. This way we prevent unnecessary expenditures for our clients. These steps are optional due to customer needs.

One Time PIN generation algorithm

We used a variant of Time-based One-Time Password (TOTP) algorithm (in compliance with RFC 6238) for generating PINs. We combine secret key with current timestamp to seed secure pseudo-random number generator (512-bit time-dependent seed) which in turn produces 512-bit pseudo-random number which is an input to SHA512, along with time-dependent key. We reseed PRNG periodically with time-based pseudo-random seed, but time-independently of hashing algorithm input time-dependent key.

Note: http://www.faqs.org/rfcs/rfc2104.html

…for a block length of 64 bytes this [“birthday attack” on 128-bit MD5] would take 250,000 years in a continuous 1Gbps link, and without changing the secret key K during all this time…

We don’t use MD5, we use HmacSHA512 (SHA functions comparison), which is much more resistant to this type of attack. Paired with dynamically seeded PRNG and time-dependant key, one would only have a few seconds to try this kind of attack on hashing function before it’s key is changed. And this attack becomes possible only if PRNG is also breaked, which is as unfeasible as the very MD5 attack just presented (only in another terms).

Other than that, the length of PIN code influences probability of repeating PINs, but an 6-digit numeric only PIN has 10^6 = 1.000.000 combinations (6-digit alphanumeric ~> 10^11 combinations). So if you try to guess PIN code by brute forcing it’s value, you have pretty low probability of guessing it blindly. And, when you setup your 2FA application, you can limit the number of verification attempts to arbitrary value, further limiting lucky guesses.

Industry use-case

2-factor authentication for mobile apps

Improve your app conversion rate

Do your best to convert every app download into an app user! Apply our global verification system to eliminate mistakes during app activation.

SMS-based 2FA confirms the identity of the mobile user. We’ve added the number validation component, which checks numbers that users provide for the SMS authentication. It is estimated that in 4-8 percent of app downloads faulty numbers are provided for the authentication SMS delivery, which increases the chance of users abandoning the process, and your app.

2-factor authentication

1. User downloads an app and is asked to enter cell phone number to receive PIN via SMS.

2. We alert the app developer if number is not valid. User is asked to try again.

3. With correct number entered, a PIN is delivered. App activation complete.

Number validation is performed before the SMS authentication starts, to make sure that SMS can be delivered to the number provided. If not, user is tempted to enter the number again, and complete the app activation by receiving their one time PIN over SMS.


2-factor authentication as a reliable enterprise SMS security solution

In many cases, you need more than just a password to achieve an adequate level of security in the digital space. 2-factor authentication brings together something you know (a password) and something you have (a one-time PIN generator), which increases security exponentially.

Because everyone has a mobile phone and Infobip can deliver SMS messages to them all, the device easily turns into a tool for providing an extra layer of security without investing into additional hardware.

How does it work?

With web-based applications and logins, the mobile number of the user needs to be associated with the online account. That’s why the first step is to add the mobile number when signing up. In all subsequent authorizations, the user doesn’t need to re-enter the mobile number, just enter the PIN delivered in an SMS.

2-factor authentication

Making your 2FA work

Simply implementing a 2-factor solution is sometimes not enough to ensure security and reliability. What sets Infobip’s solution apart is the Number Context service, which increases the efficiency by providing a mobile number check for each user.

Number Context is invisible to the user: it verifies each number at registration and alerts the web site if an entered number is invalid, e.g. a landline number, or an inexistent number. The web site can then prompt the user to re-enter the mobile number and ensure an efficient 2FA process later on.

Number Context harnesses Infobip’s global coverage and deep insight into mobile networks in over 190 countries to deliver reliable messaging and network check solutions. By connecting to Infobip’s cloud you get a versatile solution with: