Your guide to SMS Two-Factor Authentication (2FA)

With cybersecurity threats on the rise, 2FA helps keep everyone safe.

Amanda R - November 8, 2022

There’s no doubt that cybercrime is on the rise. In Australia, the number of reported cyberattacks grew by 13% from 2020 to 2021. A new incident crops up every 8 minutes

As the hackers get smarter, it’s more important than ever for small businesses to think about security. 

A great addition to your security toolkit? Two-factor authentication (2FA for short). The Australian Cyber Security Centre calls 2FA “one of the most effective ways to protect against unauthorised access to your valuable information and accounts.”

For business owners, 2FA helps protect against security threats like phishing and brute-force attacks. It helps you meet the rules and regulations in your industry about protecting customers’ personal information. And, it helps boost your customers’ confidence in you – as it shows you take security seriously.

For your customers, 2FA is a quick and easy step to take as part of logging in. Plus, it provides peace of mind that their personal information is being kept safe from hackers.

How does 2FA work?

Like its name suggests, 2FA is a two-step way of checking that a customer is who they say they are. 

Here’s how it works. Say a user logs in to your site with their username and password. This is known as their primary authentication. The ‘two’ in 2FA is the second authentication – and it has to be something that comes from a different device or channel, like a mobile phone. 

There are four different ways you can perform this secondary check. You can use:

  1. An object like a mobile phone, a USB stick with a secret token, or a bank card. It could even be an actual key.
  2. secret like a one-time password (OTP) or PIN, that only the customer knows.
  3. physical characteristic like a fingerprint or eye iris.
  4. location such as a specific VPN connection or a GPS signal.
6 steps to show how SMS 2FA works

Some of these are easier to set up than others, and each comes with its own pros and cons. 

We won’t dive into the technicalities of all four types of identity checks here. Instead, let’s focus on what we know best – how to use a mobile phone and SMS as your secret security weapon for 2FA.

Why use SMS for 2FA?

The idea behind two-factor authentication via SMS is that, even if a hacker gets their hands on your customer’s username and password, they (hopefully) won’t have their phone, too.

Apart from halting the hackers, text messages are a popular strategy for 2FA for a number of reasons: 

  • It’s quick and easy 
  • If a mobile phone is stolen, the user can lock their device remotely
  • An SMS code is one of the easiest, most cost-effective 2FA tactics for a business to set up 
  • No extra apps or tools are needed to send SMS 2FA codes
2FA website pop-up and 2FA text message

Just bear in mind, though, that there are some potential pitfalls. SMS authentication relies on a phone connection, and there is the low risk that an SMS message can be intercepted by a heinous hacker.

How to set up 2FA using OTP and SMS

One-time passwords (OTPs) are a typical form of authentication. Because they’re unique to every user and every session, and they expire after just a short time, they provide a great extra layer of security.

SMS is a quick and easy way to send OTPs to your customers. There are a few different ways to set these up, but let’s look at one of the most common: an API.  

An API is easy to customise to your own needs and is generally cheaper than an off-the-shelf integration. You just need to wrap your head around a bit of code (see our example below).

You can build an SMS OTP system with our SMS API. Use the code below as a guide, but feel free to put your own spin on it and tailor for your business.

// Generate a random number, and use str_pad to ensure 6 digits even if first digit is a zero

$otp = str_pad(mt_rand(0,999999),6,"0",STR_PAD_LEFT);

// Save the otp to your database here
// You'll need to write your own code here, but make you can save the username, the otp, and the time you generated
// eg. "INSERT INTO `OTP` (`customer_user_id`,`otp`,`insertime`) VALUES ('$customer_id','$otp',NOW());"

// send the otp message to your customer

$username = 'USERNAME';
$password = 'PASSWORD';
$destination = '0400000000';
$source    = 'MyCompany';

$message = "Your SMS activation code is ".$otp.". Do not share this code."."\r\n\r\n"."Unexpected? Call 1300 XXX XXX";

$contentArray = array(
	'username' => $username,
	'password' => $password,
	'to' => $destination,
	'from' => $source,
	'message' => $message

$contentPost = http_build_query($contentArray);

$ch = curl_init('');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $contentPost);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$output = curl_exec ($ch);
curl_close ($ch);  

// check the response, to ensure the SMS was sent correctly
$response_lines = explode("\n", $output);
foreach( $response_lines as $data_line){
    $message_data = explode(':',$data_line);
    if($message_data[0] == "OK"){
        echo "The message to ".$message_data[1]." was successful, with reference ".$message_data[2]."\n";
    }elseif( $message_data[0] == "BAD" ){
        echo "The message to ".$message_data[1]." was NOT successful. Reason: ".$message_data[2]."\n";
    }elseif( $message_data[0] == "ERROR" ){
        echo "There was an error with this request. Reason: ".$message_data[1]."\n";

// On your login form (a separate script) you can then match the OTP
// You'll need to write your own code here, but make you can validte the username, the otp, and that the OTP is less than 3 minutes old
// eg. "SELECT * FROM `OTP` WHER `customer_user_id` = '$customer_id' AND `otp` = '$customer_otp' and `insertime` > NOW() - DATE INTERVAL 3 MINUTE";

Ready to go?

Put your 2FA plan into action by signing up with SMS Broadcast today.