
You’re Probably Spending Way Too Much on SMS-Based Verification

by Keshia Rose, December 6th, 2024

Too Long; Didn't Read

Frequent SMS verification is costly and can frustrate users. Alternatives like push notifications, authenticator apps, and biometrics reduce reliance on SMS but may require adjustments to your authentication flow and are less widely available. Device fingerprinting offers a smart solution: it recognizes trusted devices in a way that is more stable than cookies or IP addresses, which cuts SMS costs, enhances security, and improves user experience. Use it to minimize SMS usage while maintaining robust account protection.

Every OTP you send via SMS is burning through your budget and your users’ patience. It’s clear that SMS-based verification has become a go-to for verifying users and blocking unauthorized access. But spamming users with codes every time they want to log in isn’t winning you any fans, and it’s definitely not cheap. So, how do you protect your users’ accounts without spending more than you need to or annoying the people you’re trying to protect? In this post, I’ll break down strategies to protect accounts without unduly racking up your SMS bill.

The cost of SMS verification

For businesses, every SMS sent translates to a cost, especially when you're dealing with high-volume applications. For example, popular communications provider Twilio's SMS pricing can go anywhere from $0.0079 to $0.75 per message based on the destination and the carrier! And it's not just legitimate users that are racking up costs: SMS pumping scams also add to the bill. While it's not verified, it's estimated that Twitter was losing $60 million a year to SMS pumping before restricting the feature. To reduce your SMS dependency and cut costs without compromising security, you can use other solutions to verify users as an alternative to texting OTPs.

Methods to reduce SMS verification costs

Reducing SMS costs doesn't mean sacrificing security. By exploring a mix of alternative methods, businesses can maintain strong account protection without relying solely on SMS for every verification. Instead of sending SMS verifications, you could:

  • Use other channels to send codes: Delivering OTPs through push notifications, email, or messaging apps like WhatsApp provides a secure, cost-effective alternative to SMS. Push notifications work well for mobile apps, while email verification links are familiar and easy to implement. WhatsApp messages are much cheaper than SMS; for example, Twilio offers pricing ranging from $0.0014 to $0.0768 per authentication conversation for WhatsApp. Each of these channels reduces SMS dependency and costs without compromising security.
  • Skip sending codes; just validate them: Authenticator apps, such as Google Authenticator or Twilio's Authy, enable users to generate their own verification codes, effectively eliminating the need for SMS and often providing a more cost-effective solution. For example, Twilio's TOTP service costs only $0.05 per successful verification. Once set up, this method gives users a convenient way to verify their identity securely while maintaining robust protection against unauthorized access.
  • Leverage other types of verification: Beyond codes, techniques like biometrics offer effective ways to authenticate users without SMS when available. Biometrics, such as fingerprint or facial recognition, provide a seamless and secure experience, especially on trusted devices.

Downsides to SMS Alternatives

While these alternatives can certainly reduce costs, changing to them requires adjusting your existing authentication flow, which may not be ideal for every business. SMS remains widely accessible and doesn't require users to download or set up a specific app, such as WhatsApp or Google Authenticator. It's also available for all mobile devices, making it more versatile than methods like biometrics, which are usually confined to smartphones.


Additionally, users are often more familiar with SMS-based verification, which can make it a smoother experience with less friction, leading to higher conversion rates and more engagement. These factors make SMS an appealing option, providing accessibility and ease of use that can be hard to match with other verification methods.


So how else can businesses cut costs if they want to keep using SMS for user verification, aside from negotiating a better rate with their provider?


One effective approach is to reduce the number of SMS messages sent by being strategic about when to trigger them. This is where techniques like device fingerprinting come into play. It allows businesses to identify trusted browsers or devices and only prompt for SMS verification when necessary.

What is device fingerprinting?

Device fingerprinting is a method for recognizing unique devices based on a combination of their characteristics, such as browser settings, operating system, screen resolution, language preferences, installed plugins, and other non-personally identifiable details. Each device has a distinctive "fingerprint" made up of these attributes, which makes it possible to identify returning users even when traditional methods like cookies aren't available or are deleted.


Unlike IP addresses, which are dynamic and easily masked by VPNs or proxies, device fingerprinting offers a more reliable and persistent way to recognize devices. It operates passively without needing to store data on the user's device and is harder to evade. It relies on a diverse set of attributes that are difficult to fake or replicate while remaining effective even as individual elements change over time.


This makes it especially effective at detecting and preventing account takeover fraud, as it can uncover patterns of suspicious behavior and attempts to disguise device identity, delivering a strong additional layer of security compared to other recognition methods. Additionally, the attributes collected for device fingerprinting can be used to detect red flags that signal potentially risky users, such as the use of headless browsers or mismatched time zones.

How device recognition can help

Once you can reliably recognize a returning device, you can remember trusted devices without putting users through repeated security checks. This recognition brings several advantages:

  • Cost savings: Recognizing a returning user's device as trusted eliminates the need to send an SMS OTP for account login, reducing the frequency of messages and lowering costs.
  • Better user experience: When you identify trusted devices, legitimate users can skip OTP verification, which gives them faster access to your site or app and reduces frustration.
  • Stronger security: Ensuring device consistency at login adds a hidden layer of verification, protecting customer accounts by making it harder for fraudsters to mimic legitimate users.
  • Risk detection: Analyzing device attributes can identify suspicious or high-risk devices, allowing you to block potential threats and enhance overall account security.


Using device fingerprinting in your login flows not only cuts SMS costs but also strengthens account security and improves user experience.

High-level technical implementation

At a high level, integrating device recognition means embedding it into your login or user verification flow to identify returning users based on their device and browser characteristics.

  1. Identify the user: Whether using custom-built device identification tools or a paid service, begin by gathering characteristics (such as device type, browser, IP address, etc.) and combining them to create a unique identifier.
  2. Assign risk scores: For each user, assign a risk score based on current and previous device attributes and consistency in their characteristics. These factors may include data points like VPN usage, unexpected IP locations, or unusual attributes that indicate possible use of evasion tools.
  3. Implement conditional verification: Skip SMS verification for users logging in from devices recognized as trusted for that account and free of risk flags. SMS verification is only triggered for new or unrecognized devices on the account or when high-risk characteristics, such as headless browser attributes, are detected during login attempts.
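
The three steps above as a server-side sketch, added here as an example; it is not code from this article or from any fingerprinting service. The attribute names, weights, threshold, and function names are assumptions, and hashing exact attribute values is a simplification of real fingerprint matching, which tolerates individual attributes changing over time.

```javascript
const { createHash } = require("node:crypto");

// Step 1: combine stable attributes into an identifier. The IP address is
// left out of the hash here (an assumption of this sketch) and scored in
// step 2, so a network change alone does not create a "new" device.
const STABLE_KEYS = ["userAgent", "platform", "screen", "language", "timezone"];
function deviceId(attrs) {
  const canonical = STABLE_KEYS.map((k) => `${k}=${attrs[k] ?? ""}`).join("|");
  return createHash("sha256").update(canonical).digest("hex");
}

// Step 2: score the current attributes against what was stored for this
// device. Weights and signal names are illustrative, not calibrated.
function riskScore(attrs, known) {
  let score = 0;
  if (attrs.headless) score += 50; // headless browser attributes
  if (attrs.vpn) score += 20; // VPN usage
  if (attrs.timezone !== attrs.ipTimezone) score += 20; // mismatched time zones
  if (known && known.ipCountry !== attrs.ipCountry) score += 20; // unexpected IP location
  return score;
}

// Step 3: send an SMS OTP only for a device not yet trusted on THIS account,
// or for a trusted device that now shows high-risk characteristics.
function decideVerification(account, attrs, threshold = 40) {
  const id = deviceId(attrs);
  const known = account.trustedDevices.get(id); // undefined for a new device
  const score = riskScore(attrs, known);
  if (!known) return { sendSms: true, reason: "unrecognized_device", score };
  if (score >= threshold) return { sendSms: true, reason: "high_risk", score };
  return { sendSms: false, reason: "trusted_device", score };
}

// Record trust only after the OTP for this login has been verified.
function trustDevice(account, attrs) {
  account.trustedDevices.set(deviceId(attrs), { ipCountry: attrs.ipCountry });
}

// Constructed sample data, not taken from a real session.
const laptop = { userAgent: "Mozilla/5.0 (X11; Linux x86_64) Firefox/133.0", platform: "Linux",
  screen: "1920x1080", language: "en-US", timezone: "Europe/Berlin",
  ipTimezone: "Europe/Berlin", ipCountry: "DE", vpn: false, headless: false };
const account = { trustedDevices: new Map() };
console.log(decideVerification(account, laptop).reason); // first login on this account
trustDevice(account, laptop);
console.log(decideVerification(account, laptop).reason); // same device returning
```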

Stop overspending on SMS user verification

By combining SMS OTPs with a smart device recognition layer, you can balance cost efficiency, user convenience, and security. Trusted device recognition reduces the reliance on frequent SMS verification, lowering costs while maintaining strong protection.


Unlike IP addresses and cookies, which are easily altered or deleted, device fingerprinting offers a more reliable and persistent way to recognize users. While SMS alone is costly and inconvenient, and skipping verification weakens security, adding device fingerprinting reduces SMS costs, streamlines login flows, and strengthens account protection.