
Sending OTP via SMS

Updated yesterday

Essential Security Recommendations

It's crucial to implement safeguards to prevent your One-Time Password (OTP) or Two-Factor Authentication (2FA) services from causing an unexpected surge in SMS requests.

A publicly-facing phone number input field is a primary target for SMS Pumping, a type of fraud where attackers intentionally generate a high volume of SMS requests. This can lead to significant, unexpected charges for your business, as mobile carriers bill for every message sent through the network.

We strongly advise you to familiarize yourself with related threats, such as SMS Pumping, SMS Fraud, and International Revenue Sharing Fraud (IRSF), to fully understand the risks.

When building or integrating a 2FA or OTP service, we strongly recommend implementing all of the following security measures, or at least a combination of them, to protect your platform:

Review Global Sending

Navigate to the Global Sending settings and confirm that the countries you have enabled are the only countries you want outbound SMS traffic to be sent to. See the Global Sending documentation to learn more.

Implement Rate Limiting

Use a multi-layered "bucket" approach for more effective rate limiting by combining several identifiers.

  • Go beyond IP address limiting, as it is easily bypassed with VPNs. Instead, tie limits to a unique identifier like an email + phone number combination.

  • Implement device fingerprinting to identify a user's unique device, blocking them even if they change their IP address or account.

  • Add time-based throttling by setting a maximum number of OTPs per minute or by temporarily blocking users after too many failed attempts to prevent abuse.

Introduce Request Delays

Enforce a "cool-down" period between consecutive requests from the same phone number, such as allowing only one request every 90 seconds.

Set Up Monitoring & Alerts

Create automated alerts to notify you of unusual spikes in SMS traffic or high-velocity requests originating from specific regions or IP ranges.

Establish Usage Thresholds

Define clear usage limits and automatically apply cutoffs once those thresholds are met. This acts as a critical backstop to prevent runaway costs.

Consider Regional Rules

Be aware that fraud patterns and numbering plans vary by country. Your security logic may need to be adapted for different regions.

Consult a Security Expert

If you are unsure about the best implementation for your use case, consult with a security professional to review your architecture.

How to send an OTP via SMS

You can use ClickSend to set up two-factor authentication for your app or website. To do this:

  1. Generate the OTP in your code, e.g. "1234", and store it in a database on your server.

  2. Call our POST sms/send endpoint.

  3. Allow the user to input the OTP.

  4. Your script should validate it against the stored OTP.

It's recommended that you put limits on the maximum number of times a user can request an OTP, and on how many times they can attempt to guess it.
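As an added example, not ClickSend's own code, here is the server-side logic the recommendations above and this step call for, in Python: a multi-bucket rate limiter (email + phone identity, device fingerprint, 90 second cool-down per number, global usage cutoff), CSPRNG code generation with hashed storage, and guess-limited, single-use verification. The bucket sizes, the SHA-256 storage, and the class and method names are assumptions; the actual POST sms/send call is left to the caller.

```python
import hashlib, hmac, secrets, time
from collections import defaultdict, deque
# Assumed tunables; the page itself gives only the 90 s cool-down as an example.
COOLDOWN_S, IDENTITY_LIMIT, IDENTITY_WINDOW_S = 90, 3, 600
DEVICE_LIMIT, DEVICE_WINDOW_S, GLOBAL_DAILY_CAP = 5, 3600, 10_000
OTP_TTL_S, MAX_GUESSES = 300, 5

class OtpService:
    def __init__(self):
        self.last_send = {}                # phone -> timestamp of last send
        self.buckets = defaultdict(deque)  # bucket key -> recent send timestamps
        self.pending = {}                  # phone -> [sha256(code), expires_at, guesses]
        self.sent_today = 0                # backstop counter for the usage threshold
    def _bucket_ok(self, key, limit, window, now):
        q = self.buckets[key]
        while q and now - q[0] >= window:  # evict sends outside the window
            q.popleft()
        if len(q) >= limit:
            return False
        q.append(now)
        return True
    def request_otp(self, phone, email, device_id, now=None):
        """Apply every limit; on success return the code to submit to POST sms/send."""
        now = time.time() if now is None else now
        if self.sent_today >= GLOBAL_DAILY_CAP:
            return False, "usage threshold reached", None
        if phone in self.last_send and now - self.last_send[phone] < COOLDOWN_S:
            return False, "cool-down", None
        if not self._bucket_ok(("ident", email, phone), IDENTITY_LIMIT, IDENTITY_WINDOW_S, now):
            return False, "identity rate limit", None
        if not self._bucket_ok(("device", device_id), DEVICE_LIMIT, DEVICE_WINDOW_S, now):
            return False, "device rate limit", None
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, never random.randint
        self.pending[phone] = [hashlib.sha256(code.encode()).hexdigest(), now + OTP_TTL_S, 0]
        self.last_send[phone] = now
        self.sent_today += 1
        return True, "ok", code
    def verify_otp(self, phone, guess, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(phone)
        if entry is None or now > entry[1]:   # unknown or expired code
            return False
        entry[2] += 1
        if entry[2] > MAX_GUESSES:
            self.pending.pop(phone, None)     # burn the code after too many guesses
            return False
        ok = hmac.compare_digest(entry[0], hashlib.sha256(guess.encode()).hexdigest())
        if ok: self.pending.pop(phone, None)  # single use
        return ok
```

The in-memory dictionaries stand in for the database the step above mentions; in production the same state lives there, keyed the same way.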
