Updated June 2025
Product teams still need rock‑solid security that does not damage conversion. Since the first publication of this article, TypingDNA Verify 2FA evolved into two implementation paths:
- Verify 2FA Standalone – the drop‑in snippet discussed throughout the original post.
- Verify 2FA OIDC – an official, standards‑based factor that plugs straight into Okta, PingOne DaVinci, ForgeRock, Keycloak, Auth0, Microsoft Entra ID, or any OIDC‑compatible IAM.
Both flavors share the same advantages already described below (AI‑powered typing biometrics, no codes, no phones) but the OIDC connector makes enterprise roll‑outs even faster and removes custom backend work.
Passwords have been used with computing systems since 1961, when the first password login was implemented. However, the increased number of security attacks had led to the need for two-factor authentication, a service known to have been first introduced in 1995 when AT&T’s patent was issued.
Today, balancing security, user experience, and budgets is one of the biggest challenges for product creators. Enhanced account security is not enough in developing apps used by millions of users. This article aims to help product managers on the quest to offer the best user journeys coupled with a budget-friendly authentication. Our SMS 2FA alternative: TypingDNA Verify 2FA (Standalone or OIDC).
SMS authentication service overview
What is SMS two‑factor authentication service?
SMS two‑factor authentication is a possession factor that verifies identity, grants account access, or confirms transactions by sending a one‑time code to a phone.
A 2FA or MFA solution can contain:
- Possession factors – owning a phone or a hardware token.
- Inherence factors – typing biometrics, retina scan, fingerprint.
- Knowledge factors – passwords, secrets, PINs.
[2025 note]: Possession factors that rely on personal devices (phones or SIM cards) introduce carrier fees, SIM swap risk, and compliance headaches for Bring Your Own Device (BYOD) policies. Many organizations are increasingly switching to phone-less alternatives such as software based behavioral biometrics (TypingDNA Verify 2FA), hardware tokens (Yubikey), or even smartcards.
SMS authentication service as a second factor
SMS OTP grew popular once most users owned phones. Tech giants such as Google, Twitter, and Facebook offered it because it was easy to deploy, not because it was secure or cheap.
SMS authentication code
One‑time passwords (OTP) delivered over SMS expire quickly, but attackers do not need much time. SIM‑swap services available on the dark web promise takeover within minutes and cost as little as 15 USD.
SMS authentication online
Free online SMS inboxes circumvent phone ownership entirely. They make SMS OTP almost worthless for high value accounts, because any attacker can read the code.
Free SMS authentication
Temporary numbers remove the telecom cost but amplify the security problem – the messages are public.
[2025 note]: These realities force most enterprises to treat SMS OTP as a last resort or “backup only” factor rather than the primary path.
2FA options
When selecting factors, adoption and risk tolerance are both important. SMS OTP remains familiar – more than 60 percent of users worldwide have tried it – but that familiarity hides severe downsides:
- Carrier fees scale linearly with every login or sensitive action.
- Delivery rates vary by geography and are impossible to guarantee.
- SIM swap and phishing kits can capture codes in real time.
Our solution, TypingDNA Verify 2FA avoids all three issues because the factor is bound to how a user types, not to a phone they might lose or replace.
2FA options: SMS, Hardware, or Email authentication
Hardware tokens (FIDO2, U2F) eliminate the phone problem but create others: high procurement costs, user confusion around USB‑C vs USB‑A vs NFC, and a painful recovery flow if the key is lost.
Email OTP is budget friendly but ties the second factor to the first, effectively acting as “1FA”; compromise the inbox and both layers fall. It also assumes the user can reach email on the same device or an adjacent one, which is not always true on mobile.
[2025 note]: TypingDNA Verify 2FA works everywhere a user can type, with no hardware, no codes, and no second screen.
2FA enabled vs. enforced
Requiring a two-step verification option is now the standard. The difference between enabling 2FA and enforcing 2FA relies on the conditional access policies that might affect your users. When enabling 2FA, users will perform two-step verification every time they sign in. After their enrollment, users will also have to register the next time they sign in but are not conditioned by this step.
With 2FA enforcement, you will allow access for your users only after completing a registration process that is not optional. In this case, users will only be able to log in after completing the mandatory two-step verification. Some services offer the possibility to create conditional access policies that apply to groups and individual users.
2FA email vs. SMS
2FA email comes with a series of benefits for the users. The first one is the familiar data requirement; most users already use email addresses to sign up for a service or reset passwords. The ease of the onboarding process comes next: since users don’t need to download a specific app or go through the configuration of a setup, they just have to access their email. Another advantage is the privacy concern; users don’t associate other personally identifiable information like their phone number limiting the data they transfer to a service provider.
Still, 2FA with email has its flaws. Email addresses are also used to change passwords, so compromising the first factor in a 2FA email setup will also compromise the second factor. Once attackers gain access to your email inbox, they can take over the entire account and your email OTPs.
SMS 2FA proves to be a more secure authentication setup than email-based 2FA. Also, it can add protection to any account, including emails. Research from Google shows that adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during their investigation.
Google’s stance
Google enabled 2‑Step Verification for all consumer accounts by default in 2022, and SMS OTP is still the main method, however Google Workspace domains are encouraged to adopt security keys or passkeys instead of SMS OTP.
SMS 2FA alternatives
The digital world needs better SMS 2FA alternatives, especially since recently shown vulnerabilities in various contexts are on the rise. SMS 2FA is insecure due to the following vulnerabilities:
SIM swapping (bad actors contact a phone company and (using the personal information they have collected about a target, like an SSN) request that a number be transferred to another phone),
SIM hacking (malicious actors can spoof cell phone tower signals and SS7 systems and access information contained in private messages),
Synced devices (synced devices allow access from multiple smartphones, laptops, tablets, and wearables)
Social engineering attacks (attempts to convince targets to unknowingly hand over their personal information and passwords—including SMS codes).
PCI DSS v4.0 and NIST SP 800‑63B explicitly label SMS OTP as “not recommended” for privileged or high‑risk actions.
New legislation in several US states now classifies phone‑centric OTP as “restricted” when a high‑assurance identity check is required (for example, finance or healthcare apps).
Better alternatives to SMS 2FA
In the past years, account security alternatives have diversified. For example, the alternatives to SMS 2FA include biometrics-based authentication factors like typing biometrics, 2FA apps, or hardware-based 2FA.
Typing biometrics as part of a 2FA/MFA setup
Typing biometrics is an emerging technology facilitated by the progress in AI and computational power. As part of an authentication process with typing biometrics, the initial enrollment captures the typing pattern created based on how individuals type on their keyboards and attribute it to the user. Every time a new authentication is made, the new typing pattern is verified against an initial recording, and if the match is successful, the user is logged in. Combined with other factors, a typing biometrics-based 2FA implementation is the new norm in avoiding unsecure and costly tokens, long login times, or a cumbersome user experience.
2FA Apps
Typically, authenticator apps must be installed on a smart device. They will generate a passcode that can be used for logging in, transaction confirmation, or act as a master key. Besides the obvious downside that users will need to install new software on their devices, another disadvantage is that for every account that the user owns, further action needs to be set up separately, adding friction to the authentication process. Keep in mind that this technology is not only offering a cumbersome user experience, but its adoption rate is still very low.
Hardware 2FA
Unfortunately, hardware 2FA solutions don’t see a high adoption rate. One main reason is the costs associated with the hardware devices, ranging from $15 to upwards of $50. The accessibility of a physical security key (or U2F) is also hindered by the USB connection that that individual must have. An NFC version is available for smartphones, but losing such a device will cause a tedious re-authentication for all accounts with a new key. Although most hardware 2FA devices are FIDO-certified and guarantee higher account security, drawbacks, such a price or bad user experience cannot be disregarded.
Is SMS 2FA worse than no 2FA?
No. According to any security audit, SMS 2FA is still better than using just one factor like pairing email address and password. Breaching a password through brute force attacks is even easier now with increased computing powers. One example is credential stuffing, a form of cyberattack in which a list of credentials obtained from a data spill becomes available for sale or free download. Adding a second factor like SMS 2FA drastically increases account security, making attackers work harder to access your data.
[2025 note]: For any organisation with a moderate risk profile, moving from SMS to TypingDNA Verify 2FA or FIDO2 keys is no longer optional; it is table stakes.
What makes a great two-factor authentication (2FA)?
A great alternative to SMS two-factor authentication comes, as shown above, in many products and methods. Still, product managers will want to choose the 2FA option that is:
- Focused on user experience
- Budget-friendly, especially for services with high-frequency authentications needs
- Fast and easy to implement
- Phone-free
- Scalable
User experience and 2FA
At TypingDNA, we genuinely believe user experience is an integral part of any great two-factor authentication setup. Although SMS 2FA has proven to be the go-to authentication for the past decades, forward-thinking product managers will assess more user-friendly authentication solutions keeping user experience at the core of their products. As shown by the biggest disruptors in almost any industry ranging from Airbnb to Google or services like Uber, stellar user journeys come first.
Customers have high expectations towards their digital product journeys expecting fast services and flawless processes while solving their needs. Any good product will start with simplified and secure authentication methods. The choice for the best second authentication factor must respond to your user base and their needs being user-friendly and easy to adopt.
Why TypingDNA Verify 2FA is a UX-first authentication solution
In a nutshell, TypingDNA Verify 2FA uses our proprietary typing biometrics authentication technology to verify a user’s identity. Users type four words specifically chosen by our AI engine to enable higher matching accuracy on much shorter texts. The four words are of high complexity regarding the number of different characters, the way they are dispersed throughout the keyboard layout, the vertical and horizontal travel, so we can understand the unique typing pattern of a user. After typing the four words, the typing patterns are matched to authenticate users in your desired application. Users don’t have to switch devices or input specific OTP sent via email or SMS, making authentication seamless.
To serve different needs, TypingDNA Verify 2FA has two major variants:
- Standalone/Standard: Created to use the classic authentication methods such as SMS or email OTP only as fallback methods in a RoT(Root of Trust) system. It does not depend on any other RoT, and can be deployed directly into user journeys.
- OIDC: Factor only IdP/EAM integration available for major IAMs such as Okta, Ping Identity, ForgeRock, Microsoft Entra ID, Keycloak, and other.
Budget-friendly 2FA
After addressing the need for a better user experience, product managers will also want to adopt authentication methods to meet their budgets.
SMS 2FA is a scalable solution that can respond to an increased number of users. But with high authentication volumes, the associated costs will also rise. Sending an OTP code via SMS is indeed the norm. But, what if you could reduce the SMS OTP costs to as low as 10% of what your company usually pays? TypingDNA Verify 2FA was developed as an alternative to classic 2FA, focusing not only on UX but also budget.
By using TypingDNA Verify 2FA, companies can drastically reduce their SMS 2FA costs. Particularly, an extreme cost-cut example includes companies with an increased number of authentications for users in EU, South America, or China.
While our solution starts at $1/user/month for high frequency use cases (workforce authentication), we make significant discounts for low frequency – high volume use cases (customer authentication) – depending on volume this use case can get as low as 10x cheapper.
Fast 2FA integration in under 10 minutes
Yes, it’s possible to have your 2FA set up in under ten minutes, even without an existing IAM provider.
To try the TypingDNA Verify 2FA solution yourself, sign up here or try our live demo.
Your first 100 users are free with our Starter plan. No credit card required.
If yIf you’re considering deploying TypingDNA Verify 2FA in your products or organization, reach out to us for a tailored quote and integration guidance.