2-factor authentication via messaging apps vs SMS authentication

2FA Chatbots vs. SMS Authentication

In this article, we’ll explain what a two-factor authentication bot is and how 2FA chatbots (two-factor authentication with messaging service chatbots) work. We’ll look at the pros and cons of this one-time password delivery method and figure out which is best: 2FA bots or SMS authentication.

How did the Protectimus Bot token come to be?

One of our clients (a payment system with 2,000,000 active users) was spending about $30,000 per month on SMS delivery. They were using SMS to send out one-time passwords and system notifications (withdrawal and deposit notifications, informational messages, etc.).

How does two-factor authentication with chatbots work?

Currently, the ProtectimusBot chatbot is available on three messaging services:

  1. Request their unique ID using the /getid command.
  2. Input the ID they receive into the system they wish to protect.
  3. Then, the Protectimus two-factor authentication service will create a token and send it to the user via the 2FA chatbot.
  4. The user confirms that they received the one-time password by inputting it into the appropriate field. This also completes the token issuing process.
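
The enrollment steps above, sketched from the protected system's side as an added example (not Protectimus code): the class, its method names, the `send` callback standing in for the messenger bot API, and the TTL and attempt limits are all assumptions. It shows why step 4 matters: the chat ID is bound to the account only after the code sent to that chat is echoed back.

```python
import hmac
import secrets
import time

OTP_TTL = 120      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3   # wrong guesses allowed before enrollment is dropped (assumed)


class Enrollment:
    """Hypothetical server-side state for binding a messenger chat ID to an account."""

    def __init__(self, send, clock=time.time):
        self._send = send      # callable(chat_id, text); stands in for the bot API
        self._clock = clock
        self._pending = {}     # account -> [chat_id, otp, expires_at, attempts_left]
        self.bound = {}        # account -> chat ID confirmed in step 4

    def start(self, account, chat_id):
        """Steps 2-3: the user entered the ID from /getid; send an OTP to that chat."""
        otp = f"{secrets.randbelow(10**6):06d}"   # drawn from the OS CSPRNG
        self._pending[account] = [chat_id, otp, self._clock() + OTP_TTL, MAX_ATTEMPTS]
        self._send(chat_id, f"Your one-time password: {otp}")

    def confirm(self, account, code):
        """Step 4: bind the chat only if the OTP comes back in time and matches."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        chat_id, otp, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[account]            # expired codes are discarded
            return False
        if hmac.compare_digest(code.encode(), otp.encode()):
            del self._pending[account]            # single use
            self.bound[account] = chat_id
            return True
        entry[3] -= 1
        if entry[3] <= 0:
            del self._pending[account]            # caps online guessing of 6 digits
        return False
```

A mistyped or deliberately wrong ID in step 2 therefore never becomes a delivery address: the code lands in a chat the person at the keyboard cannot read, and the pending entry expires or is dropped after the allowed attempts.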

2FA chatbots vs. SMS authentication

2FA chatbots: the pros and cons

Pros

  1. The Protectimus Bot 2FA chatbot allows you to deliver both one-time passwords and other messages and notifications.
  2. Messages on these messaging services are transmitted in encrypted form, and Telegram is almost the best messaging app when it comes to security. If someone intercepts a one-time password, they won’t be able to decrypt it.
  3. Passwords are used to protect access to the messaging services over which OTPs are delivered. Additionally, access to messaging services can also be protected using two-factor authentication.
  4. If someone attempts to log in to your account, you will immediately receive a notification.
  5. Messages aren’t delivered over cellular networks. That means that GSM network vulnerabilities can’t be used to intercept one-time passwords.
  6. We also have yet to hear of any virus that can extract one-time passwords from messaging apps. On the other hand, viruses that extract OTPs from SMS messages are plentiful.
  7. The Protectimus Bot token can also be used outside of areas with cellular network coverage as long as internet access is available.
  8. Users don’t need to install another app or buy two-factor authentication hardware tokens. One of these messaging apps is already installed on 99% of users’ phones.
  9. Chatbots for two-factor authentication can even be used when you don’t have access to your phone — there are web-based versions of Telegram, Viber, and Facebook Messenger.

Cons

  1. It’s possible to log in to messaging services from several devices and forget to log out, leaving multiple sessions active at once. For example, while writing this article, I have three active Telegram sessions: one on my smartphone, one on my work computer, and one on my laptop at home.
  2. To issue a token, users need to add the ProtectimusBot chatbot themselves.

SMS authentication: pros and cons

Pros

  1. SMS authentication is also well suited to users of feature phones with a traditional keypad, who simply cannot install apps on their phones. This can also be considered an advantage.
  2. Besides, just like Protectimus Bot, Protectimus SMS tokens support CWYS (Confirm What You See) data signing functionality.

Cons

  1. A one-time password can be intercepted directly on the user’s device by a virus.
  2. Attackers may request a replacement SIM card in order to gain access to a victim’s telephone number.
  3. Employees of an SMS service operator are often involved in such schemes.
  4. If a subscriber is located outside the network’s service area, they won’t receive an OTP.
  5. Companies spend hundreds of thousands of dollars paying for SMS delivery.

In summary: 3 reasons to stop using SMS authentication and start using 2FA chatbots

Each approach to two-factor authentication has its strengths and weaknesses. However, after comparing SMS authentication to chatbot-based delivery of one-time passwords, we can clearly see that Protectimus Bot tokens win on every count:

  1. Security. Multi-factor authentication using Telegram, Viber, and Facebook Messenger 2FA chatbots is many times more secure.
  2. Convenience. 2FA using messaging apps is no less convenient than SMS authentication and is even more convenient in some situations (for example, when using roaming).
