That six-digit code that shows up on your phone — how it actually works
You log into your bank, type your password, and within three seconds a text message arrives with a six-digit code. Type the code, you're in. That's OTP — One Time Password — the second layer of authentication (2FA) that's become the global standard.
Behind those three seconds sits infrastructure that has to hit 99.95%+ reliability. Because when a customer doesn't get the code, they don't log in. When they don't log in, they don't buy. When they don't buy, the revenue evaporates. This article lays out how to build an OTP system that actually works.
Why SMS specifically — and not an app
There are other authentication methods: Google Authenticator, Authy, Microsoft Authenticator, biometrics. All of them are more secure than SMS. And yet SMS stays the most popular choice in Israel and worldwide. Why?
• No app required: Every phone receives SMS. Old Nokia, new iPhone, any Android — they all get it.
• No onboarding: The customer doesn't need to install, register, or approve anything. They already have the phone and the number.
• No access loss: Switched phones? You ported your number. An authenticator app can disappear with a lost device.
• Familiar standard: Customers recognize it from banks, insurance, and government sites. No explanation needed.
The real-world choice is between "maximum security" (authenticator app, which locks out some customers) and "good-enough security with access for everyone" (SMS). Outside of banks, most businesses go with SMS.
Common use cases
1. Account login
Customer enters password → system sends code via SMS → customer types code → they're in.
This protects accounts when a password leaks. Even if an attacker knows the password, they don't get the code unless they also stole the phone.
2. Approving sensitive actions
Bank transfer, changing personal details, deleting an account. Even a logged-in user needs to confirm with an additional code.
3. New account signup
To prevent spam and bots, a code is sent during signup to verify the number. Only someone who actually has the phone can complete registration.
4. Password reset
Forgot your password? Get a code via SMS, type it, set a new one. A fast alternative to emails that sometimes get delayed.
5. Authenticating a first login from a new device
User normally logs in from their phone, and suddenly logs in from an unfamiliar computer? The system notices and requires additional verification.
Requirements of a proper OTP system
Delivery speed
95% of messages need to arrive within 5 seconds. Beyond that, customers start assuming "something's broken" and take alternate actions (hitting reset again, trying a different flow).
Delivery reliability
99.9%+ delivery rate. Every 0.1% of failures = a user who can't log in. If you serve 100,000 logins a day, that's 100 users a day unable to get in.
How do you measure it? Detailed delivery reports. We covered this in the guide to SMS delivery reports.
Automatic fallback
If the SMS doesn't land within 30 seconds, the system should retry through an alternate provider. If that fails too, there should be additional options: an automated phone call that reads the code aloud, email, or even WhatsApp.
International support
If you have users overseas, the system has to support global sending. Good SMS providers route automatically through the right carrier for each country.
Limited validity window
A code valid for 10+ minutes is a security problem. A code valid for 30 seconds is a usability problem (not enough time to type). Industry standard: 5 minutes.
Attempt limits
After 3–5 wrong attempts, the system needs to lock the flow and require additional action. Otherwise you're inviting brute force.
Security — the threats and how to handle them
SIM swapping
The most common attack against SMS OTP. The attacker convinces the cellular carrier to port the victim's number to a SIM card they control. Then every OTP goes to them.
What do you do? For large financial transactions, SMS alone isn't enough — you need another factor (biometrics, a human agent calling to confirm). For most use cases, SMS is fine — the risk is low and the attack is expensive to pull off.
Phishing
An attacker sends a fake email/message asking for the code. The victim forwards it, and the attacker gets in.
Defense: the message text itself. Put "Do not share this code with anyone — not even a company representative" at the bottom of every OTP message.
Interception
Historically SS7 (the telephony signalling protocol) was vulnerable to interception. It's less so today, but still not bulletproof. That's why SMS alone isn't enough for major banks.
OTP message text — what to include
Examples of good phrasing:
"Your verification code: 847291. Valid for 5 minutes. Do not share with anyone."
"[Company]: Login code 394820. Valid until 17:45. If you didn't request this, ignore."
What to include:
• The code itself (clear, separated)
• Validity window
• Company name (identification)
• Warning about sharing
What not to include:
• Links (invites phishing)
• Account details
• Personal names
A dedicated Sender ID for OTP
Sophisticated businesses use a separate Sender ID per message type:
• "BankName" — for general messages
• "BankAuth" — for OTP only
• "BankInfo" — for info updates
The customer sees the difference in real time and knows a message from "BankAuth" is authentic. We covered Sender IDs in the Sender ID guide.
API — wiring your system in
OTP via SMS isn't a dashboard click — it's a code integration. Your system (web, app, server) calls your SMS provider's API:
  // Runs inside an async function (or an ES module, where top-level await is allowed)
  const response = await fetch('https://api.vibrate.co.il/v1/sms/send', {
    method: 'POST',
    headers: {
      'Authorization': 'Bearer YOUR_API_KEY',   // load the key from the environment, never hard-code it
      'Content-Type': 'application/json'
    },
    body: JSON.stringify({
      to: '+972501234567',                                     // E.164 format
      message: 'Verification code: 847291. Valid for 5 minutes.',
      sender: 'MyApp',                                         // the Sender ID the customer sees
      priority: 'high'                                         // priority routing for OTP traffic
    })
  });
What matters in an OTP API:
• priority=high parameter — so the message gets priority routing
• Immediate response — your system needs to know within 200ms whether the send succeeded
• Status webhook — to know whether the message was delivered or failed
More on API integration in the SMS guide for tech companies.
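The automatic fallback described under "Requirements" (retry through another provider if no delivery within 30 seconds, then voice, email or WhatsApp) combined with the status-webhook point above, as an added example that is not Vibrate's SDK or code from this page. Each channel returns a promise that settles when that provider's status webhook reports a final state; the channel objects, the 30-second deadline as a parameter and the fake channels are assumptions.

```javascript
// Added example: OTP delivery chain with automatic fallback across channels.
const DELIVERY_DEADLINE_MS = 30_000; // move to the next channel after 30 s without a delivery report

// Resolve with the channel's delivery report, or { status: 'timeout' } after deadlineMs.
function awaitDelivery(reportPromise, deadlineMs) {
  return new Promise((resolve) => {
    const timer = setTimeout(() => resolve({ status: 'timeout' }), deadlineMs);
    reportPromise.then(
      (report) => { clearTimeout(timer); resolve(report); },
      (err) => { clearTimeout(timer); resolve({ status: 'failed', error: String(err) }); });
  });
}

// channels: ordered list of { name, send(phone, text) -> Promise<{ status }> } where the
// promise settles when the provider's status webhook reports 'delivered' or 'failed'.
// Returns whether the code got through, via which channel, and an audit trail of attempts.
async function sendOtpWithFallback(phone, code, channels, deadlineMs = DELIVERY_DEADLINE_MS) {
  const text = `Your verification code: ${code}. Valid for 5 minutes. Do not share with anyone.`;
  const attempts = [];
  for (const channel of channels) {
    // Promise.resolve().then(...) turns a synchronous throw inside send() into a rejection
    const report = await awaitDelivery(Promise.resolve().then(() => channel.send(phone, text)), deadlineMs);
    attempts.push({ channel: channel.name, status: report.status });
    if (report.status === 'delivered') return { delivered: true, via: channel.name, attempts };
    // 'failed' (API error or webhook reported failure) or 'timeout': fall through to the next channel
  }
  return { delivered: false, via: null, attempts };
}

// Constructed fake channels (assumption): a real one would call the provider API, like the
// fetch call above, and resolve its promise from the status webhook.
function fakeChannel(name, outcome, delayMs = 0) {
  return {
    name,
    send: () => new Promise((resolve, reject) => {
      if (outcome === 'hang') return;             // delivery report never arrives
      setTimeout(() => (outcome === 'error' ? reject(new Error('HTTP 503'))
                                            : resolve({ status: outcome })), delayMs);
    }),
  };
}
```

Log the returned attempts array: the per-channel timeout and failure counts are exactly the latency and delivery-rate figures the SLA section below asks you to demand from a provider.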
OTP pricing
OTP pricing is similar to regular SMS: 4–7 agorot per message in Israel. For a company with 10,000 logins a month, that's ₪400–700. Relative to the value — account protection, fraud prevention — that's a minor investment.
Companies with large volume get tiered pricing:
• 10,000–50,000 OTPs/month: 4–5 agorot
• 50,000–200,000: 3.5–4.5 agorot
• Over 200,000: 3–4 agorot
More on scale pricing in the guide to bulk SMS sending.
Rate limiting — protection against attacks and mistakes
A big enemy of OTP systems: a user or bot sending OTP requests over and over. Every send costs money, and in bad cases it becomes a DDoS.
Basic rate limit:
• Max 3 OTP requests from the same user within 5 minutes
• Max 10 OTP requests from the same IP within an hour
• Max 30 OTP requests to the same phone number within a day
Anyone who crosses the threshold gets a CAPTCHA or a temporary block.
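The three limits above as an added example (not Vibrate's code): a sliding-window limiter keyed by user, IP and phone number. The in-memory store standing in for Redis, the function names and the choice to answer a refusal with a CAPTCHA (the page leaves CAPTCHA versus temporary block as policy) are assumptions.

```javascript
// Added example: the three OTP rate limits from the text as sliding windows.
const LIMITS = [
  { scope: 'user',  max: 3,  windowMs: 5 * 60 * 1000 },       // 3 per user per 5 minutes
  { scope: 'ip',    max: 10, windowMs: 60 * 60 * 1000 },      // 10 per IP per hour
  { scope: 'phone', max: 30, windowMs: 24 * 60 * 60 * 1000 }, // 30 per phone number per day
];

const events = new Map(); // "scope:id" -> request timestamps (ms); Redis in production (assumption)

// Count requests for `key` inside the window, dropping timestamps that fell out of it.
function recentCount(key, windowMs, now) {
  const ts = (events.get(key) || []).filter((t) => now - t < windowMs);
  events.set(key, ts);
  return ts.length;
}

// ctx: { user?, ip?, phone } (user is absent for unauthenticated flows such as signup).
// Returns { allowed: true } or { allowed: false, scope, action }.
// All scopes are checked before anything is recorded, so a refused request is not itself counted.
function requestOtp(ctx, now = Date.now()) {
  for (const { scope, max, windowMs } of LIMITS) {
    const id = ctx[scope];
    if (id === undefined) continue;
    if (recentCount(`${scope}:${id}`, windowMs, now) >= max) {
      // Policy assumption: a CAPTCHA first; escalate to a temporary block if it keeps happening
      return { allowed: false, scope, action: 'captcha' };
    }
  }
  for (const { scope } of LIMITS) {
    const id = ctx[scope];
    if (id !== undefined) events.get(`${scope}:${id}`).push(now); // key exists: recentCount created it
  }
  return { allowed: true };
}
```

Call requestOtp before generating and sending a code; the per-phone limit is the one that caps your SMS bill when a bot targets a single number from many addresses.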
SLA metrics a serious business should demand
• Uptime: 99.95% (under 22 minutes of downtime per month)
• Latency: 95% delivery within 5 seconds, 99% within 30 seconds
• Delivery rate: 99.5%+ in Israel
• Support: 24/7 technical support with under-an-hour response time
• Failover: If one provider drops, automatic failover to a backup within seconds
Beyond SMS — WhatsApp OTP
WhatsApp Business also offers OTP, at similar cost. Advantage: nicer UX (message with your logo). Disadvantage: requires the customer to have WhatsApp. The grown-up solution: a system that tries WhatsApp first, and falls back to SMS if it fails.
The full comparison is in WhatsApp Business vs SMS.
Infrastructure that holds under pressure
Vibrate provides dedicated OTP infrastructure: priority routing, automatic failover, built-in rate limiting, real-time delivery reports, and a 99.95% SLA. Documented API, SDKs for Node.js, Python, PHP, .NET. Start free with 100 OTP messages for testing.