
How to Send OTP (One-Time Passcodes) Securely to Users (2026)

Learn the best practices for delivering OTPs, why SMS is increasingly insecure, and how to use out-of-band delivery.

If your application requires sending One-Time Passcodes (OTPs) for password resets or 2FA, how you deliver that code matters. Sending it insecurely defeats the purpose of the authentication check entirely.

The problem with SMS OTPs

For years, sending a 6-digit code via SMS text message was the standard. However, the National Institute of Standards and Technology (NIST) has deprecated SMS-based 2FA.

Why? Weaknesses in the SS7 signalling network allow text messages to be intercepted in transit, and SIM-swapping attacks let attackers have your users' phone numbers re-routed to devices they control.

Secure alternatives to SMS

1. Authenticator Apps (TOTP)

Instead of the server sending a code, the user's device generates it from a shared secret and the current time. This is highly secure because the secret leaves the device only once, during initial setup, and never travels across the network again; the codes themselves are never delivered over a carrier network at all.

2. Email OTPs (With caveats)

Email can be intercepted if TLS is not enforced between mail servers, but it is generally considered safer than SMS, provided the user's email account is itself protected by hardware 2FA.

3. Encrypted Magic Links

Instead of an OTP, send a specialized encrypted link (similar to the PassLink architecture) that authenticates the user when clicked.

Best practices when sending an OTP

  • Always enforce a short expiration window (5-10 minutes max).
  • Rate limit the OTP generation endpoint to prevent SMS pumping (toll fraud).
  • Never include the user's password or other sensitive PII in the same message as the OTP.
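The three practices above are easiest to get right when they live in one small issuing/verification service rather than scattered across handlers. The following is an added Python example written for this article, not PassLink's code: it generates a code with a short expiry, caps how often a destination can request one, caps wrong guesses, makes each code single-use, stores only a keyed hash at rest, and builds a message body that carries nothing but the code. The in-memory dictionaries, the limits, the `SERVER_KEY` value and the `+1555...` phone number are all constructed placeholders; a real deployment would use a shared store and a key from a secrets manager.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

OTP_TTL_SECONDS = 5 * 60      # short expiry window (the article's 5-10 minute ceiling)
MAX_SENDS_PER_HOUR = 3        # per-destination cap on the generation endpoint
MAX_VERIFY_ATTEMPTS = 5       # wrong guesses before the code is burned

# Constructed placeholder; in production this comes from a secrets manager.
# A 6-digit code has only a million possibilities, so a plain hash at rest is
# brute-forceable from a database dump. Keying the hash means a dump alone is
# not enough; the attempt cap and expiry provide the online protection.
SERVER_KEY = b"constructed-example-key-do-not-use"


def _keyed_hash(code: str) -> bytes:
    return hmac.new(SERVER_KEY, code.encode("ascii"), hashlib.sha256).digest()


@dataclass
class PendingOtp:
    code_hash: bytes
    expires_at: float
    attempts: int = 0


@dataclass
class OtpService:
    pending: Dict[str, PendingOtp] = field(default_factory=dict)
    send_log: Dict[str, List[float]] = field(default_factory=dict)

    def issue(self, destination: str, now: Optional[float] = None) -> Optional[str]:
        """Generate a fresh code for `destination`, or None if the send rate
        limit is exceeded. Only the keyed hash is kept server-side."""
        now = time.time() if now is None else now
        recent = [t for t in self.send_log.get(destination, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return None                      # rate limited: blocks SMS pumping
        self.send_log[destination] = recent + [now]
        code = f"{secrets.randbelow(10 ** 6):06d}"   # CSPRNG, never random.random
        self.pending[destination] = PendingOtp(_keyed_hash(code), now + OTP_TTL_SECONDS)
        return code

    def verify(self, destination: str, submitted: str, now: Optional[float] = None) -> bool:
        """Constant-time, single-use check with expiry and an attempt cap."""
        now = time.time() if now is None else now
        entry = self.pending.get(destination)
        if entry is None:
            return False
        if now >= entry.expires_at:
            del self.pending[destination]    # expired codes are discarded, not retried
            return False
        entry.attempts += 1
        if entry.attempts > MAX_VERIFY_ATTEMPTS:
            del self.pending[destination]    # too many guesses: burn the code
            return False
        if hmac.compare_digest(entry.code_hash, _keyed_hash(submitted)):
            del self.pending[destination]    # single use
            return True
        return False


def compose_message(code: str) -> str:
    """The delivered text carries the code and its lifetime, nothing else:
    no username, no password, no account details."""
    return (f"Your verification code is {code}. "
            f"It expires in {OTP_TTL_SECONDS // 60} minutes.")


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("+15555550100")        # constructed destination
    print(compose_message(code))
    print(svc.verify("+15555550100", code))  # True, then False on reuse
```

The same issue/verify structure applies to a magic-link token: swap the 6-digit code for a long random token embedded in the link, keep the keyed hash, expiry and single-use logic exactly as they are.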

Sharing TOTP Setup Keys

When setting up an authenticator app for a shared corporate account, you often need to share the QR code or the base32 secret. Never send this over Slack. Use PassLink to generate a self-destructing link for the TOTP secret.

Try PassLink: It's Free

Create an encrypted, self-destructing link in 10 seconds. No signup required.
