Hi, We are looking to implement 2FA - so that users would be sent a Verification code over their Email and SMS to their phone.
We faced some limitations with Amazon SNS where we could either send the verification code to email OR to the phone number, while we want to send it to both.
We also are looking to make the 2FA more flexible by adding any other options later on.
What are the best alternatives to SNS for this use case and purpose? Looked at Twilio but want to explore other options before making a decision.
Would be great to know what the experience with Twilio has been, especially the limitations/issues with Twilio...
Appreciate any input from users of Twilio and others who have had similar use cases.
I would recommend Twilio as well. If you're objective is to get off the ground quickly and build something that is robust without much effort, Twilio really nails the developer experience and easy of use. It's also light on any kind of set up or infrastructure as code. That said, it's a lot more expensive that AWS alternatives, so if you're operating at scale you may want to look closer at AWS options.
Hi there, Ravi! Full disclosure: I used to work for Twilio.
User experience and developer experience are the primary reasons I'd recommend Twilio. Starting with user experience:
Simplicity: There's a reason companies with great engineering talent (like Stripe and Shopify) hand off the implementation of scalable 2FA infrastructure to Twilio - it's because they see improved user conversions and experience, by leaning on the dedicated Verification team at Twilio.
Reliability: Twilio has been building out even more regionalized infrastructure the past two years for improved service reliability. The Verify service also optimizes the telecommunications providers + sending phone numbers that are used if they ever detect lower-than-usual 2FA conversion rates (if they measure that users aren't entering 2FA codes at normal rates, they automatically route traffic differently to improve and ensure messages are getting delivered).
On the topic of developer experience:
Ease of integration: I worked with customers who had MFA proofs of concept running in one afternoon. Twilio has easy-to-understand documentation and code examples to get started in a variety of languages: https://www.twilio.com/docs/verify
Extensibility: As you mentioned in your post, you're considering SMS and Email channels for MFA today, but want to keep your options open for improving security and UX. Twilio already offers additional verification channels, like Voice, in-app Push Notifications, and TOTP integrations with authenticator apps like Authy and Google Authenticator. For additional security considerations, Twilio's Lookup API v2 provides a useful database of information about users' phones, to complement your MFA implementation.
Maintainability: Twilio has a solid track record for improving its Verification & security solutions since they've launched them, and last I knew while working there, planned to continue to invest strategically in these offerings.
