How to combine SMS, Email and Voice for multi-factor authentication (MFA)
Bird
Jul 12, 2021
Authentication
1 min read
Key Takeaways
Passwords alone no longer provide sufficient protection — 80% of data breaches stem from weak, reused, or stolen passwords.
SMS-based authentication is widely adopted due to its ease of use, global reach, and ability to block bots, bulk phishing, and most targeted attacks.
Despite its strength, SMS alone is not enough; combining SMS, Email, and Voice creates a more secure, resilient MFA strategy.
MFA can block 99% of breaches, making it one of the highest-impact, lowest-cost security upgrades for any business.
Each authentication channel serves different use cases:
SMS: best for mobile apps, account creation, logins, and transactions
Email: best for web flows, updates, non-urgent verification
Voice: useful for accessibility and high-security or time-sensitive verifications
Businesses should design MFA around use case, customer preferences, reasons for verification, and pricing considerations.
Conversion rate varies by channel — SMS typically performs best, but logs and analytics reveal true audience preferences.
Email is useful in regions where SIM swapping is prevalent, and as a backup during SMS delivery issues.
Voice serves as a strong fallback for critical actions where SMS may fail.
Multi-channel MFA improves conversion rates, blocks more breaches, and verifies more real users.
Bird’s Verify API supports MFA across SMS, Email, and Voice with enterprise-grade security (ISO 27001, GDPR, PSD2) and encrypted, direct-to-carrier connections.
Bird offers 250+ carrier connections, 140 countries for local numbers, success-based pricing, and dedicated MFA support.
Q&A Highlights
Why isn’t a password alone enough for authentication?
Because weak, reused, or stolen passwords account for the majority of data breaches.
What makes SMS authentication so popular?
It’s fast, global, easy to implement, familiar to users, and blocks a large percentage of common attacks.
What is multi-factor authentication (MFA)?
A layered verification method that uses two or more channels—like SMS, Email, and Voice—to confirm a user’s identity.
How does MFA improve security?
It dramatically reduces fraud risk by requiring attackers to compromise multiple independent factors.
When should SMS be used for verification?
During account creation, logins, transactions, and mobile-first flows.
When is Email a better choice?
For web flows, account updates, or when users don’t have their mobile device nearby.
How does Voice fit into MFA?
It’s useful for high-urgency cases, accessibility needs, and as a backup when SMS delivery is unreliable.
What factors should a business consider when choosing an MFA channel?
Use case, user preferences, regulatory requirements, and cost per destination.
Why is user preference important for MFA?
It affects conversion rates — customers are more likely to complete verification using their preferred channel.
How does pricing influence MFA strategy?
SMS pricing varies by country, so combining channels can help reduce costs while maximizing security.
Does combining channels improve security?
Yes — using SMS, Email, and Voice together significantly increases protection and reduces fraud.
How does Bird support MFA?
Through the Verify API, which provides secure SMS, Email, and Voice verification backed by global carrier connections, compliance, and success-based pricing.
Verification requires more than a password
When it comes to authentication, passwords alone aren’t enough to keep your business and customers secure.
Industry standards and regulations today require your business to establish security mechanisms that protect user data and accounts.
80% of known data breaches are due to weak, reused or stolen credentials (Last Pass)
You’ve adopted an SMS authentication process — the most common, easiest and quickest verification method to implement and distribute to users worldwide.
For end-users, SMS authentications provide quick, seamless experiences to verify their account. Customers and employees alike have grown accustomed to using SMS authentications across the customer journey to:
create an account
log in
complete transactions
make changes to their account
While SMS-based authentication can block 100% of automated bots, 96% of bulk phishing attacks and 76% of targeted attacks (Google), multi-factor (multi-channel) authentication will strengthen the security across the customer journey to improve conversion rates, prevent fraud and protect your users.
Take your verifications to the next level with multi-factor authentication (MFA).
Enable a strong multi-factor authentication (MFA) with SMS, Email and Voice to add a layer of protection
How to use multi-factor authentication to verify your customers
There are multiple elements that must be considered when selecting a channel for MFA: use case, user preferences, reasons for verification and pricing.
Use case
Things to consider:
What moment of the user journey do you need to verify the identity of your users? Is that transaction critical?
Is it time sensitive?
Does your user have more time to perform that specific transaction for example like in contact updates?
Can it be done from any device?
Best practices:
Look for variation across the user journey. Users prefer SMS for mobile applications. Email is normally more user-friendly for web applications or when users don’t have their phone nearby. We suggest testing the following combinations:
Account creation and verification: SMS and Email
Logins: SMS, Voice and Email
Transactions: SMS and Voice
Contact updates: Email
User preferences
Things to consider:
What is your customer’s preferred way of authentication on your platform?
Which channel has the highest conversion rate?
Does the conversion rate change at different points in the customer journey?
Best practices:
Our data says SMS is still the preferred way to receive OTP codes. However, the proper way to understand what the preferred way of authentication is for each customer is to analyze your performance reporting and logs.
Reason(s) for verification
Things to consider:
Are you trying to comply with certain standards or regulations?
Are you trying to protect users' data?
Are you trying to prevent fraud and get a more robust secure solution?
Best practices:
Most likely all of them, but identifying these reasons will allow you to define the MFA strategy that best fits your needs. For example, SMS remains secure and compliant in most places but if SIM swapping is common in your destinations, email should be considered.
Price
Things to consider:
Sending OTPs are priced per transaction and it varies depending on the destination — some countries are more expensive than others.
Best practices:
Explore the pricing in each destination you are sending. The right provider will help you understand the best price per channel, destination and use case. Plus, it will allow you to only pay for successful authentications to ensure you get the best ROI.
The key is to leverage Email and Voice to improve SMS and vice versa for your authentication process.
Combining these channels will establish a more complete authentication solution for your business:
Improved conversion rates
More breaches blocked
More real user verified
Verify API with Bird means MFA optimized for security, speed and cost
Supporting your MFA authentication is easy with Bird's Verify API.
Bird’s multi-factor authentication platform connects you to enterprise-grade security, compliant worldwide.
Bird is 27001:2013 certified, GDPR and PSD2 compliant. Plus, all data is encrypted at REST and in transit — with direct, encrypted end-to-end SMS connections.
On top of its security, Bird’s SMS platform gives you best-in-class deliverability. Whether you’re sending hundreds or millions of codes, our infrastructure has 250+ direct-to-carrier connections to ensure your SMS is delivered fast and reliably around the world.
Bird’s Email platform powered by SparkPost also connects you to industry-leading security and deliverability trusted to optimally deliver 40% of all commercial emails — that always uses DKIM, SPF and DMARC protocols.
For Voice, Bird’s direct access to over 250 global telcos means your authentication messages are optimized for security and speed.
Use our Numbers API to programmatically buy and use local numbers in 140 countries — to easily deploy cost-effective verification where needed.
Bird’s Verify API paired with our powerful global infrastructure and dedicated MFA support means you can continually optimize your authentication process.
