Are one time passwords better than one time links for deliverability?

Summary

The deliverability of one-time passwords (OTPs) versus one-time links isn't significantly different. Core deliverability practices, like sender reputation, proper authentication (SPF, DKIM, DMARC), list hygiene, and avoiding spam triggers, are paramount. While SMS OTPs offer immediacy, SMS deliverability depends on phone number validity and carrier filtering. Both methods have security vulnerabilities: SMS and email OTPs can be intercepted, and one-time links can be intercepted as well. Tracking metrics should be interpreted with caution; relying solely on clicks and open rates can be misleading. Security measures, regulatory compliance, user experience, and cost must be considered when choosing a delivery method. The adoption of standards like TOTP aids in security. Alternatives such as authenticator apps provide heightened security.

Key findings

  • No Major Deliverability Difference: No significant difference exists in deliverability between OTPs and one-time links; core email deliverability practices dictate success.
  • SMS OTP Characteristics: SMS OTPs offer immediacy, but SMS deliverability depends on phone number validity and carrier filtering.
  • Security Risks: Both SMS/email OTPs and one-time links are vulnerable to interception; security is a crucial factor to assess.
  • Tracking Limitations: Tracking metrics must be approached carefully; clicks and open rates don't always represent deliverability accurately.
  • Authentication Importance: Authentication and lifecycle management of applications improve security.

Key considerations

  • Security Trade-offs: Consider security vulnerabilities for each delivery method (SMS/email vs. one-time links), especially against phishing or man-in-the-middle attacks.
  • User Experience/Access: Evaluate user experience with the chosen method (e.g., authenticator app ease, SMS access), considering cost and user convenience.
  • Compliance & Regulation: Ensure compliance with SMS regulations and obtain user consent when using SMS for OTP delivery.
  • Alternative Methods: Consider more robust authentication methods like authenticator apps or hardware tokens for high-security applications.
  • Bulk Email Standards: Follow best practices for bulk email senders to ensure emails reach inboxes.

What email marketers say
9 Marketer opinions

While OTPs delivered via SMS can be effective due to immediacy, email deliverability for both OTPs and one-time links hinges on sender reputation, authentication (SPF, DKIM, DMARC), list hygiene, and engagement. SMS deliverability is also affected by carrier filtering and content compliance. Both methods have vulnerabilities: SMS and email OTPs are susceptible to interception and phishing, while one-time links can be intercepted. The choice depends on security needs, user experience, cost, and regulatory compliance. Stronger authentication methods may be needed for higher security.

Key opinions

  • Sender Reputation Matters: A good sender reputation, achieved through proper authentication, list hygiene, and engagement, is crucial for email deliverability, affecting both OTPs and one-time links.
  • SMS is Immediate but Regulated: SMS OTPs offer immediacy and high open rates but require compliance with SMS regulations and user consent.
  • Security Vulnerabilities Exist: Both SMS/email OTPs and one-time links are vulnerable to different types of attacks. SMS is vulnerable to SIM swapping, while email can be vulnerable to phishing attacks.
  • Alternatives Exist: Authenticator apps and hardware tokens are more secure OTP delivery options but may require more effort from users.

Key considerations

  • Security Needs: Evaluate the level of security required for the application. For sensitive transactions, consider stronger authentication methods than SMS or email OTPs.
  • User Experience: Balance security with user convenience. Consider the ease of use for the selected OTP delivery method.
  • Cost: Evaluate the cost of different OTP delivery methods. SMS can be more expensive than email or authenticator apps.
  • Regulatory Compliance: Comply with SMS regulations and obtain user consent before sending OTPs via SMS.

Marketer view

Email marketer from Mailjet shares that delivering one-time passwords (OTPs) via SMS can be highly effective due to the immediacy and high open rates of text messages. However, it's essential to comply with SMS regulations, obtain user consent, and optimize message content for mobile devices to ensure successful delivery and a positive user experience.

July 2024 - Mailjet

Marketer view

Email marketer from Stack Overflow (user user12345) points out that OTPs delivered via SMS or email are susceptible to man-in-the-middle attacks. While HTTPS helps protect against eavesdropping, it doesn't prevent phishing or SIM swapping. Stronger authentication methods, such as hardware tokens or biometrics, may be necessary for high-security applications.

June 2023 - Stack Overflow

What the experts say
6 Expert opinions

Experts indicate that deliverability is not significantly different between one-time passwords (OTPs) and one-time links. Mailbox providers track opens via analytics, not just images, and often don't track clicks. Tracking clicks and open rates may not accurately represent deliverability. It's also noted that URL shorteners should be avoided in email marketing due to their association with spam.

Key opinions

  • No Deliverability Difference: There is no significant deliverability difference between OTPs and one-time links.
  • Open Tracking: Mailbox providers use analytics, not just images, to track email opens.
  • Click Tracking Limitations: Most mailbox providers aren’t tracking clicks, either, so these metrics are more for senders.
  • Inaccurate Metrics: Tracking clicks and open rates does not accurately represent deliverability or receipt.
  • Avoid URL Shorteners: URL shorteners can negatively impact deliverability because they are often used by spammers.

Key considerations

  • Focus on Core Deliverability Practices: Instead of focusing on whether to use OTPs or one-time links, focus on aspects like sender reputation and proper authentication.
  • Data Privacy: Be aware that some mailbox providers may track mouse movements and other user behavior.
  • Monitoring Alternatives: Consider tracking alternatives to clicks and opens, such as conversions or other engagement metrics.

Expert view

Expert from Word to the Wise explains that tracking clicks and open rates does not always accurately represent deliverability or receipt.

August 2022 - Word to the Wise

Expert view

Expert from Email Geeks explains that mailbox providers that track whether or not an email is opened do not use images to track the open, and that in terms of deliverability there is zero difference between one-time passwords and one-time links (most places aren’t tracking clicks, either). Senders track opens and clicks because that’s all they have access to.

January 2023 - Email Geeks

What the documentation says
4 Technical articles

Documentation suggests that OTPs are generally reliable due to their transactional nature, but SMS deliverability is influenced by phone number validity and carrier filtering. Authentication and lifecycle management are important to security. Standards like TOTP promote compatibility. Following best practices for bulk email senders, like SPF, DKIM, DMARC, low spam rates, and easy unsubscribe options, helps ensure email delivery.

Key findings

  • OTPs Generally Reliable: OTPs are typically reliable for delivery, especially SMS-based OTPs, because they are transactional and time-sensitive.
  • SMS Deliverability Factors: SMS deliverability is impacted by factors like phone number validity and carrier filtering.
  • Email Authentication: Authenticating emails with SPF, DKIM, and DMARC is critical to ensure deliverability.
  • Standards Promote Compatibility: Widespread adoption of standards like TOTP ensures compatibility and security, which can indirectly contribute to better engagement.
  • Authentication is Key: Authentication and application lifecycle management improve security.
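
Because SPF, DKIM and DMARC results matter equally for OTP and one-time-link mail, a sender can check them on a message that actually arrived at a seed mailbox. The following is an added example, not code from any of the cited sources; the sample message, the domains and the function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample: an OTP email as received, carrying the header that the
# receiving mailbox provider adds (RFC 8601). All domains are placeholders.
SAMPLE_OTP_MAIL = """\
Authentication-Results: mx.receiver.example;
 spf=pass smtp.mailfrom=bounce.sender.example;
 dkim=pass header.d=sender.example header.s=otp1;
 dmarc=pass (p=reject) header.from=sender.example
From: Login <no-reply@sender.example>
To: user@receiver.example
Subject: Your sign-in code

Your code is 000000. It expires in 10 minutes.
"""

METHODS = ("spf", "dkim", "dmarc")

def auth_results(raw_message, trusted_authserv_id):
    """Return {method: result} taken only from the receiver's own headers."""
    msg = message_from_string(raw_message)
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        value = re.sub(r"\([^)]*\)", "", header)  # drop (non-nested) comments
        authserv_id, _, rest = value.partition(";")
        # Headers stamped by any other host may have been supplied by the
        # sender, so they are ignored.
        if authserv_id.strip().lower() != trusted_authserv_id.lower():
            continue
        for clause in rest.split(";"):
            m = re.match(r"\s*(\w+)\s*=\s*(\w+)", clause)
            if not m or m.group(1).lower() not in METHODS:
                continue
            method, result = m.group(1).lower(), m.group(2).lower()
            if results.get(method) != "pass":  # one passing signature is enough
                results[method] = result
    return results

def delivery_risks(results):
    """List methods that did not pass, including ones missing entirely."""
    return [f"{m}={results.get(m, 'missing')}" for m in METHODS
            if results.get(m) != "pass"]
```

An empty list from `delivery_risks` means the seed message passed all three checks at that receiver; it says nothing about inbox versus spam-folder placement.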

Key considerations

  • SMS Gateway Reputation: Use a reputable SMS gateway for improved SMS deliverability.
  • Email Sender Best Practices: Adhere to bulk email sender best practices to improve email deliverability.
  • Monitor Spam Complaints: Maintain low spam complaint rates to avoid deliverability issues.
  • Clear Instructions: Provide clear instructions to users when sending OTPs via SMS or email.

Technical article

Documentation from NIST shares that authentication and lifecycle management of an application is an important step in securing it against potential threats.

June 2023 - NIST

Technical article

Documentation from Twilio states that OTPs are generally reliable for delivery, as they are typically transactional and time-sensitive. However, factors like phone number validity and carrier filtering can impact deliverability. Best practices include using a reputable SMS gateway, ensuring proper formatting, and providing clear instructions to users.

September 2024 - Twilio