Are one time passwords better than one time links for deliverability?
Summary
What email marketers say (9 marketer opinions)
Email marketer from Mailjet shares that delivering one-time passwords (OTPs) via SMS can be highly effective due to the immediacy and high open rates of text messages. However, it's essential to comply with SMS regulations, obtain user consent, and optimize message content for mobile devices to ensure successful delivery and a positive user experience.
Email marketer from StackOverflow user user12345 points out that OTPs delivered via SMS or email are susceptible to man-in-the-middle attacks. While HTTPS helps protect against eavesdropping, it doesn't prevent phishing or SIM swapping. Stronger authentication methods, such as hardware tokens or biometrics, may be necessary for high-security applications.
Email marketer from Reddit user u/sms_expert mentions that SMS deliverability is affected by factors like carrier filtering, content compliance, and phone number reputation. Using a dedicated short code and monitoring deliverability metrics can help optimize SMS campaigns and ensure reliable OTP delivery.
Email marketer from Okta notes that implementing multi-factor authentication (MFA) with OTPs can significantly improve security. However, it's important to choose the right delivery method based on user needs and risk tolerance. Factors to consider include cost, convenience, and security vulnerabilities.
Email marketer from Auth0 discusses the pros and cons of different OTP delivery methods, including SMS, email, and authenticator apps. While SMS and email are convenient, they are also vulnerable to phishing and interception. Authenticator apps offer stronger security but may require more effort from users.
Email marketer from Sendinblue explains that email deliverability is influenced by factors such as sender reputation, authentication protocols (SPF, DKIM, DMARC), email list hygiene, and engagement rates. Providing value to subscribers and avoiding spam triggers are crucial for maintaining good deliverability.
Email marketer from Proofpoint states that one-time passwords are still a threat. They should be monitored as a potential sign of cyber security attacks.
Email marketer from TechTarget explains the risks associated with SMS-based OTPs, including SIM swapping and interception. While SMS is convenient, it's not the most secure option for MFA. Organizations should consider alternative authentication methods, such as authenticator apps or hardware tokens, for sensitive transactions.
Email marketer from Neil Patel emphasizes the importance of sender reputation for email deliverability. This includes maintaining a clean email list, avoiding spam traps, and authenticating your email with SPF, DKIM, and DMARC. High engagement rates (opens and clicks) also contribute positively to sender reputation.
What the experts say (6 expert opinions)
Expert from Word to the Wise explains that tracking clicks and open rates does not always accurately represent deliverability or receipt.
Expert from Email Geeks explains that mailbox providers that track whether or not an email is opened do not use images to track the open, and in terms of deliverability there is zero difference between one time passwords and one time links (most places aren't tracking clicks, either). Senders track opens and clicks because that's all they have access to.
Expert from Email Geeks shares that they remember someone from Google once saying they don't track clicks, and expert Brett Schenker remembers someone saying that about clicks too. It was a panel with someone from Google, Microsoft and AOL/Yahoo, from what they remember, and the follow-up was something like "measuring clicks was too invasive". We all laughed at the comment after the initial shock of that news.
Expert from Email Geeks shares that Google has a patent on tracking mouse movements in the browser and assumes that, if the user is on a mail client owned and managed by the same company that owns the domain, they have the tracking they need to collect the data they want. Also explains that if the user is on something like Mail.app or Outlook it's a little different, and the only real signal the mailbox provider has is the IMAP flag going from read to unread.
Expert from Email Geeks answers that the webmail provider knows the email was opened without triggering the images, through the analytics in their website, both built into the server and layered on top of it. Activity that de-bolds the email in the list of emails likely counts as an open by the MBP.
Expert from Word to the Wise shares it is generally a bad idea to use URL shorteners in your email marketing. Many URL shorteners are used by spammers, and security systems are tuned to flag these shortened links as potentially malicious.
What the documentation says (4 technical articles)
Documentation from NIST shares that authentication and lifecycle management of an application is an important step in securing it against potential threats.
Documentation from Twilio states that OTPs are generally reliable for delivery, as they are typically transactional and time-sensitive. However, factors like phone number validity and carrier filtering can impact deliverability. Best practices include using a reputable SMS gateway, ensuring proper formatting, and providing clear instructions to users.
Documentation from Google outlines best practices for bulk email senders, including authenticating email with SPF, DKIM, and DMARC; maintaining low spam complaint rates; and providing easy unsubscribe options. Following these guidelines can help ensure that your emails reach Gmail users' inboxes.
Documentation from RFC 6238 specifies the Time-based One-time Password (TOTP) algorithm, which uses a shared secret key and the current time to generate a unique password. This standard does not directly address deliverability, but its widespread adoption ensures compatibility and security, indirectly contributing to user trust and potentially better engagement.
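To make the RFC 6238 reference concrete, here is an added example (not code from this page or from any of the vendors cited above) of the TOTP algorithm built on the RFC 4226 HOTP core, plus a server-side verifier that tolerates one time step of clock skew and compares codes in constant time. The secret is the ASCII test key from the RFC's own test vectors; everything else is Python standard library.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks the window
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30,
         t0: int = 0, algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter T = floor((time - T0) / X)."""
    return hotp(secret, (unix_time - t0) // step, digits, algo)


def verify_totp(secret: bytes, submitted: str, unix_time: int, used: set,
                window: int = 1, digits: int = 6, step: int = 30) -> bool:
    """Accept the code for the current step or up to `window` adjacent steps
    (client clock skew). Comparison is constant-time, and an accepted
    (counter) is recorded in `used` so the same code cannot be replayed."""
    base = unix_time // step
    for counter in range(base - window, base + window + 1):
        candidate = hotp(secret, counter, digits)
        if hmac.compare_digest(candidate, submitted):
            if counter in used:            # already redeemed: treat as replay
                return False
            used.add(counter)
            return True
    return False


# Constructed usage with the RFC 6238 Appendix B test key (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    redeemed = set()
    code = totp(RFC_TEST_SECRET, 1111111109)
    print(code, verify_totp(RFC_TEST_SECRET, code, 1111111109, redeemed))   # True
    print(verify_totp(RFC_TEST_SECRET, code, 1111111109, redeemed))         # False (replay)
```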