Is there any alternative beside sending One-Time-Password via SMS?

Why can't you use TOTP or HOTP, which are standard and supported by most authenticator apps?

When people register for your service they need to enroll their authenticator app by scanning a QR code which contains the secret seed used to generate codes.

On subsequent visits the site prompts them to enter codes generated by the app, without any network access, since codes are generated locally on the device.

As a bonus, since you're using standard protocols your users may already have a compatible authenticator app installed, and if not, you could nudge them into using the app for more services (their Google account, etc.). In the end, users are more secure and everyone wins.


Since the question is about ideas:

Automated voice call with PIN code verification before spelling out the OTP.

  • Very easy for inexperienced users - doesn't require additional software, instructions given in real-time, for example:

    Hello this is mirsad's verification system. Please enter your PIN to hear the password for your download

    Thank you, your password is ....., please use it within five minutes. Remember, do not give this password to anyone else!

  • Requires users to remember PIN code

  • Safer than SMS - prevents passive password retrieval (an attacker cannot read from the screen of an unattended device)

  • Requires measures to prevent snooping, for example:

    • listening side produces random audible tones during PIN input and retrieves user-provided code by calculating the difference (my bank does it)

    • ask the user to type a different set of random digits from a longer PIN, e.g. "press the 6th digit of your PIN, press the 3rd digit of your PIN" (my other bank does it)
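The positional-PIN challenge from the second snooping countermeasure above, as an added example that is not code from the answer or from any bank's system. It assumes an 8-digit PIN, three positions asked per call, and a lockout after three wrong answers; all of those parameters are assumptions. Note that a positional challenge only works if the server can recover the full PIN (a per-digit hash would be brute-forced in ten guesses), so the PIN must be stored encrypted at rest rather than hashed.

```python
import hmac
import secrets

# Assumed parameters (not from the original answer).
PIN_LENGTH = 8         # a longer PIN than a phone call would usually ask for in full
CHALLENGE_DIGITS = 3   # positions asked per call
MAX_ATTEMPTS = 3       # wrong answers before the account is locked


def ordinal(n):
    """1 -> '1st', 2 -> '2nd', 11 -> '11th', 23 -> '23rd' (for the voice prompt)."""
    if 10 <= n % 100 <= 20:
        suffix = "th"
    else:
        suffix = {1: "st", 2: "nd", 3: "rd"}.get(n % 10, "th")
    return f"{n}{suffix}"


def new_challenge(pin_length=PIN_LENGTH, k=CHALLENGE_DIGITS):
    """Pick k distinct 1-based positions in random order, using the OS CSPRNG."""
    return secrets.SystemRandom().sample(range(1, pin_length + 1), k)


def prompt_for(positions):
    """The text the IVR reads out for one challenge."""
    return "; ".join(f"press the {ordinal(p)} digit of your PIN" for p in positions)


def expected_response(pin, positions):
    """Digits of the stored PIN at the challenged positions, in challenge order."""
    return "".join(pin[p - 1] for p in positions)


def check_response(pin, positions, response):
    """Constant-time comparison of what the caller keyed in against the expected digits."""
    if len(response) != len(positions) or not response.isdigit():
        return False
    return hmac.compare_digest(expected_response(pin, positions), response)


class PartialPinVerifier:
    """Per-user state: the (decrypted) PIN, remaining attempts, and lock status."""

    def __init__(self, pin, max_attempts=MAX_ATTEMPTS):
        if not (pin.isdigit() and len(pin) == PIN_LENGTH):
            raise ValueError("PIN must be exactly %d digits" % PIN_LENGTH)
        self._pin = pin
        self.max_attempts = max_attempts
        self.attempts_left = max_attempts
        self.locked = False

    def challenge(self):
        return new_challenge(len(self._pin))

    def verify(self, positions, response):
        """True only if the account is not locked and the keyed digits match; failures count down to lockout."""
        if self.locked:
            return False
        if check_response(self._pin, positions, response):
            self.attempts_left = self.max_attempts
            return True
        self.attempts_left -= 1
        if self.attempts_left <= 0:
            self.locked = True
        return False


if __name__ == "__main__":
    # Constructed sample PIN for the demonstration; never log real PINs.
    v = PartialPinVerifier("48213795")
    ch = v.challenge()
    print(prompt_for(ch))
    print("accepted:", v.verify(ch, expected_response("48213795", ch)))
```

Each call still reveals the challenged digits to anyone listening, so a snooper who records several calls gradually learns the PIN; the attempt limit and a long PIN are what keep that from being cheap, and the constant-time compare is merely good hygiene on three digits.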


Vulnerabilities in A5/0 and A5/1 are unlikely to be a major issue for your authentication of a small system with a few hundred clients.

However, if you want to avoid using GSM as a delivery channel, you could have a time-based OTP (TOTP) using Google Authenticator. You would need to create a secret for each user on your server, which he/she can scan with the Google authenticator app. A sample of how this works is here
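The TOTP enrollment and verification flow that both the first answer and the answer above describe (a per-user secret, a QR code carrying that secret, codes generated locally on the device and checked by the server), as an added example in Python; it is not code from either answer, nor Google's or any authenticator app's code. It implements RFC 4226 HOTP and RFC 6238 TOTP with the stdlib only and builds the `otpauth://` provisioning URI that authenticator apps read from the QR code. The issuer name, time step and acceptance window are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote

# Assumed parameters (not from the original answers).
ISSUER = "ExampleService"   # placeholder issuer shown in the authenticator app
TIME_STEP = 30              # RFC 6238 default step, in seconds
DIGITS = 6                  # code length most apps display


def new_secret(nbytes=20):
    """Fresh 160-bit per-user seed, base32 without padding, as apps expect it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret_b32, account, issuer=ISSUER):
    """The otpauth:// URI to encode into the enrollment QR code (Key Uri Format)."""
    label = quote(f"{issuer}:{account}")
    return (f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={TIME_STEP}")


def hotp(secret_b32, counter):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^DIGITS."""
    pad = "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(secret_b32.upper() + pad)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret_b32, at=None):
    """RFC 6238: HOTP with counter = floor(unix_time / TIME_STEP). This is what the app computes offline."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // TIME_STEP))


def verify_totp(secret_b32, submitted, at=None, window=1):
    """Server-side check: accept the current step and `window` steps either side for clock skew."""
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return False
    now = time.time() if at is None else at
    step = int(now // TIME_STEP)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, step + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # Enrollment: generate and store the seed, show the URI as a QR code once.
    seed = new_secret()
    print(provisioning_uri(seed, "alice@example.com"))
    # Later login: the app shows totp(seed); the server runs verify_totp on what the user types.
    print("accepted:", verify_totp(seed, totp(seed)))
```

The window of one step each way is the usual compromise between tolerating phone clock drift and limiting how long a code stays valid; a production server should additionally refuse to accept the same code twice within its validity window, since TOTP codes are otherwise replayable for up to 90 seconds here.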