2FA Chatbots vs. SMS Authentication

In this article, we’ll explain what a bot for two-factor authentication is and how 2FA chatbots (two-factor authentication with messaging service chatbots) work. We’ll look at the pros and cons of this one-time password delivery method and figure out which is best: 2FA bots or SMS authentication.

How did the Protectimus Bot token come to be?

One of our clients (a payment system with 2,000,000 active users) was spending about $30,000 per month on SMS delivery. They were using SMS to send out one-time passwords and system notifications (withdrawal and deposit notifications, informational messages, etc.).

This client gave us the task of developing a one-time password delivery method that would be just as convenient for end-users as SMS authentication, but more secure and less expensive. 

The solution we came up with while looking for SMS two-factor authentication alternatives is using 2FA chatbots on messaging services. Additionally, the Protectimus 2FA chatbots can be used to deliver both one-time passwords and notifications of any kind. Now, our client is saving about $20,000 per month that they used to spend on SMS messages.

2FA chatbots in instant messaging apps solve the majority of problems associated with SMS authentication: first, it’s more secure; second, it’s FREE! What’s more, chatbots are virtually just as easy to use as SMS.

How does two-factor authentication with chatbots work?

Currently, the ProtectimusBot chatbot is available on three messaging services: Facebook Messenger, Telegram, and Viber.

Practically every smartphone user already has at least one of these free messaging apps installed.

When a user enables two-factor authentication via Messenger, Telegram, or Viber, they:

  1. Choose one of the messaging services listed and find the ProtectimusBot on it.
  2. Request their unique ID using the /getid command.
  3. Input the ID they receive into the system they wish to protect.
  4. Then, the Protectimus two-factor authentication service will create a token and send it to the user via the 2FA chatbot.
  5. The user confirms that they received the one-time password by inputting it into the appropriate field. This also completes the token issuing process.

After that, all one-time passwords and messages from the service will be sent through the 2FA chatbot. Two-factor authentication using chatbots in messaging apps for Android and iOS is free for both our clients and their end-users.

You’ll find an example of how the Protectimus Bot token is issued in the video below.

https://youtu.be/gvFl2AQqz94

Let’s look into the technical side. The chatbot-based software OTP token supports all two-factor authentication algorithms: HOTP, TOTP, and OCRA. Because of this, the ProtectimusBot 2FA chatbots also support CWYS (Confirm What You See) data signing functionality. Data signing involves generating a one-time password based on data from the operation the user is performing; for example, transaction data can be used: the amount, currency, recipient, time, etc. This feature is indispensable for payment systems and banks. It’s impossible to use the one-time password, generated on the basis of such unique data, to sign an illicit transaction, even if an attacker intercepts the OTP. Currently, only four Protectimus tokens support CWYS functionality: the 2FA app Protectimus Smart, as well as Protectimus Mail, Protectimus SMS, and the 2FA chatbots.
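The CWYS data-signing idea described above, as an added example that is not part of the original article and not Protectimus’ own code: a response computed with the RFC 6287 OCRA data-input layout over a challenge built from the transaction fields the user is shown, so that an OTP captured for one transaction does not verify for another. The suite, key, transaction values, and function names are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed illustration of CWYS (Confirm What You See) data signing using the
# RFC 6287 OCRA data-input layout. Suite, key and transaction values are made up;
# this is not Protectimus' implementation.
SUITE = "OCRA-1:HOTP-SHA256-8:QA64"   # SHA-256 HMAC, 8 digits, text challenge <= 64 chars
DIGITS = 8
Q_LEN = 128                           # Q is always zero-padded to 128 bytes (RFC 6287 5.1)


def canonical_challenge(amount, currency, recipient, timestamp):
    """Serialise the fields the user is shown into one challenge string."""
    q = f"{amount}|{currency}|{recipient}|{timestamp}"
    if len(q) > 64 or not q.isascii():
        raise ValueError("transaction data does not fit the QA64 challenge format")
    return q


def ocra(key, question):
    """OCRA response over DataInput = Suite || 0x00 || Q (zero-padded to 128 bytes)."""
    data = SUITE.encode("ascii") + b"\x00" + question.encode("ascii").ljust(Q_LEN, b"\x00")
    digest = hmac.new(key, data, hashlib.sha256).digest()
    offset = digest[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


def sign_transaction(key, amount, currency, recipient, timestamp):
    """OTP the token (here: the chatbot) would show for exactly this transaction."""
    return ocra(key, canonical_challenge(amount, currency, recipient, timestamp))


def verify_transaction(key, otp, amount, currency, recipient, timestamp):
    """Server side: recompute the OTP from the transaction it is about to execute."""
    expected = sign_transaction(key, amount, currency, recipient, timestamp)
    return hmac.compare_digest(expected, otp)


if __name__ == "__main__":
    key = b"constructed-shared-secret-for-demo"      # constructed, not a real key
    # The user sees and approves this transfer; the OTP is bound to these fields.
    otp = sign_transaction(key, "250.00", "USD", "DE89370400440532013000", 1700000000)
    print("OTP for the displayed transaction:", otp)
    # A captured OTP does not verify once the recipient has been changed.
    print("Replayed on altered transaction:",
          verify_transaction(key, otp, "250.00", "USD", "GB29NWBK60161331926819", 1700000000))
```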

2FA chatbots vs. SMS authentication 

2FA chatbots: the pros and cons

Pros

  1. Chatbots for two-factor authentication are available at no cost to both clients and their end-users.
  2. The Protectimus Bot 2FA chatbot allows you to deliver both one-time passwords as well as other messages and notifications.
  3. Messages on these messaging services are transmitted in encrypted form, and Telegram in particular is among the most security-focused messaging apps. If someone intercepts a one-time password in transit, they won’t be able to decrypt it.
  4. Passwords are used to protect access to the messaging services over which OTPs are delivered. Additionally, access to messaging services can also be protected using two-factor authentication. 
  5. If someone attempts to log in to your account, you will immediately receive a notification. 
  6. Messages aren’t delivered over cellular networks. That means that GSM network vulnerabilities can’t be used to intercept one-time passwords.
  7. We also have yet to hear of any virus that can extract one-time passwords from messaging apps. On the other hand, viruses that extract OTPs from SMS messages are plentiful.
  8. The Protectimus Bot token can also be used outside of areas with cellular network coverage as long as internet access is available.
  9. Users don’t need to install another app or buy two-factor authentication hardware tokens. One of these messaging apps is already installed on 99% of users’ phones.
  10. Chatbots for two-factor authentication can even be used when you don’t have access to your phone — there are web-based versions of Telegram, Viber, and Facebook Messenger.

Cons

  1. Internet access is needed to use messaging apps. However, you’re more likely to have problems with cellular network coverage than with internet access. 3G/4G/5G technology is available wherever there is cellular network coverage. If there’s no coverage, you can find a Wi-Fi hotspot or use a wired internet connection.
  2. It’s possible to log in to messaging services from several devices and forget to log out, leaving multiple sessions active at once. For example, while writing this article, I have three active Telegram sessions: one on my smartphone, one on my work computer, and one on my laptop at home.
  3. To issue a token, users need to add the ProtectimusBot chatbot themselves.

| 2FA chatbots: Pros | 2FA chatbots: Cons |
|---|---|
| The 2FA token is available free of charge. | Internet access is required. |
| Messages are transmitted in an encrypted form. | Users must activate the ProtectimusBot chatbot themselves. |
| Access to messaging services is password-protected, and 2FA can also be enabled. | Users must be mindful of the risk of granting several devices access to a messaging service. |
| Users receive notifications when someone logs into their accounts from new devices. | |
| Cellular network problems do not affect the operation or security of the 2FA chatbots. | |
| Viruses capable of extracting messages from messaging apps are not yet known to exist. | |
| Users do not need to install new apps or order hardware tokens. | |
| 2FA chatbots can be accessed not only from smartphones, but also from computers and tablets. | |
| CWYS (Confirm What You See) data signing functionality is supported. | |
| Both one-time passwords and other kinds of messages can be delivered. | |

SMS authentication: pros and cons

Pros

  1. In short, there’s only one essential advantage to using SMS-based two-factor authentication: users don’t need to visit your office, give out their address to receive a hardware token, or install an app in order to start using one-time passwords. As soon as you have a user’s phone number, you can start sending them OTPs. Often, this single advantage is enough for clients to choose SMS-based two-factor authentication. Companies will readily sacrifice security for the sake of convenience.
  2. SMS authentication is also well suited to users of feature phones with a traditional keypad, who simply cannot install apps on their phones. This can also be considered an advantage. 
  3. Besides, just like Protectimus Bot, Protectimus SMS tokens support CWYS (Confirm What You See) data signing functionality.

Cons

The rest are solid negatives: SMS authentication is too expensive, and SMS-based two-factor authentication can be broken because it has too many weak points:

  1. SMS messages can be intercepted while being delivered over cellular networks.
  2. A one-time password can be intercepted directly on the user’s device by a virus.
  3. Attackers may request a replacement SIM card in order to gain access to a victim’s telephone number.
  4. Employees of an SMS service operator are often involved in such schemes.
  5. If a subscriber is located outside the network’s service area, they won’t receive an OTP.
  6. Companies spend hundreds of thousands of dollars paying for SMS delivery.

| SMS authentication: Pros | SMS authentication: Cons |
|---|---|
| 2FA tokens can be issued without any action on the user’s part. | Massive expenses. |
| No smartphone is needed; a feature phone is sufficient. | Cellular network vulnerabilities. |
| CWYS (Confirm What You See) data signing functionality is supported. | OTPs can be intercepted by smartphone viruses. |
| | A SIM card swap attack is possible. |
| | Unethical employees of mobile phone service companies may manipulate a SIM card. |
| | SMS delivery problems may occur if there is no cellular network connection or roaming coverage. |

In summary: 3 reasons to stop using SMS authentication and start using 2FA chatbots

Each approach to two-factor authentication has its strengths and weaknesses. However, after comparing SMS authentication to chatbot-based delivery of one-time passwords, we can clearly see that Protectimus Bot tokens win on every count:

  1. Financial efficiency. Using two-factor authentication via messaging services is more profitable from a financial point of view.
  2. Security. Multi-factor authentication using Telegram, Viber, and Facebook Messenger 2FA chatbots is many times more secure.
  3. Convenience. 2FA using messaging apps is no less convenient than SMS authentication and is even more convenient in some situations (for example, when using roaming).

Switch to messaging apps and save money while improving your level of security. If you have any questions, contact us by email at [email protected]

Specifications

1. Financial efficiency

| Specification | Protectimus Bot | Protectimus SMS |
|---|---|---|
| Free one-time password delivery | Yes | No |
| Free notification delivery | Yes | No |

2. Security

| Specification | Protectimus Bot | Protectimus SMS |
|---|---|---|
| Messages are transmitted in an encrypted form | Yes | No |
| Extra protection with a password or even 2FA | Yes | No |
| Risk of OTP interception during delivery over cellular networks | No | Yes |
| Risk of token compromise by swapping SIM cards | No | Yes |
| Risk of OTP being intercepted by a virus | No data | Yes |
| Risk of unethical employees of mobile phone service companies manipulating a SIM card | No | Yes |
| CWYS (Confirm What You See) data signing functionality is supported | Yes | Yes |

3. Convenience

| Specification | Protectimus Bot | Protectimus SMS |
|---|---|---|
| Internet access required for token to function | Yes | No |
| Cellular network service required for token to function | No | Yes |
| Tokens can be issued without any action on the user’s part | No | Yes, but the user must supply a phone number |
| No smartphone is needed; a feature phone is sufficient | Web-based versions of messaging apps can be used | Yes |

Author: Anna