
How RCS OTPs strengthen authentication and protect users


What if there was a way to always be sure that the person you’re talking to is who they say they are? Businesses use one-time passwords (OTPs) to identify users globally. But with fraud in business messaging on the rise, consumers need secure, reliable ways to know they’re communicating with a trusted brand rather than a fraudster. What if users could be sure they were always talking to your brand?

RCS messaging offers a way for customers to always know who they’re talking to while also giving businesses a way to authenticate users. Win-win! With business features like verified sender profiles and interactive branded messages, RCS messages are delivered to a user’s native messaging app. And with Apple now supporting RCS in iOS 18, it’s set to redefine how brands and users identify each other.

Let’s jump into how sending OTPs via RCS can help your business and reassure customers with secure, trusted interactions.

What is an RCS OTP?

RCS OTP messages are a way for brands to send one-time passwords via Rich Communication Services (RCS). Basically, when a user needs to authenticate an account or transaction, they’re sent a unique password via RCS to their registered mobile phone number that can only be used once and expires after a short period of time. This is done to add an extra layer of security as compared to just entering a username and password. 

RCS OTPs are sent via RCS Business Messaging (RBM), the business solution for RCS. RBM accepts the following as OTP message scenarios:

  • Sign-ups
  • Logins
  • Approvals

We’ll dive into specific practices for each of these later, but it’s also important to note what kind of content you’re not allowed to send via an RBM OTP message:

  • Product information and notifications 
  • Offers, promotions, discounts, upgrades, or information related to goods and services 

Instead, RBM offers different message types for brands that want to send promotional or transactional messages, each of which has its own rules for what’s allowed. Learn more about agent use cases for RCS business messaging.

SMS OTPs vs RCS OTPs

Short Message Service (SMS) is the default choice for sending OTPs because it’s universal – everyone with a mobile phone can get SMS, no app is needed, and messages arrive almost instantly. However, SMS OTPs are vulnerable to types of fraud like smishing, where a fraudster impersonates a legitimate business.  

This is where RCS shines. RCS requires brands to be verified by a third party to use a name and logo, meaning that all branded messages come from verified sender profiles by default. Plus, end users’ familiarity with branded messaging will create better trust, making it harder for bad actors to successfully execute phishing attacks.  

Some may point out that SMS still has a clear advantage, as not all devices support RCS yet. However, with Apple now supporting RCS for peer-to-peer (P2P) messaging and starting to roll out RBM in iOS 18.1 in select markets, RCS could become as common as SMS in the future.

Want to learn more? Providers like Sinch can help you send OTPs over RCS to phones that support it, and over SMS to the rest. This way, your users get your messages, and they get the best experience possible no matter what kind of phone they have. Get in contact with our team to learn more.

How does the RCS OTP process work?

Now that you have a basic understanding of why a business might choose to send OTPs via RCS, let’s talk about what it might look like in real life.  

The process is super straightforward. In fact, from a customer’s perspective, nothing changes in the 2FA process they’re used to, except that the message comes from a verified sender. Here’s what the RCS verification process looks like from the customer’s perspective:  

  1. Receive a code: After entering their username and password on your site, users will get an RCS message with a one-time code.   
  2. Enter the code: Users open the message and enter the code on your website, app, or other platform to prove they’re the rightful account owner.   
  3. Access granted: Once they enter the code correctly, their identity is confirmed, and they’ll be granted access to their account. 

This process is known by security specialists as “out-of-band authentication,” and it’s as simple as that. There are no added steps for a customer to verify their identity via an RCS OTP versus an SMS one. The process not only helps brands verify identities, but end users expect this type of authentication as it’s common practice.
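The server side of the three steps above, sketched as an added example (not code from Sinch or from the original article): it issues a code that works once, expires, and is bound to one user and one of the RBM OTP scenarios. The five-minute lifetime, the five-attempt cap, and every name below are assumptions; handing the code to an RCS or SMS provider is left out.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed lifetime; the article only says "a short period"
MAX_ATTEMPTS = 5        # assumed guess limit, not taken from the article
PURPOSES = {"signup", "login", "approval"}  # the RBM OTP scenarios listed above

class OtpStore:
    """Hypothetical in-memory store of pending codes, keyed by (user, purpose)."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)  # server-side MAC key, never stored with the codes
        self._pending = {}
        self._clock = clock

    def _mac(self, user_id, purpose, code):
        # Binding the MAC to user and purpose means a login code cannot approve a payment.
        msg = f"{user_id}|{purpose}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id, purpose):
        if purpose not in PURPOSES:
            raise ValueError("not an OTP scenario")
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, fixed six digits
        # Issuing again replaces any earlier code for the same user and purpose.
        self._pending[(user_id, purpose)] = {
            "mac": self._mac(user_id, purpose, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code  # passed to the messaging provider, never logged

    def verify(self, user_id, purpose, submitted):
        key = (user_id, purpose)
        entry = self._pending.get(key)
        if entry is None:
            return "no_pending_code"
        if self._clock() >= entry["expires"]:
            del self._pending[key]
            return "expired"
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[key]  # force a fresh code after too many guesses
            return "too_many_attempts"
        if hmac.compare_digest(entry["mac"], self._mac(user_id, purpose, submitted)):
            del self._pending[key]  # single use: a replayed code finds nothing
            return "ok"
        return "wrong_code"
```

The `clock` parameter exists so expiry can be exercised without waiting; in production the store would live in a shared cache rather than process memory.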

RCS OTPs are great for banks or financial institutions that want to add security measures that will secure their end-users and mitigate business risk.

Benefits of RCS OTPs

Generally, one-time passwords offer businesses enhanced fraud protection, global reach, and ease of use. They’re also versatile and widespread because almost everyone has a mobile device.

But using RCS for OTPs brings even more advantages. Let’s look at a few unique benefits RCS OTPs can offer your business.

Better security

One-time passwords are a surefire way to add a layer of security to your users’ accounts. When you send OTPs via RCS, it not only adds legitimacy but also reinforces security, as recipients will see your official brand name, color, and a distinctive checkmark in each message.  

Many banks use OTP solutions to satisfy the EU Payment Services Directive 2 (PSD2) for Strong Customer Authentication (SCA). While all OTP solutions present an opportunity for an OTP code to get in the hands of a bad actor, RCS mitigates this somewhat by making it a little harder for an end user to click on malicious links delivered to their messaging clients. 

Branded messages build trust

We’ve mentioned branded sender profiles before, and they’re worth emphasizing because they’re a key benefit of RCS business messaging. These profiles signal that your messages are genuinely from your business, which helps with brand trust.

With RCS, a user can see from your business profile and in every message that the messages come from a verified source.

This visual cue of your branded identity on your business profile is especially important as you’re sending OTPs because it makes it harder for the user to be phished.

Ease of integration

When starting with a new rich messaging channel, you might worry about the hassle of integration, cost, and maintenance. And for some CPaaS providers offering RCS, that might be the case!  

But for a lot of businesses working with Sinch, starting to send OTPs via RCS is super easy. That’s because many businesses can use similar pricing and the same API they already use for SMS OTPs to send RCS OTPs. This essentially means that SMS OTP messages are “upgraded” to RCS OTPs when the device is RCS-compatible, while phones that aren’t RCS-enabled still receive SMS OTPs. This makes it a super easy option for businesses that don’t have the time or resources for a new API but still want to benefit from RCS.

For some brands, this is an easy switch, and it’s how EasyPark Group, the world leader in digital parking, sends RCS messages in Germany. They were using multiple vendors for SMS reminders, which meant spending a lot of time troubleshooting delivery issues in different countries. 

Switching to sending messages with Sinch simplified everything. Now, they send messages as RCS when possible and SMS when the device isn’t RCS-enabled.

Customers with Android devices know messages are coming directly from EasyPark because they’re sent using RCS. 

In Germany, about 40% of their messages are now sent via RCS, giving users visual reassurance that the messages are legitimate. The rest are delivered via SMS. Plus, their delivery rates jumped up to 97.4% with Sinch!

Use cases of OTPs for RCS

You might think that RCS OTPs can be used in all the same situations where you already use SMS OTPs. And you’re probably right! Let’s look at some common cases for sending OTPs via mobile channels and why RCS gives you an advantage.

Online payments

RCS OTPs are great for online payments, especially if you’re a bank needing to verify customer transactions.  

Plus, because RCS messages don’t have the same character limit as SMS, they can include the user’s transaction details and other useful information which might help give them a better experience, and give them confidence that someone else hasn’t taken over their account. 

Account and identity authentication

Whether your company is a bank or a retailer, it’s important to keep all customer interactions secure without slowing people down. If your account login or checkout process is too complicated, customers might look for easier options with your competitors.  

RCS OTPs are perfect for adding security in account and identity authentication processes without extra steps. They deliver quickly, just like SMS, so your customers won’t notice a difference – except they’ll see your trusted, verified logo in every message.

Password resets

You can also use RCS OTPs for password resets. When a user initiates a request, you can send an RCS OTP message to their registered mobile number to confirm their identity. Plus, from their perspective, the branded message arrives quickly, meaning they can complete the process without any hassle.

Access control

RCS OTPs are a great option to help ensure that only the right people can log in and access sensitive data or workflows. This could be helpful for applications where only authorized individuals should be able to access certain information.  

Start using RCS for user authentication

So, there you have it. Now you’ve seen how RCS can help add an additional layer of verification to help you make sure your customers are who they say they are. And at the same time, RCS helps your customers recognize and trust your brand with branded messages. By using RCS OTPs, you’re both protecting your users and strengthening your brand’s reputation. That’s a win-win for security and customer satisfaction! 

If you’re sold on RCS but now want to convince the rest of your organization, download our free guide on how to make a compelling business case for RCS. It has many more details about RCS and includes a ready-to-use business case template for you to use. 
