OTP Messages: How to Navigate Delivery Failures

When security meets convenience, the stakes are high. With cyber threats on the rise, one-time passwords (OTPs) play a critical role in preventing unauthorized access, but what happens when they don’t arrive on time — or at all?

The 2024 Verizon Data Breach Investigation Report highlighted that 31% of all breaches over the last decade involved stolen credentials. As a result, organizations and individuals are moving towards protocols such as multi-factor authentication (MFA) leveraging one-time passwords (OTPs). 

However, OTP messages are often email or SMS-based, and both channels are prone to delivery failures. In this article, we’ll analyze the key reasons behind OTP failures and identify the best ways to improve delivery because OTPs are key to brand perception, reliability, and security.

What are OTP messages?

OTP messages are time-sensitive alphanumeric codes sent to customers to verify their identity. OTPs can be used across many instances, such as:

• Identity verification while making a payment
• Persona verification during a login to an app or website
• Identity verification while collecting a parcel or mail delivery
• Geolocation verification while consuming content or utilizing a ticket booking

OTPs can be sent via SMS, email, WhatsApp, or push notifications, and delivery success or failure rates vary by channel.

Source: MoEngage

OTP delivery failures: impact and reasons

Have you ever tried logging into an account only to be left waiting for an OTP that never arrives? Frustrating, right? OTP messages play a crucial role in keeping things secure and seamless. But when they fail to deliver, it’s more than just an inconvenience - it can disrupt business operations, frustrate users, and even lead to security risks.

Impacts of failed OTP deliveries

Before we jump into the reasons for delivery failure, let's take a look at the consequences of OTP delivery failures.

Security lapses

If OTPs are undelivered, brands cannot verify customer identity. This creates a chain reaction, starting with customer experience. Customers will get frustrated and lose trust in your brand's security system. They might try an alternative access management solution, request another OTP, or try to bypass your verification protocols, resulting in serious security breaches. Over time, your customers will stop using MFA or two-factor authentication (2FA) and resort to weak passwords that are gullible to phishing attacks.

Compliance issues

Government regulations in most countries require brands to deploy extensive privacy and security practices. Since OTPs are a core aspect of multi-factor authentication, failure to deliver OTPs might compromise sensitive customer data and put your brand at risk of failing mandatory regulations.

Poor customer experience

Imagine that an important shipment is arriving at the customer's doorstep, but the OTP for them to receive it has failed. Or worse, imagine a customer trying an urgent payment or login session, but the OTP for verifying that has failed.

OTPs are used for critical customer use cases, and failure to deliver these causes immense frustration and breaks the flow of their journey. Over time, customers will abandon the purchase or transaction and churn from your brand.

Now that we've understood the negative impacts of the failure of OTP deliveries, let's analyze the reasons for failure.

Reasons for OTP delivery failure

Source: MoEngage

While most OTP deliveries are channel-dependent, other reasons for delivery failures include:

1. Network issues: Network issues such as poor signal strength on the recipient's phone and network congestion on the carrier's end can result in failed OTP delivery.
2. Carrier restrictions: During times of peak load, SMS and channel carriers might prioritize other messages at random, causing failures in OTP delivery.
3. Server issues: Server issues such as downtime, server overload, maintenance activities at the server's end, and DNS record mismatches can hinder OTP delivery.
4. Sending limits: No matter the channel, a certain limit is set for code deliveries to prevent abuse. When these limits are breached, the delivery of an SMS OTP or email OTP gets disrupted.
5. Sender reputation: If your sender reputation is low due to problematic email or SMS sending practices, your OTP deliveries take a hit.
6. Spam filters: If your email or SMS OTP services trigger spam filters, your messages will land in the spam folder instead of the customer's inbox, and your customers will never read them. 

Regardless of the many reasons for OTP delivery failure, brands can adopt strong practices to ensure better delivery. Let’s dive into a few of them.

How to ensure reliable OTP delivery

While certain channels may be more prone to OTP delivery failures than others, there are a few measures you can take to prevent such incidents.

A channel fallback mechanism

It's never a good idea to put all your eggs in one basket, especially for something as critical as transactional messaging or OTP delivery. If one channel fails to deliver your OTP, your infrastructure should be set up in a way that automatically falls back to the next available channel.

For example, if you're trying to send OTP via email and the email fails due to an unforeseen issue, your system should automatically switch to the next fallback option, such as an SMS OTP. 

Source: MoEngage

Here's how having a multichannel fallback mechanism will help:

Reliable delivery

By setting up your system to have multiple fallback options, you can ensure that your customers receive OTPs irrespective of channel-dependent failures. This reliability is critical for time-sensitive transactional messages and ensures that customers are always happy with their experience.

Low error rates

Channel fallback processes should also be automated, requiring minimal human intervention. That way, failures on one channel don't disrupt any flow, and an existing alternative can be used. This reduces the need for manual intervention, which further reduces the chance of OTP delivery errors.

Cost-efficiency

The cost of sending messages across each channel varies based on geography and usage. For example, email notifications cost less than SMS messages, and push notifications are entirely free of cost. To optimize your budgets, you should split your OTP delivery between channels based on their criticality and time-sensitive nature. For example, you can send delivery OTPs via push notifications, banking OTP via SMS, and transaction confirmation OTPs via email.

Better experience with freedom of choice

Having a multi-channel delivery infrastructure can allow you to provide customers with preferential options. Depending on the situation and urgency, they can choose the channel through which they wish to receive the OTP. This will boost customer experience and allow the customer to choose whichever channel works best for them at the time.

Vendor fallback mechanism

Similar to a multi-channel setup, employing multiple vendors for each channel is also essential. While this might feel cumbersome, it ensures better delivery of OTP notifications. Dependency on a single vendor might be easy, but it is a recipe for disaster.

Source: MoEngage

Here's how a vendor fallback mechanism helps:

Downtime management

Even with the best vendors, downtime is inevitable. If all your critical OTPs depend on that vendor, your system will fail, and your customers will not receive their OTPs.

To prevent this, you should always include multiple vendors in your tech stack. For example, your 2FA providers and infrastructure should be integrated with at least two vendors for email and two for SMS. That way, even if one email vendor faces downtime, you can immediately and automatically use the alternative vendor.

Load distribution

The volume of OTP requests might fluctuate across time and systems. If you distribute your request load across different vendors, you can optimize the delivery without overloading a single one. This way, even if one vendor poses certain limits in terms of load and peak, you will have alternative vendors to fall back on.

Limit management

Even if the vendor is able to handle peak loads, servers sometimes create limits to control the system. If your infrastructure has multiple vendors available, you won't be dependent on server-side limitations and might never even breach these limits.

How to monitor reliable OTP delivery

Like with any other customer-facing system, monitoring and analytics should be a core aspect of your systems and processes. The same applies to OTP deliveries as well. You should implement analytical mechanisms to receive delivery status updates and notifications.

Source: MoEngage

Here are the most important metrics you can track to ensure reliable OTP delivery:

1. Send time: This metric tells you how long it's taken between the customer requesting an OTP and them receiving it. This way, you can see if your send time is too long, in which case your sending system needs optimization.
2. Delivery rate: This is the ratio of the number of OTPs delivered to the total number of OTPs requested.
3. Verification rate: This ratio tracks the number of successful OTP or SMS text verifications to the number of OTPs requested. If this ratio is low, it might mean that your security system has a breach.
4. Failure rate: This ratio tracks the number of failed OTP requests against the total number of OTP requests.

Best practices for ensuring OTP delivery

While some OTP failures are unavoidable, businesses can minimize disruptions with the right strategies. Let’s explore the best practices for ensuring OTP delivery.

Instantaneous send time

OTPs should ideally arrive within 1-2 seconds of a customer requesting them. This means that the entire process of verifying the customer's credentials, generating a unique alphanumeric code, and getting the message delivered to the customer should happen within this time.

Your infrastructure, whether inbuilt or outsourced, should be able to handle instantaneous OTP delivery during both peak and load times.

Regular testing and optimization of delivery systems

"Test, test, and test again," said Adi Dassler, the founder of Adidas. This practice extends to any product or engineering effort, including critical OTP delivery.

If you're working with an inbuilt solution, as a standard practice, keep testing your systems and infrastructure. Perform regular unit testing, integration testing, functional testing, and acceptance testing. Also, make sure to perform white-box and black-box testing at periodic and random intervals.

This will help you optimize your infrastructure and ensure reliable delivery. If you're working with an outsourced solution, the solution's software team will take care of this.

Proactive system maintenance via patches, updates, and security measures

Each vendor or channel that you work with will go live with updates regularly. To keep up with this pace of releases, your team will have to push system maintenance via regular patches and updates as well. Your infrastructure will otherwise be buggy, and your integrations will become unreliable, leading to failed deliveries.

Similar to the above step, this only applies if you're working with an in-house solution. With outsourced or third-party platforms, this isn't a concern, as the platform will make sure to take care of this.

Audit logs and failure reports

Your OTP delivery infrastructure should also collect and store audit logs and failure reports as a mandatory process. This helps in two ways:

1. Compliance: Most government regulations require brands to store audit logs and failure reports.
2. Troubleshooting: You can analyze audit logs and failure reports to figure out what went wrong with a particular set of OTP alerts.

Source: MoEngage

Message formatting

When it comes to content, readability is of the utmost importance. The OTP code has to take center stage and be digestible immediately. 

Here are some best practices you can follow for the content:

• The focus and limelight should be on the OTP code. Whether it is an SMS, email, WhatsApp, or push notification, emphasize the code.
• Include information about the reason for the OTP. For example, if it is for a financial transaction, display the transaction amount and mention if it's a credit or debit transaction. You can also mention the buyer or seller with whom the customer is making the transaction. For other cases, display the reason for the OTP and its source. This will help if a hacker is trying to scam your customers.
• While including information, ensure that the content is clear enough not to make it easy to confuse the information with the OTP code itself.
• If the OTP is long, improve readability by breaking it into multiple visual blocks for easy understanding.
• If your OTP is time-sensitive, mention this and the duration for which it is valid clearly in the message.
• Add a link or helpline number that allows customers to quickly contact support in case of OTPs generated for wrong or fraudulent transactions.
• The content should be clean and easy to understand so that smartphones can easily detect and fetch OTP data from the default messaging app.

While SMS OTPs don't require design, your email, WhatsApp, and push notification OTPs would draw heavy reliance on design. Much like content, you can follow a few basic rules for the design to improve convenience and delivery.

• The design should focus on the OTP code.
• Do not overpower the code with too many graphics or colors.

• Make sure to reflect your brand's visual tone and language in the message.

Source: MoEngage

OTP security and customer privacy

While the OTP is an added layer of security for important actions and sometimes high-stakes transactions, there are chances for OTP leakage.

This happens when the OTP message falls into the wrong hands and compromises system and customer security. This can happen in multiple ways, such as SIM swapping, phishing attempts, or social engineering. In some cases, hackers can even send false "OTP failure" messages to customers while they intercept the real OTP on their end.

If you're working with an in-house solution, you should dedicate specific resources to ensuring the privacy and security of your delivery infrastructure. 

On the other hand, if you're working with an outsourced solution, make sure to validate the security and privacy practices of the third-party solution. Find out how many local and international compliances and security certifications they have incorporated, and understand the implications of lapses (if any).

Here are some more ways to ensure privacy and security for your OTP infrastructure:

• Complex tokens: Make your tokens more complex by combining numbers, alphabets, and special characters so that they are difficult to crack by guessing or brute force.
• Expiration time: Have a shorter expiration time to give no space for social engineering attacks.
• Input attempts: To reduce the risk of guesswork, limit the number of times that the OTP can be entered.
• Request limit: Limit the number of OTP requests that can be made from one source within a short frame of time.
• Encrypted delivery: No matter which delivery channel is chosen, ensure that the transmission of the OTP is encrypted and secure.
• Back-end verification: Ensure that your SMS authentication server, which verifies the code and maps it to customer identity, is as secure as your other systems.

OTP reliability in a security-first world

It is easy to overlook the benefits of MFA or OTPs and take them for granted because they are so common. However, the reality is that OTPs are the most critical notifications and immediately impact customer experience, brand image, customer retention, and government compliance. 

The consequences of a failed delivery are multi-fold. By focusing on the different aspects mentioned in this article, like delivery system security, fallback mechanisms, failure reports, instantaneous send time, and content formatting, you can ensure successful OTP deliveries and a good customer experience. 

Are you struggling with SMS reliability? The right platform makes all the difference. Check out the tried-and-tested best SMS marketing software.