
SMS Two-Factor Authentication: Stronger Sign-In for Every Role

Two-factor authentication is one of the highest-leverage security controls there is — but it only works if people actually use it. Authenticator apps are excellent, yet not every staff member is comfortable installing one, and some roles simply won't. So we added a second option that nearly everyone already knows how to use: a code by text message.

TOTP and SMS, Side by Side

Zeph already supported TOTP — the six-digit codes from apps like Google Authenticator, Authy, or 1Password. Now SMS sits right alongside it. During sign-in, a user enrolled in SMS receives a one-time code at their verified phone number; entering it completes the login. The challenge screen even shows a masked hint of the destination number and offers a resend, so there's no guesswork.

Built to Be Safe, Not Just Convenient

Convenience can't come at the cost of security, so the SMS flow is hardened under the hood:

  • Codes are never stored in the clear — they're salted and hashed, so a database snapshot can't reveal a valid code
  • Short-lived and single-use — each code expires after ten minutes and can't be replayed once used
  • Rate-limited — sending and enrollment are throttled to blunt abuse and brute-force attempts

Administrators Set the Policy

Different offices have different risk postures, so the choice isn't a free-for-all. Administrators decide which methods are allowed through an MFA policy: permit both TOTP and SMS, or restrict to authenticator apps only where policy demands it. Users enroll within the boundaries you set, and they can manage their own enrollment — adding a phone, verifying it, and switching methods — from their account settings.

Lower the Barrier, Raise the Floor

The goal is simple: get more of your team protected by a second factor. By meeting people where they are — with a method they already understand — SMS two-factor raises the security floor for the whole office without forcing anyone up a learning curve. It plugs into the same authentication system, the same audit trail, and the same role-based controls that govern the rest of Zeph.

Talk Through Your MFA Requirements

Whether you need both methods or authenticator-only, we'll help you configure an MFA policy that fits your security posture and your staff.
