Authentication Methods

Interactive Voice Response (IVR)

Phone-based authentication method for one-time passwords and challenge-response.


IVR Challenge/Response

Cost-effective but non-compliant authentication

Mobile phones can be used for authentication via One Time Password (OTP) or Challenge-Response (CR or Y/N) delivered via Interactive Voice Response (IVR). This is a less-secure form of strong authentication because it is vulnerable to man-in-the-middle (MITM) attacks.

  • IVR OTP places a voice call to the user, who listens to the OTP. The user then enters the OTP at the login prompt and is approved.
  • IVR Challenge-Response places a voice call to the user, who hears a question asking whether the authorization attempt is approved. If the user replies “Yes”, authentication succeeds and the user is logged in. If the user replies “No”, authentication fails and the user is not logged in.
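The server side of the IVR OTP flow described above, as an added example (not SurePassID's code): it generates an OATH one-time password, builds the text a voice call would read out, and verifies the entered code as single-use with an expiry and an attempt limit. The choice of HOTP (RFC 4226) among the OATH algorithms, the class name, the prompt wording, the 120-second lifetime and the three-attempt limit are assumptions.

```python
import hashlib
import hmac
import secrets
import struct
import time

OTP_TTL_SECONDS = 120   # assumed validity window for a spoken code
MAX_ATTEMPTS = 3        # assumed limit on entries per login attempt


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """OATH HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def ivr_prompt(otp: str) -> str:
    """Text handed to a text-to-speech engine: digits read one at a time, twice."""
    spoken = ", ".join(otp)
    return f"Your one-time password is {spoken}. Again: {spoken}."


class IvrOtpSession:
    """One pending login attempt (hypothetical class): single-use, short-lived code."""

    def __init__(self, secret: bytes, counter: int, now=None):
        self.otp = hotp(secret, counter)
        self.expires = (time.time() if now is None else now) + OTP_TTL_SECONDS
        self.attempts = 0
        self.used = False

    def verify(self, entered: str, now=None) -> bool:
        now = time.time() if now is None else now
        if self.used or now > self.expires or self.attempts >= MAX_ATTEMPTS:
            return False
        self.attempts += 1
        ok = hmac.compare_digest(entered.encode(), self.otp.encode())
        self.used = ok   # a correct code cannot be replayed
        return ok


if __name__ == "__main__":
    key = secrets.token_bytes(20)          # constructed per-user secret
    session = IvrOtpSession(key, counter=1)
    print(ivr_prompt(session.otp))
    print("login approved:", session.verify(session.otp))
```

These checks limit guessing and replay of a spoken code. They do not address the MITM weakness the page names, because the user still types the code into whatever login page is in front of them.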

For organizations with visually impaired users, IVR Challenge/Response enables compliance with the Americans with Disabilities Act (ADA). However, IVR authentication is not compliant with NIST-based regulatory regimes due to its security vulnerability.



Pros

  • Very low cost to implement and maintain
  • Great for visually impaired users
  • Easy to self-provision or automatically provision
  • Easy to recover accounts and reprovision
  • Leverages BYOD (mobile phones)
  • Open standards-based (OATH)

Cons

  • Can’t work offline – requires a cellular connection
  • Can’t work if user forgets their mobile device
  • Not compliant – due to vulnerability to man-in-the-middle (MITM) attacks
  • Not viable for Secure Areas or other use cases where mobile phones are prohibited
