Nexmo Inc.

Verify API for 2FA using a Mobile Phone

Nexmo Verify API allows you to implement two-factor authentication (2FA) using short-lived verification codes sent to a mobile or landline phone by SMS or an automated voice call.


  • Cloud-based (REST) Verify API
  • 2FA - Two Factor Authentication
  • Phone number type detection
  • Automatic retries and failover to voice ensuring verification code delivery
  • Global country and carrier compliance to prevent message filtering
  • Templates and languages matching local preferences
  • Analytics dashboard
  • Optimized PIN Code length and expiry timing
  • Only pay for successful verification


  • Maximize verification success rates
  • Speed up code delivery and improve user experience
  • Go live instantly with simple API integration
  • Track your performance in real time
  • Block spammers and fraudsters


£0.087 per transaction

Service documents

G-Cloud 9


Nexmo Inc.

Mark Summerson

+44 (0) 7802 466766

Service scope

Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to Nexmo Verify API is available as an extension to many third party platforms and services, examples include:

Amazon Web Services (AWS), Amazon Simple Notification Server (SNS), Zoho, Salesforce, Zendesk, Telerivet, MailChimp, Campaign Monitor, JIRA, Sugar CRM, Freshdesk, Google Cloud, Magento, Microsoft Dynamics CRM, Miva Merchant, Heroku, Microsoft Azure, Confluence.
Cloud deployment model Public cloud
Service constraints None. Service affecting incidents would be alerted to users via
System requirements HTTP REST API or web client support

User support

Email or online ticketing support Email or online ticketing
Support response times Standard Support Offering: Monday to Friday, High or Urgent priority tickets receive a response within 2 hours and Normal or Low priority tickets receive a response within 6 hours. During the weekend, High or Urgent priority tickets receive a response within 4 hours, whilst Normal or Low priority tickets receive a response on Monday.

Our Premium Support customers receive a response within 30 minutes for High or Urgent priority tickets and 1 hour for Normal or Low priority tickets. This response time is the same 24 hours a day, 7 days a week.
User can manage status and priority of support tickets Yes
Online ticketing support accessibility None or don’t know
Phone support Yes
Phone support availability 9 to 5 (UK time), Monday to Friday
Web chat support Yes, at an extra cost
Web chat support availability 24 hours, 7 days a week
Web chat support accessibility standard None or don’t know
How the web chat support is accessible Via Nexmo website
Web chat accessibility testing None
Onsite support No
Support levels We offer two levels of support. Standard Support is included at no additional cost beyond the price you pay for utilisation of our services; this level of support does not include phone support. Premium Support includes faster response times, is 24/7, and includes phone support and chat as well as a dedicated support engineer. Premium Support costs an additional £5,000 per month.
Support available to third parties Yes

Onboarding and offboarding

Getting started Nexmo provides an online service including all documentation and tutorials.

New users can sign-up for services for free and start testing at
Service documentation Yes
Documentation formats HTML
End-of-contract data extraction As a CPaaS provider, Nexmo doesn't store application data; Nexmo's communication services are integrated with client-hosted data. Details provided for the customer account are accessible from the Nexmo dashboard and can be accessed at any time.
End-of-contract process When the contract ends, if you continue to use our services you will transition onto our standard list pricing and standard terms. You will likely agree a new contract prior to the end of your existing contract. If you move to another supplier and wish to port your numbers then there may well be a small admin fee for such a migration. We cannot advise what this will be in advance, as many of the costs incurred are only known at the time of porting and may depend on the number supplier as well.

Using the service

Web browser interface Yes
Supported browsers
  • Internet Explorer 10+
  • Firefox
  • Chrome
  • Safari 9+
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service We send verification codes via an SMS or a Voice phone call to a Mobile phone or landline. These codes are commonly used with desktop apps.
Accessibility standards None or don’t know
Description of accessibility None
Accessibility testing None
What users can and can't do using the API Nexmo's Verify API is only available through an API.

Users can manage the complete service, from provisioning and account management through to delivery and reporting, all via real-time APIs.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available No


Independence of resources We always have spare capacity in each of our locations and the ability to temporarily shift traffic to other locations to guarantee we don't overload one (or more) of them.


Service usage metrics Yes
Metrics types Inbound & Outbound message delivery
Delivery Status (Submitted, Delivered, Rejected, Expired)
Per Day/Week/Month/Year
Search by message/recipient, rejected messages
Quality (Success Ratio %, DLR Ratio %), by Country, by Network
2FA Conversion data (% Conversion, by Country, by Network)
Number Verification Success
Reporting types
  • API access
  • Real-time dashboards
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security clearance Staff screening not performed
Government security clearance Up to Developed Vetting (DV)

Asset protection

Knowledge of data storage and processing locations Yes
Data storage and processing locations EU-US Privacy Shield agreement locations
User control over data storage and processing locations No
Datacentre security standards Managed by a third party
Penetration testing frequency At least every 6 months
Penetration testing approach In-house
Protecting data at rest Scale, obfuscating techniques, or data storage sharding
Data sanitisation process No
Equipment disposal approach A third-party destruction service

Data importing and exporting

Data export approach Nexmo as a CPaaS provider of communications services does not store client data.
Users can extract usage reports via the Nexmo Dashboard at Reporting Analytics data can be viewed within the browser and also downloaded in Excel (.xlsx) format.
Data export formats Other
Other data export formats
  • Microsoft Excel Open XML format (.xlsx)
Data import formats Other
Other data import formats HTTP REST API

Data-in-transit protection

Data protection between buyer and supplier networks TLS (version 1.2 or above)
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Guaranteed availability Nexmo commits to using commercially reasonable efforts to ensure that the proprietary platform provided by Nexmo in connection with its Services will be Available 99.97% of the Available Time within a given calendar month.

Should the Nexmo Platform be unavailable for less than 99.97% of one Calendar Month then the refund, in the form of service credits, is as follows:

Availability between 99.95% and 99.97% would result in a refund of 5% of Monthly spend.

Availability below 99.95% would result in a refund of 10% of Monthly spend.
Approach to resilience Nexmo's platform resides in IBM's Softlayer Cloud and has failover, DR and load-balancing attributes configured over the resilient infrastructures across our global datacentres. Nexmo fails over to a secondary environment within each datacentre and also across regions, providing true global redundancy.
Outage reporting Public dashboard

Subscription to alerts via email, SMS, Twitter, API (Webhook), RSS feed

Identity and authentication

User authentication needed Yes
User authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password
Access restrictions in management interfaces and support channels Management is done via SSH and authentication is performed by LDAP.
Access restriction testing frequency Never
Management access authentication
  • 2-factor authentication
  • Public key authentication (including by TLS client certificate)
  • Username or password

Audit information for users

Access to user activity audit information Users contact the support team to get audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information Users contact the support team to get audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Less than 1 month

Standards and certifications

ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification Yes
Who accredited the PCI DSS certification Securitymetrics
PCI DSS accreditation date 08/05/2016
What the PCI DSS doesn’t cover Nexmo is PCI Merchant compliant. Customers are responsible for PCI compliance of applications built using Nexmo's APIs.
Other security accreditations No

Security governance

Named board-level person responsible for service security Yes
Security governance accreditation No
Security governance approach Nexmo ensures that we design our infrastructure and software with security in mind. We select datacenter providers with security compliance certification, and continuously review our system for vulnerabilities in-house and through 3rd parties.
Information security policies and processes Nexmo takes data security very seriously. Nexmo’s servers are hosted by IBM Softlayer and AWS in data centres in Europe, the United States and SE Asia. Softlayer provides us with hardware, network connectivity and secure physical space relating to our customer data. Softlayer is compliant with ISO 27001, SOC 2 and other standards (see, and security information about their data centers can be found at

Operational security

Configuration and change management standard Supplier-defined controls
Configuration and change management approach Everything is done via central configuration management (Puppet). Each change is reviewed and approved.
Vulnerability management type Supplier-defined controls
Vulnerability management approach Nexmo has a Vulnerability Management Process in place that covers patch management, vulnerability scanning and monitoring, security assessments/penetration testing and the bug bounty programme.
The goal of the vulnerability management process is to ensure reported vulnerabilities are addressed according to industry best practices and expectations: that updates made to the applications or systems provide adequate protection and that vulnerabilities are fixed within a reasonable time.
Vulnerabilities are validated, assessed and classified according to risk and impact. Depending on severity, response times can be Immediate (with a target Short Term Solution in 2 days) or longer.
Protective monitoring type Supplier-defined controls
Protective monitoring approach Security monitoring capabilities ensure both the physical and IT security of the Nexmo environment. Physical security is monitored by personnel in 2 reception areas, whilst our data centre providers provide their own access controls under the governance of the many standards under which they operate. Nexmo’s team monitors for attacks, with frequent scheduled checks. Services have attack detection logic implemented to detect malicious actions and fraudulent behaviour. Automatic account breach monitoring and alerting is in place that looks at public services for data breaches. Alerts are sent to the security team - see incident management for response process.
Incident management type Supplier-defined controls
Incident management approach Security incidents are managed through an incident report form within the ticketing system (JIRA), which records details of the incident and tracks the onward investigation until remediation actions can be put in place. Upon issue resolution, if necessary, the security team defines any further/longer-term remediation requirements, and assigns these to the appropriate team (e.g. operations, product engineering, etc). At each stage there are defined communications covering Identification, Investigation, Remediation, and Documentation (Reporting) of security incidents. Where customers are impacted, the “critical situations” team is notified (includes senior management), and Support communicates to affected customers, providing advisory or specific remediation instructions.

Secure development

Approach to secure software development best practice Supplier-defined process

Public sector networks

Connection to public sector networks No


Price £0.087 per transaction
Discount for educational organisations No
Free trial available Yes
Description of free trial Nexmo offers free account sign-up, upon completion of which the account will receive €2 free credit for the purposes of trialling our CPaaS solution.
Link to free trial


Pricing document View uploaded document
Service definition document View uploaded document
Terms and conditions document View uploaded document