SMS registration like in the mobile app: WhatsApp

eav · Sep 13, 2012 · Viewed 36.7k times

I'm wondering how these SMS registration mechanisms work. I searched on the internet, but the problem is that there are so many SMS providers that want to sell online SMS services, so I can't find anything...

Question: How does this work: you enter your mobile number, and they send you an SMS with an OTP. You put this password into the app.

What's behind it? Do they have an SMS gateway or something like this? How much does it cost?

Thanks

Answer

Tim Lytle · Sep 13, 2012

Here's a simple phone number verification service built on top of Nexmo (disclaimer, I do a little developer evangelism for Nexmo). I think it's basically what you're looking for; the goal is to verify that a number actually belongs to a user (could also be used for 2nd factor authentication).

The basic integration for a mobile app (specifically for this example code, but a common flow):

  • Send the phone number to be verified, receive a unique hash.
  • The verification system sends a unique code to the user.
  • Once the user passes that code to your application, the original hash and the code are sent to the verification system to be validated.

You can drop out the hosted portion, and just take those steps inside your application (generate a code, send via a SMS API, check the code the user enters). However, there are a few things to consider at that point:

  • The credentials of the SMS API are compiled down into your distributed application. Is that something you want to risk?
  • The code is sent via the network from the device; while SSL will stop casual observation of the code, someone who wanted to fake a registration could more than likely capture the code from the HTTP request.

Both of those issues are solved by putting the verification system outside the mobile application.
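
The three-step flow from the answer, kept on the server side as it recommends, as an added example that is not part of the original answer or of Nexmo's code. `send_sms` is a hypothetical callable standing in for whatever SMS API is used; the 6-digit code, 5-minute expiry and 3-attempt limit are assumed values.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 3    # wrong guesses allowed per request (assumed value)


class VerificationService:
    """Runs on the server: the app only ever holds the request id."""

    def __init__(self, send_sms, clock=time.time):
        # send_sms(number, text) is hypothetical; the SMS API credentials
        # stay behind it on the server and are never shipped in the app.
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}  # request id -> state for one verification

    @staticmethod
    def _digest(salt, code):
        return hashlib.sha256(salt + code.encode()).digest()

    def start(self, number):
        """Steps 1 and 2: return a unique id and text the code to the user."""
        request_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        self._pending[request_id] = {
            "number": number, "salt": salt,
            "digest": self._digest(salt, code),  # code is not stored in clear
            "expires": self._clock() + CODE_TTL, "attempts": MAX_ATTEMPTS,
        }
        self._send_sms(number, f"Your verification code is {code}")
        return request_id

    def check(self, request_id, code):
        """Step 3: validate id + code; return the verified number or None."""
        entry = self._pending.get(request_id)
        if entry is None:
            return None
        if self._clock() > entry["expires"]:
            del self._pending[request_id]
            return None
        entry["attempts"] -= 1
        ok = hmac.compare_digest(entry["digest"],
                                 self._digest(entry["salt"], code))
        if ok or entry["attempts"] == 0:
            del self._pending[request_id]  # single use, or locked out
        return entry["number"] if ok else None
```

Because the code is generated and checked only on the server, a client that intercepts its own HTTP traffic sees just the request id, never the code that went out by SMS.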