Preventing Spam & Fraud with SMS Phone Verification

Check out our updated Phone verification post here.

If you’ve used a service like Google Calendar that sends out reminders via SMS, you may recall that when you set up your mobile device to receive alerts, the application verified that you were the owner of the device. This is done by sending you a short verification code that you then enter on the web site. Once this process is complete, the application can safely send you alerts knowing that you are the owner of that number. Other applications have used this technique to help prevent spam and fraud as well.

In a previous post we walked through how to build a simple phone verification system that called a user and prompted them to enter a code over the phone. Here’s another take on that concept: this time around we’re going to send the code via an SMS text message to their phone and have them type it into their web browser.

Basic Steps

  1. User visits verification web page and enters phone number
  2. A random verification code is generated and sent to the user’s phone number via a text message
  3. The web site prompts the user to enter the verification code
  4. The code is checked against the one stored in the database and the appropriate response is returned.

Step One: Collect user’s phone number

We start by creating an index.php page with two forms, one to collect the phone number, and one to verify the code.

Using jQuery we intercept the submission of the first form and show the second one which was initially hidden. At the same time we also copy the phone number value entered into a hidden form field to use later on.

Step Two: Generate code, store it and send it to the user

When the first form is submitted we make a POST request to sms.php which contains our code for generating the random code, saving the code and phone number to our database and sending the text message to the user. We’re using the Twilio PHP Helper Library again to make it even easier to send the text message.

Steps Three and Four: Collect and validate user-entered code

Now that the user has been sent the text message with the verification code, they can enter it in the second form we created above. That form is sent to status.php, which checks the database for a match and lets the user know if the verification succeeded or failed.
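
The generate, store and check logic from steps two to four, as an added example that is not the original post's code or the Twilio helper library's API. It assumes PHP 8 with the pdo_sqlite extension; the table layout, function names, expiry and attempt limits, the $send callable standing in for the SMS API call, and the sample phone number are all constructed for illustration.

```php
<?php
declare(strict_types=1);

const CODE_TTL = 600;     // seconds a code stays valid (assumed policy)
const MAX_ATTEMPTS = 5;   // wrong guesses allowed per code (assumed policy)

function openStore(): PDO {
    $db = new PDO('sqlite::memory:');   // stand-in for the site's database
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE verifications (
        phone TEXT PRIMARY KEY, code_hash TEXT, expires INTEGER, attempts INTEGER)');
    return $db;
}

// Step two (sms.php): generate the code, store it, hand it to the SMS sender.
// $send is a hypothetical callable wrapping whatever SMS API call the site uses.
function startVerification(PDO $db, string $phone, callable $send, int $now): void {
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT); // CSPRNG, not rand()
    $stmt = $db->prepare('REPLACE INTO verifications VALUES (?, ?, ?, 0)');
    $stmt->execute([$phone, hash('sha256', $code), $now + CODE_TTL]);     // a new code replaces the old one
    $send($phone, "Verification code: $code");
}

// Steps three and four (status.php): check the submitted code against the stored one.
function checkCode(PDO $db, string $phone, string $submitted, int $now): bool {
    $stmt = $db->prepare('SELECT code_hash, expires, attempts FROM verifications WHERE phone = ?');
    $stmt->execute([$phone]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || $now > (int) $row['expires'] || (int) $row['attempts'] >= MAX_ATTEMPTS) {
        return false;   // unknown number, expired code, or too many guesses
    }
    if (hash_equals($row['code_hash'], hash('sha256', $submitted))) {      // constant-time compare
        $db->prepare('DELETE FROM verifications WHERE phone = ?')->execute([$phone]); // single use
        return true;
    }
    $db->prepare('UPDATE verifications SET attempts = attempts + 1 WHERE phone = ?')->execute([$phone]);
    return false;
}

// Constructed run: the "SMS" is captured in $outbox instead of being sent.
$db = openStore();
$outbox = [];
$send = function (string $to, string $body) use (&$outbox): void { $outbox[$to] = $body; };
startVerification($db, '+15555550100', $send, 1000);
$code = substr($outbox['+15555550100'], -6);
var_dump(checkCode($db, '+15555550100', 'abcdef', 1001));  // wrong guess
var_dump(checkCode($db, '+15555550100', $code, 1002));     // correct code
var_dump(checkCode($db, '+15555550100', $code, 1003));     // code already used
```

In a real deployment the phone number in status.php should come from the server-side session rather than from the hidden form field, so a client cannot verify a number other than the one the code was sent to.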

That’s it!

SMS text messages are a great way to have your web application reach out and interact with people even when they’re not sitting at their computers. With this simple verification technique you can confidently send messages to your users’ mobile devices knowing the messages are reaching their intended destination.

Download Complete Example

Twilio SMS Verification on Github

  • Elena

    The Google Calendar link is wrong.
    Cheers.

  • http://profile.typepad.com/lindsayjeff Jeff Lindsay

    I love the photo at the top.

  • Sysmith011

    MOBILE# +639192616111—SMS ONLY

    • Summersmith04

      summer smith
      my cell# +639192616111

  • http://www.facebook.com/people/James-Labbe/100000617441351 James Labbe

    njnfsnjfnjdngfrkl

  • http://thaiprepaidcard.com/ Bryan

    The Github example has the wrong file named sms.php.  Should be as listed here.

    • marina

      completely right you are! well said, What is nothing but the include file to access the DB he names it sms.php file, which is, of course not.

  • http://www.facebook.com/people/Cbs-Infosys/100000036910105 Cbs Infosys

    Too many bugs in the code posted. Finally fixed it..

  • Abhilash Raj R.S

    It's not working

    • http://www.twilio.com Twilio

      If you have issues building, email help@twilio.com and we can help walk you through it. 

  • Mike

    Hi, can you help me with this one? If I clicked the verify button, it says

    Parse error: syntax error, unexpected ‘&’ in C:xampphtdocssamplesmssms.php on line 25

    this is the code i used in sms.php

    “469-518-2319”, // Verified Outgoing Caller ID or Twilio number
    “To” => $number, // The phone number you wish to send a message to
    “Body” => “Verification code: $code”
    );
    // send text message
    $response = $client->request(“/2008-08-01/Accounts/$AccountSid/SMS/Messages”, “POST”, $data);
    ?>

    • http://www.twilio.com Twilio

      Hey Mike,

      We have an updated run through of how to build Phone Verification here: http://bit.ly/1bL4NuB The new code should work for you. Let us know if you have any other questions. We’re happy to help.

      • marina

        this example from 2012 is not by sending SMS but by making a call, It won’t work for deaf people, for people who can’t understand English well, for people who don’t have a pen to take down the code, etc. I don’t see any sense in making verification in a way that chances are that people will fail in the process.

  • umair

    can you provide me AccountSid and AuthToken value as a demo.

    • http://www.twilio.com Twilio

      Hey Umair,
      You can try out your own AccountSid and AuthToken for demos for free in a Twilio trial. http://www.twilio.com/try-twilio

      Let us know if you have any questions!

  • Ryan Bigg

    The code here is formatted incorrectly. I guess blog software upgrade.

    • http://twitter.com/philnash philnash

      Thanks for catching that Ryan, I’ve updated now. Warning though, this refers to an old version of the API and the PHP API helper too, the idea is still the same though!