Best practices for implementing Silent Network Authentication in production

Time to read: 4 minutes

October 11, 2022
Written by
Kelley Robinson
Twilion

Best practices for implementing Silent Network Authentication in production

Silent Network Authentication (SNA) allows your business to seamlessly and securely verify users behind the scenes without any user input. This is an excellent solution for reducing friction while maintaining a strong level of security in your verification or authentication flows. Learn more about how SNA works behind the scenes here.

This blog post will dive into how to handle implementation details, manage edge cases, and scale the solution globally.

Prerequisites for building with SNA

Before you can start scaling, you need to do the following:

  1. Complete the carrier registration form to start the 2-4 week approval process.
  2. Create a Verification Service in the Twilio Console
  3. Start a new verification with SNA

After you complete those three steps, the rest of this document will help you manage situations outside the common happy path.

Twilio's SDKs for iOS and Android will help manage several of the edge cases described in this document.

Force mobile data for SNA inside your mobile app

Because SNA relies on cellular network authentication, invoking the sna.url must be done on mobile data, not WiFi. The API will throw Error 60531 if you try to request the sna.url on WiFi. You can force this in your mobile app.

For iOS, use the iOS library* to force mobile data for the request. The library also provides custom errors, network validations, and multi-threading support. If necessary, you can also reference this Objective C function code on GitHub (here's an example of calling that code from Swift).

For Android use the Android library* or reference the following sample code using requestNetwork to force mobile data for the request:

// or use the SDK: https://github.com/twilio/twilio-verify-sna-android

@TargetApi(Build.VERSION_CODES.LOLLIPOP)
public static void doAPIonCellularNetwork(Context context, final String url) {
       
       ConnectivityManager connectivityManager = (ConnectivityManager) context.getSystemService(CONNECTIVITY_SERVICE);
       
       NetworkRequest request = new NetworkRequest.Builder()
               .addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR)
               .addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET).build();

       connectivityManager.requestNetwork(request, new ConnectivityManager.NetworkCallback() {

           @Override
           public void onAvailable(final Network network) {
         OkHttpClient okHttpClient = new OkHttpClient.Builder().socketFactory(network.getSocketFactory()).build();
         Request request = new Request.Builder()
               .url(url)
               .build();
         try {
            Response response = okHttpClient.newCall(request).execute();
            Log.i("", "doAPIonCellularNetwork RESULT:\n" + response.body().string());
         } catch (Exception ex) {            
                ex.printStackTrace();
         }
           }
       });
   }

*reach out to request access, open source access expected in 2023.

Follow redirects

When you invoke the sna.url, the documentation tells you to follow all redirects. The reason for this is that each carrier has slightly different redirect handling, so we built our API to obfuscate the differences so you experience consistent behavior with one interface.

You can find the redirect URL in the location header of the sna.url invocation response.

In pseudo code this would look like:

while response status == 3xx:
    get redirect URL from location header
    then
    visit redirect URL

POST /VerificationCheck

Note that some carriers can have multiple redirects. You can trigger the Verification Check after the redirects are complete.

Use edge locations in certain regions

Regulators in EMEA require that all data remain within the region. Therefore, Twilio has separate API URLs for edge locations. As we expand to new regions, this list of data resident regions may grow.

Learn more about Twilio Regions in the documentation or contact us for regional implementation in India and Indonesia.

Handle dual SIM

Phones in certain countries like Brazil, India, and the Philippines often have multiple SIM card slots. There are two typical reasons why users take advantage of this. The solution for both scenarios is the same.

Scenario 1: Users rotate secondary data SIM

Users choose one mobile operator SIM for their voice calls. This phone number is associated with the user’s identity and is the number they give to friends and family. This SIM is in slot #1.

For slot #2, the user chooses the data plan with the lowest price. The user may change this data SIM often when there are new promotions. The user never knows the phone number associated with the phone number in slot #2.

The issue in this scenario is that Silent Network Auth uses the data network to authenticate the active phone number (possibly from slot #2), while the user has provided the phone number associated with their identity, which may be the phone number from the SIM in slot #1.

Scenario 2: Users rotate primary phone number SIM

Similarly to Option 1, some mobile operators offer promotions where calls to phone numbers on their network are free, so the user may maintain voice SIMs from multiple MNOs and give out the corresponding phone number to friends and family on the same network. The user knows all of the phone numbers associated with their SIMs.

The issue in this scenario is that the user could sign up with any one of their phone numbers and it is possible that it is not the one associated with the active data network.

Solution: for both scenarios, our solution is to get the service provider from the user-provided phone number and compare that against the service provider from the IP address of the data SIM. If the service providers do not match, then we confirm a dual SIM and send one of the following errors back to your application:

Deal with out of coverage and fallback to other channels

While some scenarios have fallback options to make SNA work, all have the option of falling back to other channels offered by the Verify API like WhatsApp or SMS.

These are the most likely situations where SNA may not work.

1. The user is on a desktop device

Because desktops do not use mobile data, either fallback to another channel or follow the instructions here to direct a user to a mobile device from the desktop via a QR code or by sending the user a link in an SMS.

2. The user is on Wi-Fi in a mobile browser

Ask the user to turn off Wi-Fi or fallback to another channel. You will likely see Error 60531 in this case.

3. The user's cellular network is not covered by SNA

Fallback to another channel.

SNA FAQ

For more answers about things like error handling, geographic coverage, latency and more, visit the SNA FAQ in the documentation.

Other considerations for SNA

Silent Network Auth is a great frictionless authentication solution for your application. We also recommend adding fallback options to other channels

For further reading we recommend:

If your question wasn't answered by this document, please get in touch. We can't wait to see what you build!

Related Posts

Related Resources

A newspaper article

Twilio Docs

From APIs to SDKs to sample apps

API reference documentation, SDKs, helper libraries, quickstarts, and tutorials for your language and platform.
An Open book

Resource Center

The latest ebooks, industry reports, and webinars

Learn from customer engagement experts to improve your own communication.
User group reactions

Ahoy

Twilio's developer community hub

Best practices, code samples, and inspiration to build communications and digital engagement experiences.