Verification Best Practices
Verification is an essential first step in your online relationship with a user. By verifying that a new registrant on your website has the device they claim in their possession (and that the provided phone number or email is accurate), you reduce spam and fraud while signaling your concern for the user's security.
We've come up with some best practices and practical guidelines that can assist you while implementing user verification. These best practices are also built into our Verify quickstart - we suggest running through it to see some implementation details.
Plan a User Registration Flow
User verification is an important first step when signing up a user, but it should be considered holistically as part of your application's registration and usage flow. Checking that a phone number or email is legitimate, associated with a device, and in the possession of a new registrant will cut down on spam sign-ups before you even grant a new user an account.
Registration
Use Verify to determine whether the user has control of the device or identity (phone number/email) they claim to currently possess.
If the user is using your mobile application, register the device as a factor to be used for Verify Push.
Ongoing Verification
For SMS, voice, or email authentication - use the Verify API to send a one-time password (OTP) to the pre-registered device.
For push authentication - use the Verify API to issue a new Challenge to the registered Factor.
For TOTP or Authy app push - use the Authy API to initiate an authentication.
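The two phases above, sketched as an added example that is not Twilio's code and does not call the Verify API: `LocalOtpVerifier` is a constructed in-memory stand-in for the verification service, and `Registration`, its method names, and the phone number used with it are assumptions. It shows the account being created only after a code check succeeds, and later challenges going only to the number stored at registration.

```python
import hmac, secrets, time
class LocalOtpVerifier:
    """Constructed in-memory stand-in for a hosted verification service."""
    def __init__(self, ttl=600, max_attempts=5):
        self.ttl, self.max_attempts = ttl, max_attempts
        self.pending = {}  # address -> [code, expires_at, attempts_left]
        self.outbox = []   # (address, code) pairs "delivered" to the device

    def send(self, to):
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[to] = [code, time.time() + self.ttl, self.max_attempts]
        self.outbox.append((to, code))

    def check(self, to, code):
        entry = self.pending.get(to)
        if entry is None or time.time() > entry[1] or entry[2] <= 0:
            self.pending.pop(to, None)  # expired or locked out: need a new send
            return False
        entry[2] -= 1
        if hmac.compare_digest(entry[0].encode(), code.encode()):
            del self.pending[to]        # one-time: the code cannot be replayed
            return True
        return False

class Registration:
    def __init__(self, verifier):
        self.verifier = verifier
        self.accounts = {}  # username -> phone number verified at signup

    def start_signup(self, phone):
        self.verifier.send(phone)

    def finish_signup(self, username, phone, code):
        # No account exists until possession of the phone has been proven.
        if username in self.accounts or not self.verifier.check(phone, code):
            return False
        self.accounts[username] = phone
        return True

    def start_login_challenge(self, username):
        # Ongoing checks go to the pre-registered number, never a request-supplied one.
        phone = self.accounts.get(username)
        if phone is not None:
            self.verifier.send(phone)
        return phone is not None

    def finish_login_challenge(self, username, code):
        phone = self.accounts.get(username)
        return phone is not None and self.verifier.check(phone, code)
```

In a real deployment the `send` and `check` calls would be replaced by requests to the verification service, while the gating logic in `Registration` stays the same.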