Verification Best Practices

Verification is an essential first step in your online relationship with a user. By verifying that a new registree on your website has the device, they claim in his or her possession (and the provided phone number or email is accurate) you reduce spam and fraud while signaling your concern for the user's security.

We've come up with some best practices and practical guidelines that can assist you while implementing user verification. These best practices are also built into our Verify quickstart - we suggest running through it to see some implementation details.

Plan a User Registration Flow

User verification is an important first step when signing up a user, but should be considered holistically in your application's registration and usage flow. Checking that a phone number or email is legitimate, associated with a device, and in possession of a new registrant will cut down on spam sign-ups before you even grant a new user an account.

Registration

Use Verify to determine if the user has control of the device or identity (phone number/email) they claim currently in possession.

If the user is using your mobile application, register the device as a factor to be used for Verify Push.

Ongoing Verification

For SMS, voice, or email authentication - use the Verify API to send a one-time password (OTP) to the pre-registered device.

For push authentication - use the Verify API to issue a new Challenge to the registered Factor.

For TOTP or Authy app push - use the Authy API to initiate an authentication.