Phone Verification: Because Email Verification is No Longer Enough

Phone verification is the most secure and simple way to verify a user's identity and protect your app or service from data loss, fraud, and malicious attacks.


In May of 2017, the United States Federal Communications Commission (FCC) asked for public comments on the controversial net neutrality rules. By late August, when the window for commenting closed, they received a record-breaking 21 million records! Further analysis, however, showed that more than a third of submissions came from fake email domains, nearly 10 million were duplicates, and only 1.5 million were truly unique.

Clearly, people were spamming the system, using fake emails and addresses to fill up the system with useless data. The irony? The FCC is the government agency that regulates the phone networks. They could’ve asked for and verified the ownership of phone numbers which would have led to dramatically reduced levels of fraudulent records.

Google, Facebook, and Twitter have suffered similar problems, and have found that phone number verification has been effective at reducing unwanted accounts. When signing up for these social media platforms, users are asked for a phone number. It’s not because the social networks want to call you; it’s simply because phone verification provides better protection from spammers than email verification does. Again, the solution is simple: send a code to the user’s phone and ask for it at signup, thereby verifying ownership of the number.

As the FCC example demonstrates, not validating who is interacting with your website can lead to inaccurate data, fraudulent activity, and all sorts of other problems. Application developers have long relied upon email registration during the sign-up phase as a way to verify that a new user account is valid. And while email is an important method of user communication, and therefore you need to verify you have the correct email address, it’s a very poor indicator that the person is who they say they are, or even if the account is being opened by a person at all.

Think about it: How many email addresses do you have? How easy is it to get a new one? Many people choose email addresses that include their names, but anyone could create a similar email address. In fact, anyone could use your personal information when signing up for a new email account.

In comparison, how many phone numbers do you have? How much effort did it take you to get that number? Wireless companies go to great lengths to ensure your details are correct before signing you up for a contract.

When it comes to protecting businesses and end-users from fraudulent attacks, verifying with a phone number is a significantly better way to know that users are who they say they are. I’m surprised the FCC overlooked this fact.

Email or phone verification: what’s the difference?

Email verification checks the validity of an email address by sending an email that includes a link back to the website you are using. If you get the email and can click on the link, the application has confidence in associating that email with you.

Phone verification is similar. A simple code is sent via an SMS (or phone call) to the user, asking the user to re-type the code back into the application. If this process succeeds, there is high confidence the user has access to that phone number.
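The send-and-retype flow described above, sketched as an added example (not code from this article or from any vendor's API). The function names, the 6-digit length, the 5-minute lifetime, the 3-guess limit and the phone number in the test are assumptions chosen for illustration; delivery of the SMS itself is left to the caller.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6      # assumed code length
TTL_SECONDS = 300    # assumed lifetime of an issued code
MAX_ATTEMPTS = 3     # assumed number of guesses allowed per code

_pending = {}        # phone -> salt, digest, expiry and attempt counter


def _digest(salt, code):
    # Keyed hash, so the plaintext code is never stored server-side.
    return hmac.new(salt, code.encode(), hashlib.sha256).digest()


def start_verification(phone, now=None):
    """Issue a fresh code for `phone`, replacing any earlier one.

    Returns the code so the caller can pass it to an SMS or voice provider.
    """
    now = time.time() if now is None else now
    # secrets (a CSPRNG), not random: codes must not be predictable.
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    salt = secrets.token_bytes(16)
    _pending[phone] = {"salt": salt, "digest": _digest(salt, code),
                       "expires": now + TTL_SECONDS, "attempts": 0}
    return code


def check_verification(phone, submitted, now=None):
    """Return 'approved', 'denied', 'expired', 'locked' or 'unknown'."""
    now = time.time() if now is None else now
    entry = _pending.get(phone)
    if entry is None:
        return "unknown"
    if now > entry["expires"]:
        del _pending[phone]
        return "expired"
    if entry["attempts"] >= MAX_ATTEMPTS:
        return "locked"              # guess budget spent; a new code is needed
    entry["attempts"] += 1
    # Constant-time comparison avoids leaking how much of the code matched.
    if hmac.compare_digest(entry["digest"], _digest(entry["salt"], submitted)):
        del _pending[phone]          # single use: the code cannot be replayed
        return "approved"
    return "denied"
```

The sketch does not throttle `start_verification`; a deployment would also limit how often a code can be requested per number and per client.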

It’s important to verify a user has access to the email and phone numbers they give you; they are essential communication channels you will rely on. But email doesn’t say anything about the user other than they have access to it. Phone numbers, however, can be reliably used to reduce fraud and spam.

Even Google is not immune to flaws in their email verification process: a Google-friendly “white hat hacker” discovered that he could pose as a legitimate user by hijacking an inactive Gmail account. Since the account was no longer used by its original owner, the verification link was sent directly to the hacker. Not surprisingly, Google now uses phone verification in their new account registration process.

Protecting identity starts with knowing you are talking to a real human

Creating email accounts is easy. Creating fraudulent phone numbers requires extra time, effort, and expense on the part of the cybercriminal. Compared with generating fake emails, buying and swapping SIM cards into devices isn't an economic or effortless choice. Even when Voice Over IP (VOIP) numbers allow for the mass creation of phone numbers, they can easily be identified and filtered out.

When you couple the increase in complexity for users acquiring phone numbers with the fact that in 2017 there are over 7.5 billion mobile phone subscribers and around 1 billion fixed line subscribers, it makes sense for businesses to verify users on the devices they use every day.

Taking phone verification to the next level, automatically

Making the move to add phone verification to your application is straightforward — but whatever you do, don’t try and build this all by yourself. A critical piece to successful verification is ensuring the codes get to the user and are, in fact, readable. It might seem to be a simple task, but you will need to purchase regional short-codes to avoid carriers marking your traffic as spam and blocking it (as recently happened in Canada). You will also need to localize the messages for global users.

Be aware that on Google’s Android mobile devices there is the ability to auto-consume the verification messages, but it requires development against the Google APIs and integration into your own mobile apps.

To make your life easier, all of this logic and more has been pre-built into the Twilio Verify API. Every time a carrier changes the spam rules we update our API to keep the delivery rates at optimum levels. When some carrier routes fail, we automatically choose new ones. Our team of engineers continually work to ensure the API is secure, operational, and up-to-date. In fact, we're so confident in the reliability of the API that our customers only pay for completed verifications.

The API features the following built-in capabilities:

  • Fast to implement — just two API calls to /start and /check
  • Global coverage with optimized numbers per country
  • Automatically localized messages based on country code
  • Customizable code length and message content for maximum flexibility
  • SDK pre-integrated with Google’s SMS Retriever API

Highly trafficked and transactional businesses rely on phone verification

It’s not a coincidence that tech giants like Facebook and YouTube have started using phone verification in their new user sign-up processes. They know it’s the best possible protection for their business and their customers.

Transactional websites like MercadoLibre, Latin America’s leading e-commerce site, and GO-JEK, the Indonesia-based Uber rival, rely on Twilio Verify to protect buyers and sellers by initiating a phone verification event when they see suspicious or unusual transactions. Likewise, EpicNPC, a leading online community forum and marketplace platform for gamers with over 540,000 members and sellers, uses phone verification to prevent unwanted scammers from accessing their site.

Regardless of industry, you can no longer rely on email addresses alone to verify that your new customer is actually a real customer. While email communication remains a mainstay for business communications, phone verification is the most secure and simple way to verify a user's identity and protect your app or service from data loss, fraud, and malicious attacks.

Learn more in our free ebook, “Mind Your Business. Strengthen Security and Reduce Risk With Phone Verification.” Download it now.