I'm planning to create an app and I do not want multi-account, is SMS verification the best way? I've thought with email verification, but for me it does not make sense since I can create fake emails and then sign up with that one. That's why I ended up thinking SMS verification could do the "trick", I know to avoid multi-account is hard, but I can avoid it with SMS because phone number is uniq.
I've been reading Firebase Phone-Auth, but I'm seeing I only can verify 10k users per month (free), from now is ok, but when growing it will be a problem, is there any other api to use OTP?
Edit
Is it safe to create my own service? Let's say this would be the flow.
User puts the phone number on Android phone
Android sends that phone number to server
Server uses an API to send SMS
Server knows then the SMS is sent or not, so it will store the code
Android receives the SMS (without permissions in manifest) then is sent to backend to do the verification
Related
I need to trigger a notification on my Android app from firebase. Unfortunately, user USER1 in a remote area does not have an active internet connection.
Now I send SMS verification from another mobile ADMINUSER for USER1 mobile number and then, as a result, can I use it to trigger the notification? If I use ADMINUSER for 100 different numbers will firebase detect and stop admin User as fake request SMS verifier?
According to this link the method you propose would have major security flaws and there is no mention of Firebase blocking the device which would be used for making multiple requests.
I am implementing an SMS registration system for my Django project.
like Whatsapp or telegram messenger, users can register and login just with mobile number. and OTP code.
But i found a problem in my application.
when user enter his number, my app send an OTP to user with SMS. he can't request new OTP with SMS in less than 3 minutes. and a user can request totally 10 OTP with SMS in a day.
but if a hacker write a bot to enter different mobile number, my app can't detect that.
for example a bot that has a dictionary of 10000 mobile numbers, enter this numbers one by one. my app just send OTP with sms to 10000 different mobile number. and I will have to pay a lot of many to my SMS service provider.
how can i prevent from this problem? how messengers like Whatsapp solve this problem?
There are multiple things that you could do to prevent bot spamming. You could use captcha like recaptcha from Google or if you don't want any visible input you could take look at the honypot approach (Add a field hidden for normal users by css/js that bots will fill, if input is filled ignore form).
Other thing you could do is at a rate limit on the register/login page, there is a Django app that provides this https://github.com/jsocol/django-ratelimit.
I am a little bit confused
I am working on an Android application, where the user has to create an account by entering his phone number.
We want to validate the phone number by sending a sms to the number with a unique hash, that must then be sent back to the server by the client to verify the number.
So far, straight forward...
But now we have some concerns about bots sending us registration requests with random phone numbers our server will then try to validate by sending them sms
As sending sms from the server costs money, that is an easy way to ruin us...
I hope we are missing something? Is there a way around this?
How do whatsapp/Snapchat prevent this?
EDIT: We do NOT want to use captchas to verify humans. Snapchat / Whatsapp do not use them either
I am using a free server of parse.com for my database
I need to verify phone number of user without spending any money, because I don't want to buy an sms gateway, or mobile no. verification by using miss call service.
Any idea?
How is sending verification codes to a user's email address going to verify their phone number? The only way to verify that a user owns the phone number that they're giving is to actually call or text it and have the user respond (usually by entering a one time passcode that's in the text message or spoken in the phone call).
Parse already supports e-mail verification, so if you want to do that then you can check it out here: http://blog.parse.com/2012/04/03/introducing-app-email-settings/
Some - but not all - mobile networks let you send SMS messages via e-mail address, but support for this is rather variable. For near-certain delivery and the best user experience you'll need to use a service that lets you send SMS messages through an API, such as Twilio.
Our Android application is a Visual VoiceMail application which communicates with IMAP server to doownload voicemail mails and play it on user handset. As an autentication method application implements sending/receiving OOB SMS from this client. For sending SMS for this application we have following queries
Will our application be allowed to host on playstore as the application is supposed to send OOB SMS whitout letting the user know about it as it is a part of standard authorization method. In reply to this SMS server will response back to this client with an SMS over specific port which will have the credentials for user and client will start working.
If above is not allowed then what are the norms with which we can implement the same behaviour. Please not we cannot ask the user every time to allow sending messages from application.
Will it be ok if we take consent from user at the time of installation that this application will send authorization/validation messages from backend.
Any other suggestion and norms which we need to take care.
The Visual VoiceMail application is limited to users of a particular operator.
This SMS will not charge any cost to the user, It will be free.
Is this possible and allowed for application to be published on Google Play. If not, please suggest a way to achieve this.
Thanks in advance.