I am implementing an SMS registration system for my Django project.
Like Whatsapp or Telegram messenger, users can register and log in with just a mobile number and an OTP code.
But I found a problem in my application.
When a user enters his number, my app sends him an OTP by SMS. He can't request a new OTP by SMS within 3 minutes, and a user can request a total of 10 OTPs by SMS in a day.
But if a hacker writes a bot that enters different mobile numbers, my app can't detect that.
For example, a bot that has a dictionary of 10000 mobile numbers enters these numbers one by one. My app just sends an OTP by SMS to 10000 different mobile numbers, and I will have to pay a lot of money to my SMS service provider.
How can I prevent this problem? How do messengers like Whatsapp solve this problem?
There are multiple things that you could do to prevent bot spamming. You could use a CAPTCHA like reCAPTCHA from Google, or if you don't want any visible input you could take a look at the honeypot approach (add a field hidden from normal users by CSS/JS that bots will fill in; if the input is filled, ignore the form).
Another thing you could do is add a rate limit on the register/login page; there is a Django app that provides this: https://github.com/jsocol/django-ratelimit.
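The two limits described in the question (a per-number cooldown and a per-number daily cap) are keyed on the phone number, which is exactly the thing the bot changes on every request, so they never fire. The example below is added here and is not code from the question, the answer or django-ratelimit: it layers the answer's honeypot check with rate limits keyed on the requesting client and on the whole service, in plain Python with in-memory sliding windows so it runs stand-alone (the field name `website`, the limit values and the sample phone numbers and IPs are assumptions; a real deployment would keep the same counters in Redis or the database). The two `simulate_*` functions replay the attack from the question against the limiter.

```python
import time
from collections import defaultdict, deque

# Name of the CSS-hidden honeypot field (assumed; any name a form-filling
# bot would happily populate, such as "website", works).
HONEYPOT_FIELD = "website"


def looks_like_bot(form):
    """Honeypot check: a real user never sees the hidden field, so any
    non-empty value means a script filled in every input it found."""
    return bool(str(form.get(HONEYPOT_FIELD, "")).strip())


class OtpSendLimiter:
    """Decides whether an OTP SMS may be sent for a (phone, client_ip) pair.

    Two layers beyond the per-number limits, keyed on things the attacker
    does not get to choose freely per request:
      * per-client cap on *distinct* numbers per hour (stops dictionary walks)
      * global hourly budget (bounds the SMS bill even across rotating IPs)
    State is kept in memory with sliding windows; `clock` is injectable
    so the behaviour can be tested without sleeping.
    """

    def __init__(self, cooldown=180, per_number_daily=10,
                 per_ip_distinct_hourly=5, global_hourly=1000,
                 clock=time.time):
        self.cooldown = cooldown
        self.per_number_daily = per_number_daily
        self.per_ip_distinct_hourly = per_ip_distinct_hourly
        self.global_hourly = global_hourly
        self.clock = clock
        self._by_number = defaultdict(deque)  # phone -> send timestamps
        self._by_ip = defaultdict(deque)      # ip -> (timestamp, phone)
        self._global = deque()                # timestamps of every send

    @staticmethod
    def _prune(dq, cutoff, key=lambda entry: entry):
        """Drop entries older than the window from the left of a deque."""
        while dq and key(dq[0]) < cutoff:
            dq.popleft()

    def try_send(self, phone, client_ip):
        """Return "ok" and record the send, or the name of the limit hit."""
        now = self.clock()

        sends = self._by_number[phone]
        self._prune(sends, now - 86400)
        if sends and now - sends[-1] < self.cooldown:
            return "cooldown"
        if len(sends) >= self.per_number_daily:
            return "number_daily_cap"

        ip_log = self._by_ip[client_ip]
        self._prune(ip_log, now - 3600, key=lambda entry: entry[0])
        distinct = {p for _, p in ip_log}
        if phone not in distinct and len(distinct) >= self.per_ip_distinct_hourly:
            return "ip_cap"

        self._prune(self._global, now - 3600)
        if len(self._global) >= self.global_hourly:
            return "global_budget"

        sends.append(now)
        ip_log.append((now, phone))
        self._global.append(now)
        return "ok"


def simulate_dictionary_attack(limiter, n_numbers, client_ip="203.0.113.7"):
    """Constructed scenario: one bot IP asks for OTPs for n different numbers.
    Returns a count of outcomes per limit name."""
    outcomes = defaultdict(int)
    for i in range(n_numbers):
        outcomes[limiter.try_send(f"+1555000{i:04d}", client_ip)] += 1
    return dict(outcomes)


def simulate_rotating_ips(limiter, n_requests):
    """Constructed scenario: the bot also rotates source IPs (one per
    request), so only the global budget can stop it."""
    outcomes = defaultdict(int)
    for i in range(n_requests):
        outcomes[limiter.try_send(f"+1555100{i:04d}", f"198.51.100.{i % 250}")] += 1
    return dict(outcomes)


if __name__ == "__main__":
    print(simulate_dictionary_attack(OtpSendLimiter(), 50))
    print(simulate_rotating_ips(OtpSendLimiter(global_hourly=20), 50))
```

The order of the checks matters: the cheap per-number checks run first so a legitimate user hitting the cooldown gets a precise error, and nothing is recorded unless the SMS is actually going to be sent, so a rejected request does not consume the caller's own quota. The global budget is the only layer that survives an attacker with many IPs, which is why the bill must be bounded there, not just per client.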
I'm planning to create an app and I do not want multi-accounts. Is SMS verification the best way? I've thought about email verification, but for me it does not make sense since I can create fake emails and then sign up with them. That's why I ended up thinking SMS verification could do the "trick". I know avoiding multi-accounts is hard, but I can avoid it with SMS because a phone number is unique.
I've been reading about Firebase Phone Auth, but I'm seeing I can only verify 10k users per month (free). For now that is OK, but when growing it will be a problem. Is there any other API to use for OTP?
Edit
Is it safe to create my own service? Let's say this would be the flow.
User enters the phone number on the Android phone
Android sends that phone number to the server
Server uses an API to send the SMS
Server then knows whether the SMS was sent or not, so it will store the code
Android receives the SMS (without permissions in the manifest), which is then sent to the backend to do the verification
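The server-side half of that flow (steps 3 to 5), as an added example that is not part of the question and not Firebase's or any vendor's code: generate a code to hand to the SMS API, keep only a keyed hash of it, and verify what the client sends back with an expiry, a single use, and a cap on wrong guesses. The key, the 5-minute window, the 5-attempt limit and the sample phone numbers are assumptions; the SMS send itself is left to whatever gateway the server uses.

```python
import hashlib
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300   # assumed validity window
MAX_ATTEMPTS = 5        # assumed: wrong guesses allowed before the code is voided


class OtpStore:
    """Server-side state for phone verification.

    Only an HMAC of the code is stored, so a leaked table does not reveal
    live codes; the tag also covers the phone number, so a code issued for
    one number cannot be replayed against another. `secret` is a server-side
    key (assumed to come from configuration); `clock` is injectable for tests.
    """

    def __init__(self, secret, clock=time.time):
        self._secret = secret
        self._clock = clock
        self._pending = {}  # phone -> {"tag", "expires", "attempts"}

    def _tag(self, phone, code):
        msg = f"{phone}\x00{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def issue(self, phone):
        """Generate a fresh code for `phone`. The returned string goes to the
        SMS gateway and nowhere else; if that send fails, call cancel() so
        no dangling record remains."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[phone] = {
            "tag": self._tag(phone, code),
            "expires": self._clock() + OTP_TTL_SECONDS,
            "attempts": 0,
        }
        return code

    def cancel(self, phone):
        """Forget any pending code for `phone` (failed send, or consumed)."""
        self._pending.pop(phone, None)

    def verify(self, phone, code):
        """True exactly once for the right code within its window. A wrong
        guess counts against MAX_ATTEMPTS; exhausting them voids the code so
        a brute force over the 10**6 space cannot succeed."""
        rec = self._pending.get(phone)
        if rec is None:
            return False
        if self._clock() > rec["expires"]:
            self.cancel(phone)
            return False
        rec["attempts"] += 1
        if rec["attempts"] > MAX_ATTEMPTS:
            self.cancel(phone)
            return False
        ok = hmac.compare_digest(self._tag(phone, str(code)), rec["tag"])
        if ok:
            self.cancel(phone)   # single use
        return ok


if __name__ == "__main__":
    store = OtpStore(secret=secrets.token_bytes(32))
    sent_code = store.issue("+15551234567")       # would be passed to the SMS API
    print("verify wrong:", store.verify("+15551234567", "000000" if sent_code != "000000" else "111111"))
    print("verify right:", store.verify("+15551234567", sent_code))
```

Two points a practitioner would check here: `secrets` rather than `random` for the code, and `hmac.compare_digest` rather than `==` for the comparison, so neither the generator nor the check leaks anything useful. The attempt counter is the part that makes a 6-digit code acceptable at all; without it the 300-second window is plenty for an online guess of all million values.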
I am developing an app wherein users use either email or phone to register.
Users can enter their email or phone to log in; I want the same OTP to be sent to mobile and email simultaneously. Please help!
If you want to work only with Firebase Authentication, then there is no suitable solution that meets your requirement.
Some limitations you can find with Firebase are the Firebase Authentication limits and the phone number sign-in limits.
However, the alternative solution is using a third-party SMS gateway, through which you can send the OTP to the phone number as well as to the email simultaneously.
Let's assume you already have a mechanism to generate the OTP and verify the OTP from the Android app.
Now the problem is how to send the OTP to the user's email.
One solution is using the Mailgun service to send email from your backend.
Also, if you want to template your email, you can use the library called Handlebars.
I am a little bit confused
I am working on an Android application, where the user has to create an account by entering his phone number.
We want to validate the phone number by sending an SMS to the number with a unique hash, which must then be sent back to the server by the client to verify the number.
So far, straight forward...
But now we have some concerns about bots sending us registration requests with random phone numbers that our server will then try to validate by sending them SMS.
As sending SMS from the server costs money, that is an easy way to ruin us...
I hope we are missing something? Is there a way around this?
How do Whatsapp/Snapchat prevent this?
EDIT: We do NOT want to use CAPTCHAs to verify humans. Snapchat/Whatsapp do not use them either.
I am making a messaging application and we need to verify the user's mobile number by sending a short code through SMS from the user's mobile (the user will be charged for the outgoing SMS).
We are able to send the SMS and even able to verify it, but the message goes out under the user's name, so how do we change this user's name to a custom name, as is done in Whatsapp or other applications?
DW-Whatsapp
AM-Telegram
Please advise.
I am using a free server on parse.com for my database.
I need to verify the user's phone number without spending any money, because I don't want to buy an SMS gateway or a mobile number verification via a missed-call service.
Any idea?
How is sending verification codes to a user's email address going to verify their phone number? The only way to verify that a user owns the phone number that they're giving is to actually call or text it and have the user respond (usually by entering a one time passcode that's in the text message or spoken in the phone call).
Parse already supports e-mail verification, so if you want to do that then you can check it out here: http://blog.parse.com/2012/04/03/introducing-app-email-settings/
Some - but not all - mobile networks let you send SMS messages via e-mail address, but support for this is rather variable. For near-certain delivery and the best user experience you'll need to use a service that lets you send SMS messages through an API, such as Twilio.