Services (such as Twilio, Plivo, Nexmo) to verify phone numbers in Rails app

I'd like to verify phone numbers of user accounts in my Rails 4 app (by simply sending them a four digit pin number which they'll need to enter back into the app) - which services are available and which ones are the least hassle to implement into a Rails app?

I'd like to verify both mobile and landline numbers internationally, though my main areas will be Europe, the US & Canada, Australia and New Zealand (I am based in the UK).

A4J asked Mar 04 '15 18:03

1 Answer

Your title lists three main SMS APIs, so for services available you already have a good understanding. But there are also APIs that focus exclusively on 2FA / Verification. Here is a list of some; it's worth noting that it tends to be focused on the user side of the equation (things like Google Authenticator).

Since you ask about ease of integration, a 2FA API (instead of an SMS API) may be far easier (you don't need to be concerned about generating a truly random OTP, or using voice fallback if the user does not respond to SMS, etc).

Nexmo (Disclaimer: I work there.) actually offers both SMS / Voice APIs, and a Verify API built on top of those lower level APIs.

With our Verify API (it's going to be similar regardless of the 2FA API) you'd make a call to https://api.nexmo.com/verify/json and pass along number and brand (to identify your app) parameters. The response will contain a request_id, and once the user provides your app with the code, you'll pass both the request_id and code to https://api.nexmo.com/verify/check/json.

So it's 2 simple API calls, and in the interim you associate the request_id with the user's session. Here's a quickstart on that process.

With Nexmo specifically, if enough time passes without the second API call, the code is sent again, this time with a voice call (or, if the number is a fixed line, just starts with voice).

With our SMS API (again, it will be similar regardless of the API), first you'll generate a code. That may sound deceptively simple, but if security is a concern you'll need to ensure that the generation is truly random.

Then you'll store the code and send an SMS. With Nexmo, that'd be a call to https://rest.nexmo.com/sms/json with the text of your message, the to and the from*. There's also a security concern there because you're storing the code on the same server that is validating it. If that's compromised, the verification flow is as well.

Finally, you'll compare the user provided code to the code you stored.

So the least hassle really depends on you. Is it easier to make two API calls and avoid secure code generation / storage (and potentially get voice fallback for free)? Or DIY the code generation and reduce your integration to a single call to an SMS API?

Tim Lytle answered Oct 23 '22 05:10
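
The DIY SMS flow described in the answer above (generate a code, store it, compare it), as an added example that is not part of the original answer and is not Nexmo's code. The `PinVerifier` class, the five-minute lifetime, the three-attempt cap, the in-memory hash standing in for a database, and storing an HMAC digest instead of the PIN itself are all assumptions made for this sketch; sending the SMS is left to whichever API you choose.

```ruby
require "securerandom"
require "openssl"

# Hypothetical helper: names, limits and the in-memory store are assumptions.
class PinVerifier
  TTL_SECONDS  = 300 # assumed PIN lifetime
  MAX_ATTEMPTS = 3   # a four-digit PIN has only 10,000 values, so cap guesses

  def initialize(hmac_key, store = {})
    @hmac_key = hmac_key # keep this key outside the database holding the digests
    @store = store       # stand-in for a DB table or cache keyed by phone number
  end

  # Returns the PIN to pass to the SMS API; only a keyed digest is stored.
  def issue(phone, now = Time.now)
    pin = format("%04d", SecureRandom.random_number(10_000)) # CSPRNG, not Kernel#rand
    @store[phone] = { digest: digest(phone, pin), expires_at: now + TTL_SECONDS, attempts: 0 }
    pin
  end

  # Returns :ok, :wrong, :expired, :locked or :unknown.
  def check(phone, submitted, now = Time.now)
    rec = @store[phone]
    return :unknown unless rec
    if now > rec[:expires_at]
      @store.delete(phone)
      return :expired
    end
    return :locked if rec[:attempts] >= MAX_ATTEMPTS
    rec[:attempts] += 1
    # Both digests are 64 hex characters, so the fixed-length compare never raises.
    if OpenSSL.fixed_length_secure_compare(rec[:digest], digest(phone, submitted.to_s))
      @store.delete(phone) # single use
      :ok
    else
      :wrong
    end
  end

  private

  def digest(phone, pin)
    OpenSSL::HMAC.hexdigest("SHA256", @hmac_key, "#{phone}:#{pin}")
  end
end
```

In a Rails app the store would be a model or cache entry, and `issue` would be followed by the call to the SMS API with the returned PIN as the message text.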