20

I'm wondering how these SMS registration mechanisms work. I searched on the internet, but the problem is there are so many SMS providers which want to sell online SMS services, so I can't find anything...

Question: How does this work: set your mobile number, and they send you an SMS with an OTP. Put this password into the app.

What's behind it? Do they have an SMS gateway or something like this? How much does it cost?

Thanks

tcma13
eav

4 Answers

16

Here's a simple phone number verification service built on top of Nexmo (disclaimer, I do a little developer evangelism for Nexmo). I think it's basically what you're looking for, the goal is to verify that a number actually belongs to a user (could also be used for 2nd factor authentication).

The basic integration for a mobile app (specifically for this example code, but a common flow):

  • Send the phone number to be verified, receive a unique hash.
  • The verification system sends a unique code to the user.
  • Once the user passes that code to your application, the original hash and the code are sent to the verification system to be validated.

You can drop out the hosted portion, and just take those steps inside your application (generate a code, send via a SMS API, check the code the user enters). However, there are a few things to consider at that point:

  • The credentials of the SMS API are compiled down into your distributed application. Is that something you want to risk?
  • The code is sent via the network from the device; while SSL will stop casual observation of the code, someone who wanted to fake a registration could more than likely capture the code from the HTTP request.

Both of those issues are solved by putting the verification system outside the mobile application.

zoul
Tim Lytle
  • Does the client usually communicate directly with the verification system (e.g: Nexmo) or through another server? – lysergic-acid Jan 28 '14 at 13:36
  • 1
    @lysergic-acid Like I mention in the answer, the client *could* make the API requests directly to Nexmo, but it's better to use an intermediate server. – Tim Lytle Jan 30 '14 at 17:29
  • @TimLytle, hopefully this question is still relevant. You have described the initial authentication above. How do subsequent auth requests work? What credentials does the client need to send to the server each time, along with the message body? – crazy horse Jul 14 '14 at 18:22
  • @crazyhorse In this context you only do this once. After you've verified that the user controls the number (they prove that by receiving and providing the unique code), you persist that somewhere (their profile, for example). The process only repeats if you need to again verify they control that (or another) number. Similar to 2FA, but a different use. – Tim Lytle Jul 14 '14 at 19:25
  • @TimLytle Thank you Tim. If I understand it right, the scheme described applies ONLY to verify the user's phone number, and does not serve as a general API auth mechanism from a device. So, for subsequent API calls made from the verified phone to the server, a completely different mechanism needs to be used, e.g. generate a GUID after the phone is successfully validated and send this GUID as part of server calls. Does this sound right? – crazy horse Jul 14 '14 at 20:52
  • 1
    @crazyhorse That's correct. In most cases you already have some kind of authentication of the user in place (they provided username / password, OAuth tokens, etc). The number verification step only verifies that the user actually controls a specific phone number. – Tim Lytle Jul 15 '14 at 17:57
  • But I also need a SMS Gateway for this? – Johnny2012 Apr 30 '15 at 11:13
  • In that example, Nexmo is the gateway. Nexmo also has a new verify API (essentially making that example part of the API): https://www.nexmo.com/verify/ – Tim Lytle Apr 30 '15 at 16:15
10

I know this post is too old, but this is for people that'll visit this page in the future:

What the user "Harsh Shah" said is wrong.

You SHOULD NOT generate a random number on the device itself! This compromises the whole verification.

  1. You ask the user for a phone number and send it to the server.
  2. In response to that request, you generate a random number, save it with the user's number in their user record in the DB, and send an SMS with that random number; the RESPONSE to the request should be SENT-OK or NOT-SENT.
  3. The device gets the SMS and sends it back to the server to compare with the existing DB record.

Data exchange:

  1. phone sends('012345567') -> server responds('SENT-OK'); in the background, the server: [generates a number, sends it in an SMS, saves it in the DB for user 01234567, e.g. 123123]

[phone reads the SMS, e.g. as '123123']

  2. phone sends('01234567','123123') -> server responds('AUTH-OK'); in the background, the server: [checks the DB record for user 01234567, compares the random number generated in step 1 with the number the user sent].

If you generate the number on the user's phone, any script kiddie can hack your authentication by extracting this number from memory/storage (so easy to do) and spoofing an SMS containing it (super easy to do as well)... You might think this is a rare case, but this is a major hole in the security: you can authenticate yourself as any existing user and steal data from them if you do it the way "Harsh Shah" said...

tcma13
itai
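The server-side flow that Tim Lytle's answer (send the number, get back a unique hash, later submit hash plus code) and itai's answer (SENT-OK / AUTH-OK exchange, code generated and stored on the server, never on the device) both describe, as an added worked example. This is not Nexmo's code or any provider's API: `FakeSmsGateway`, the five-minute lifetime and the five-attempt limit are assumptions of this example, chosen to show the checks a verification endpoint needs beyond the bare comparison.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300   # assumed policy: a code is only valid for five minutes
MAX_ATTEMPTS = 5         # assumed policy: lock the request after this many wrong guesses


class FakeSmsGateway:
    """Stand-in for a real SMS gateway (Nexmo or any other provider).

    It records what would have been sent so the flow runs offline. The send()
    signature is this example's own, not any provider's API.
    """

    def __init__(self):
        self.outbox = []

    def send(self, to_number, text):
        self.outbox.append((to_number, text))
        return "SENT-OK"


@dataclass
class PendingVerification:
    phone: str
    code_hash: bytes      # only a hash of the code is kept server-side
    expires_at: float
    attempts: int = 0


class VerificationService:
    """Server half of the flow: the app never learns how the code is made."""

    def __init__(self, gateway, now=time.time):
        self.gateway = gateway
        self.now = now
        self.pending = {}      # request_id -> PendingVerification (a DB table in practice)
        self.verified = set()  # numbers that proved control (the user profile in practice)

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()

    def request_code(self, phone):
        """Step 1: phone number in, opaque request id out; the code leaves only by SMS."""
        code = f"{secrets.randbelow(10**6):06d}"    # CSPRNG, generated on the server
        request_id = secrets.token_urlsafe(16)      # the 'unique hash' handed to the app
        self.pending[request_id] = PendingVerification(
            phone=phone,
            code_hash=self._hash(code),
            expires_at=self.now() + CODE_TTL_SECONDS,
        )
        status = self.gateway.send(phone, f"Your verification code is {code}")
        return request_id, status                   # the code itself is NOT returned

    def check_code(self, request_id, submitted_code):
        """Step 3: compare what the user typed against the stored hash."""
        entry = self.pending.get(request_id)
        if entry is None:
            return "AUTH-FAIL"
        if self.now() > entry.expires_at or entry.attempts >= MAX_ATTEMPTS:
            del self.pending[request_id]            # expired or locked: start over
            return "AUTH-FAIL"
        entry.attempts += 1
        if hmac.compare_digest(entry.code_hash, self._hash(submitted_code)):
            del self.pending[request_id]            # a code is single use
            self.verified.add(entry.phone)
            return "AUTH-OK"
        return "AUTH-FAIL"


def demo():
    """Walk the two round trips with a constructed sample number."""
    gateway = FakeSmsGateway()
    service = VerificationService(gateway)
    request_id, status = service.request_code("01234567")   # constructed sample
    # Only the handset that received the SMS knows the code; read it from the outbox.
    _, sms_text = gateway.outbox[-1]
    code = sms_text.split()[-1]
    wrong = "000000" if code != "000000" else "111111"
    first = service.check_code(request_id, wrong)   # AUTH-FAIL
    second = service.check_code(request_id, code)   # AUTH-OK
    return status, first, second


if __name__ == "__main__":
    print(demo())
```

Storing a hash rather than the code means a dump of the pending table does not hand out usable codes, the opaque request id ties the submitted code to the number it was sent to, and the expiry and attempt counter keep a six-digit code from being guessed at leisure.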
4

The basic fundamentals are:

  1. Generate a random code in your app on the device. Ask the user for his mobile number.
  2. Send this code and mobile number to your application running on the server.
  3. Call the SMS gateway API to send the code as a message to the mobile number specified.

There are many SMS gateway providers. You can search on Google. Most of them also provide a tutorial for using their API in various programming languages. The cost is mostly based on per message, and generally they are to be bought in the form of a package of a number of SMSes.

androidFan
  • 1
    thanks. In addition, if somebody else reads this in future: nexmo.com is a very good provider. – eav Sep 13 '12 at 09:43
2

These articles explain how to integrate SMS verification into your Android app just like WhatsApp.

Android adding SMS Verification Like WhatsApp – Part 1

Android adding SMS Verification Like WhatsApp – Part 2


Basically, the following steps are involved in verifying a mobile number:

  1. First, the user's mobile number will be sent to our server, where a new user row will be created.

  2. Our server requests the SMS gateway to send an SMS to the mobile number with a verification code.

  3. The SMS gateway sends an SMS to the user's device with the verification code.

  4. The verification code will be sent back to our server again for verification. Our server verifies it and activates the user.

Minion