Best Practices

The following best practices are written with reference to the YCloud Verify API, focusing on describing the process of complete verification through the use of One-Time Passwords (OTP). However, many of the suggestions are applicable regardless of whether you use our service.

Verification, MFA and OTP

Verification: A general concept that refers to the confirmation of a user's identity through various means.
Multi-Factor Authentication (MFA): Includes Two-Factor Authentication (2FA) and similar terms, which require the user to provide two or more pieces of evidence (or factors) to gain access to a website or application. The factors that can be used for verification include account passwords, magic links, One-Time Passwords (OTP), biometrics (fingerprint, face, etc.), push authentication, etc. MFA is often used in login and payment confirmation scenarios as an additional security measure.
One-Time Passwords (OTP): A specific method of verification that is widely considered a more secure method. It involves sending a message containing a verification code through SMS, Email, WhatsApp, or other messaging channels. The code is valid for a short period of time and can only be used once to verify a single login session or transaction.

YCloud Verify API provides a complete OTP solution that includes message sending and verification. You can easily integrate SMS, Email, Voice, and WhatsApp channels to quickly implement in-app registration, login, and MFA.

Common Verification Cases:

Identity binding during registration: Verification is often an important step in establishing an online relationship with a user. By verifying a user's identity through phone numbers/email/social media accounts, invalid or fake registrations can be reduced while ensuring the user's safety.
Passwordless login: Due to the vulnerability of traditional static passwords to attacks, more and more enterprises have switched to OTP or social media-based login verification, which provides a better login experience for users who don't have to remember complex passwords. This leads to reduced friction during login and more conversions.
Multi-factor authentication during login: Many applications now require users to provide additional factors of verification after entering their password to add an extra layer of security.
Account changes: Whenever a user forgets their password, the account can be recovered through some form of verification.
Payment confirmation: Higher security is needed during payment, especially in most financial applications, where users need to undergo MFA before confirming any type of payment transaction. Additionally, if you operate in the EU, you need to comply with PSD2 by providing additional verification.

Balance security and user experience:

Ensure that the security verification process you add doesn't prevent users from achieving their goals, whether during registration or completing transactions.
Choosing the right verification channel and designing an efficient, secure, and cost-effective user verification process is a major challenge for international businesses.

Choose the right verification channel:

YCloud's verification API integrates multiple channels for sending OTPs, which can be quickly integrated:

SMS
Whatsapp
Voice
Email
Each channel has its own advantages and disadvantages. Choose the appropriate verification channel based on the end user's country/region, such as using SMS as a priority verification channel in the US and Canada due to low cost and high delivery rates. In India, Indonesia, Vietnam, and other places, social media like WhatsApp or Zalo may be more suitable as a verification messaging channel, as they can improve your verification success rate and be more cost-effective.

Once the preferred verification channel is clear, consider providing backup verification channels. If you use SMS as the primary verification channel, at least ensure that voice or WhatsApp can be used as a backup when the user is unable to receive SMS.

In addition, many excellent companies design verification processes that support multiple verification channels and let users choose. For example, TikTok supports SMS verification, email verification, and social media verification.

📘
Read more about the different verification channels in YCloud Verify API.

Choose a Reliable Service Provider

If your infrastructure or messaging channels are not secure enough, then your authentication will no longer be secure. Choosing YCloud as your channel provider is a wise choice, as it offers both robust security and reliable, fast delivery.

Input and Store Phone Numbers in E.164 Format

If the primary account for your application is a phone number, separate the country code and phone number input fields in the application interface, and store the phone number in standard E.164 format.

📘
How to build international phone number inputs in HTML and JavaScript

Add Additional Verification Options

It is impossible to know what users may encounter at any given time, such as forgetting their password, losing their phone, or roaming abroad. When initiating verification, back up at least one other method of verifying the user's identity. Common combinations include:

Password + SMS verification
SMS verification + Voice verification
Whatsapp verification + SMS verification
Password + Email verification

However, every user is hard-won, and supporting more verification combinations can reduce friction for real users during the verification process.

Use Brand Names for Messaging Channels

When sending OTP messages via SMS, it is particularly important to use brand names or website names when registering the sender, rather than random numbers. This can give users a greater sense of security.

📘
You can pre-register sender IDs for each country/region in YCloud

Use an Appropriate Length for the Verification Code

The complexity of OTP depends on the strings used, which can be letters, numbers, or both. Generally, OTP should be between 4 and 10 digits long, providing sufficient security while ensuring a smooth user experience.

The Verification Code is the Focus of the Message Content

Whenever sending an OTP message to a user, the verification code should be highlighted in the message. Ensure that the code is in the first line of the message, and consider bolding or highlighting it if sending the message via Whatsapp or email.

Use Language that Local Users Can Understand

Although the core of an OTP message is a string of characters, some users still may not understand the key points. YCloud Verify provides pre-built verification message templates in multiple languages, ensuring that messages are compliant with local regulations and won't be filtered by carriers.

Provide Logic for Retrying Verification Codes

If a channel failure prevents a user from correctly receiving the verification message, the user may want to initiate a "retry."

However, to prevent malicious requests or impatient users, we recommend adding a verification request interval:

30s interval for the first retry
Exponentially increase the time interval for subsequent retries or set the retry frequency

This will help:

Avoid sending duplicate information to users.
Reduce the possibility of malicious attacks.

Code Verification

After sending a verification message to the user, validate the code entered by the user with the pre-generated code, and follow these suggestions:

Set the validation code's validity period to 5-10 minutes. It is not allowed to verify it again after the validity period has expired.
Each verification code can only be used once. After verification, add a "verified" flag to the database.
Limit the frequency of verification code verification to counteract brute force attacks.
YCloud Verify comes preloaded with the above strategies and supports customization, so you can focus on your business, leave the rest to us.

Monitor the Success Rate of Verification

We recommend that you monitor the success rate of verification in real-time. If you find that the success rate of verification is rapidly declining or suddenly increasing in certain unexpected countries/regions, you should pay close attention to it, as it may come from some malicious attackers.

We recommend that you design some trigger alerts to remind you when certain abnormal thresholds are reached. YCloud Verify comes with built-in security warning triggers that you can easily configure on the interface to receive abnormal alerts.