The following best practices are written with reference to the YCloud Verify API, focusing on describing the process of complete verification through the use of One-Time Passwords (OTP). However, many of the suggestions are applicable regardless of whether you use our service.
- Verification: A general concept that refers to the confirmation of a user's identity through various means.
- Multi-Factor Authentication (MFA): Includes Two-Factor Authentication (2FA) and similar terms, which require the user to provide two or more pieces of evidence (or factors) to gain access to a website or application. The factors that can be used for verification include account passwords, magic links, One-Time Passwords (OTP), biometrics (fingerprint, face, etc.), push authentication, etc. MFA is often used in login and payment confirmation scenarios as an additional security measure.
- One-Time Passwords (OTP): A specific method of verification that is widely considered a more secure method. It involves sending a message containing a verification code through SMS, Email, WhatsApp, or other messaging channels. The code is valid for a short period of time and can only be used once to verify a single login session or transaction.
YCloud Verify API provides a complete OTP solution that includes message sending and verification. You can easily integrate SMS, Email, Voice, and WhatsApp channels to quickly implement in-app registration, login, and MFA.
- Identity binding during registration: Verification is often an important step in establishing an online relationship with a user. By verifying a user's identity through phone numbers/email/social media accounts, invalid or fake registrations can be reduced while ensuring the user's safety.
- Passwordless login: Due to the vulnerability of traditional static passwords to attacks, more and more enterprises have switched to OTP or social media-based login verification, which provides a better login experience for users who don't have to remember complex passwords. This leads to reduced friction during login and more conversions.
- Multi-factor authentication during login: Many applications now require users to provide additional factors of verification after entering their password to add an extra layer of security.
- Account changes: Whenever a user forgets their password, the account can be recovered through some form of verification.
- Payment confirmation: Higher security is needed during payment, especially in most financial applications, where users need to undergo MFA before confirming any type of payment transaction. Additionally, if you operate in the EU, you need to comply with PSD2 by providing additional verification.
Ensure that the security verification process you add doesn't prevent users from achieving their goals, whether during registration or completing transactions.
Choosing the right verification channel and designing an efficient, secure, and cost-effective user verification process is a major challenge for international businesses.
YCloud's verification API integrates multiple channels for sending OTPs, each of which can be integrated quickly.
Each channel has its own advantages and disadvantages. Choose the appropriate verification channel based on the end user's country/region, such as using SMS as a priority verification channel in the US and Canada due to low cost and high delivery rates. In India, Indonesia, Vietnam, and other places, social media like WhatsApp or Zalo may be more suitable as a verification messaging channel, as they can improve your verification success rate and be more cost-effective.
Once the preferred verification channel is clear, consider providing backup verification channels. If you use SMS as the primary verification channel, at least ensure that voice or WhatsApp can be used as a backup when the user is unable to receive SMS.
In addition, many excellent companies design verification processes that support multiple verification channels and let users choose. For example, TikTok supports SMS verification, email verification, and social media verification.
Read more about the different verification channels in YCloud Verify API.
If your infrastructure or messaging channels are not secure enough, then your authentication will no longer be secure. Choosing YCloud as your channel provider is a wise choice, as it offers both robust security and reliable, fast delivery.
If the primary account for your application is a phone number, separate the country code and phone number input fields in the application interface, and store the phone number in standard E.164 format.
It is impossible to know what users may encounter at any given time, such as forgetting their password, losing their phone, or roaming abroad. When initiating verification, back up at least one other method of verifying the user's identity. Common combinations include:
- Password + SMS verification
- SMS verification + Voice verification
- WhatsApp verification + SMS verification
- Password + Email verification
Every user is hard-won, and supporting more verification combinations reduces friction for real users during the verification process.
When sending OTP messages via SMS, it is particularly important to use brand names or website names when registering the sender, rather than random numbers. This can give users a greater sense of security.
You can pre-register sender IDs for each country/region in YCloud.
The complexity of an OTP depends on the character set used, which can be letters, numbers, or both. Generally, an OTP should be between 4 and 10 characters long, which provides sufficient security while keeping the user experience smooth.
Whenever sending an OTP message to a user, the verification code should be highlighted in the message. Ensure that the code is on the first line of the message, and consider bolding or highlighting it when sending via WhatsApp or email.
Although the core of an OTP message is just the code itself, some users may still miss the key information. YCloud Verify provides pre-built verification message templates in multiple languages, ensuring that messages comply with local regulations and are not filtered by carriers.
If a channel failure prevents a user from correctly receiving the verification message, the user may want to initiate a "retry."
However, to prevent malicious requests or impatient users, we recommend adding a verification request interval:
- 30s interval for the first retry
- Exponentially increase the interval for subsequent retries, or cap the number of retries allowed
This will help:
- Avoid sending duplicate information to users.
- Reduce the possibility of malicious attacks.
After sending a verification message to the user, validate the code entered by the user with the pre-generated code, and follow these suggestions:
- Set the verification code's validity period to 5-10 minutes. Reject any attempt to verify the code after it has expired.
- Each verification code can only be used once. After a successful verification, add a "verified" flag to the database so the same code is not accepted again.
- Limit the number and rate of verification attempts per code to counter brute-force guessing.
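The retry-interval and code-validation rules above, combined in one in-memory OTP store as an added example (not YCloud's own code; the phone number, the 6-digit numeric format, the 10-minute TTL and the 5-attempt limit are assumed values chosen for illustration):

```python
import hmac
import secrets
import time


class OtpStore:
    """Per-recipient OTP state. In-memory for illustration; production
    deployments would use a shared store so every app instance sees it."""

    TTL = 600          # code valid for 10 minutes (assumed, within the 5-10 min guidance)
    MAX_ATTEMPTS = 5   # wrong guesses allowed before the code is invalidated (assumed)
    FIRST_RETRY = 30   # seconds before the first resend is permitted

    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so expiry/backoff can be tested deterministically
        self.entries = {}

    def request(self, phone):
        """Issue a new 6-digit code for `phone`, enforcing resend backoff
        of 30s, 60s, 120s, ... Returns (code, 0.0) or (None, seconds_to_wait)."""
        now = self.clock()
        prev = self.entries.get(phone)
        if prev and now < prev["next_send"]:
            return None, prev["next_send"] - now
        resends = prev["resends"] + 1 if prev else 0
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded numeric code
        self.entries[phone] = {
            "code": code, "expires": now + self.TTL, "attempts": 0, "verified": False,
            "resends": resends, "next_send": now + self.FIRST_RETRY * 2 ** resends,
        }
        return code, 0.0

    def verify(self, phone, submitted):
        """Check a submitted code: expired or already-used codes are rejected,
        and the code is locked once MAX_ATTEMPTS wrong guesses have been made."""
        now = self.clock()
        entry = self.entries.get(phone)
        if entry is None or entry["verified"] or now > entry["expires"]:
            return "rejected"
        if entry["attempts"] >= self.MAX_ATTEMPTS:
            return "locked"
        entry["attempts"] += 1
        # constant-time comparison so timing does not leak how many digits matched
        if hmac.compare_digest(entry["code"].encode(), submitted.encode()):
            entry["verified"] = True    # single use: mark consumed on success
            return "ok"
        return "wrong"
```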
YCloud Verify comes preloaded with the above strategies and supports customization, so you can focus on your business and leave the rest to us.
We recommend that you monitor the verification success rate in real time. If the success rate drops rapidly, or request volume suddenly increases in countries/regions you do not expect, pay close attention, as this may indicate malicious activity.
We recommend that you design some trigger alerts to remind you when certain abnormal thresholds are reached. YCloud Verify comes with built-in security warning triggers that you can easily configure on the interface to receive abnormal alerts.