March 18, 2020
You’ve put countless hours into the development of your application, an impressive interface and an enjoyable user experience. Now go the extra mile by offering secure transactions too. A simple username and password combination is no longer enough to keep your users safe, as fraudsters are now targeting mobile apps.
Users are enjoying music, messaging, recipes and more on their phones, so it makes sense to keep verification in the same place, on something they carry with them all the time. Authenticate transactions – for example, purchases or password changes – with a one-time password (OTP) sent via SMS.
Why phone verification? Users tend to keep the same phone number for years, and phone numbers are difficult to fake. If you are aiming your app at an international audience, an authentication API teamed with a reputable SMS gateway makes it easy to communicate with any user, anywhere, in any language. You can also set OTPs to expire within a few minutes or hours, which means fraudsters can’t reuse them later. For the user, it’s easy to copy the one-time password from the SMS into the app to authorize the interaction. Finally, SMS authentication is cost effective too – no additional hardware is required.
Each app is different, and you need to think about the touch points or data that could put your app at risk. If you were an attacker, what information would you be after, aside from obvious targets like login credentials and credit card details? For example, if your app gathers photos or sensitive health information, consider how you can put extra security controls in place to protect those assets.
Sign up: Users don’t access their account dashboard as frequently as they might on a desktop computer so you need to ‘catch’ them at sign up. Be sure to ask for a mobile number up front – explaining that this will be used for verification purposes – then verify their identity via SMS on their very first sign-up attempt.
Logging in on a new device: If a user accesses an account from a new device (a new tablet, for example) or a new IP address, ask for additional verification.
Resetting passwords: One of the most common ways for hackers to get into user accounts is through phishing emails, so it’s a good idea to verify a new password with an SMS OTP.
Certain account changes: There are certain updates a user can make that could put their information or billing at risk – for example, adding a beneficiary or upgrading to a pricier payment level. Flag these and add extra verification steps.
Payments: Whether a user adds a new credit card, activates one-click payments or even each time a payment is made (or loyalty points are used for payment), you could ask for extra verification to give them additional protection.
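The properties the post relies on – a random code that expires after a few minutes, can be used only once, is tied to the user’s phone number, and is only demanded for the risky events listed above – are easiest to see in code. The following is an added example written for this page, not code from the original post or from Clickatell: the SMS gateway is replaced by a hypothetical send_sms callback, the event names in STEP_UP_EVENTS are assumed labels for the triggers described above, and OtpService, issue and verify are names chosen for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example of a server-side SMS OTP service. It is not Clickatell's
# code; the gateway call is a hypothetical send_sms(phone, message) callback.

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # codes expire five minutes after issue
MAX_ATTEMPTS = 5             # wrong guesses before the challenge is dead

# Assumed event labels for the step-up triggers the post lists.
STEP_UP_EVENTS = {
    "signup", "password_reset", "add_beneficiary", "upgrade_plan",
    "new_card", "enable_one_click", "payment",
}


def needs_verification(event: str, known_device: bool = True) -> bool:
    """Decide whether an action should be challenged with an SMS OTP."""
    if event == "login":
        return not known_device      # only challenge logins from unknown devices
    return event in STEP_UP_EVENTS


@dataclass
class Challenge:
    phone: str
    code_hash: bytes                 # only a hash is stored, never the code
    expires_at: float
    attempts: int = 0
    used: bool = False


def _hash_code(code: str, challenge_id: str) -> bytes:
    # Bind the hash to the challenge id so equal codes don't hash alike.
    return hashlib.sha256(f"{challenge_id}:{code}".encode()).digest()


class OtpService:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms    # hypothetical SMS gateway callback
        self._clock = clock          # injectable for testing expiry
        self._challenges: dict[str, Challenge] = {}

    def issue(self, phone: str) -> str:
        """Generate a random code, store only its hash, send the code by SMS."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        challenge_id = secrets.token_urlsafe(16)
        self._challenges[challenge_id] = Challenge(
            phone=phone,
            code_hash=_hash_code(code, challenge_id),
            expires_at=self._clock() + OTP_TTL_SECONDS,
        )
        self._send_sms(
            phone, f"Your verification code is {code}. It expires in 5 minutes."
        )
        return challenge_id

    def verify(self, challenge_id: str, submitted: str) -> bool:
        """Accept the right code exactly once, inside its validity window."""
        ch = self._challenges.get(challenge_id)
        if ch is None or ch.used or self._clock() > ch.expires_at:
            return False             # unknown, replayed or expired challenge
        if ch.attempts >= MAX_ATTEMPTS:
            return False             # too many wrong guesses: challenge is dead
        ch.attempts += 1
        expected = ch.code_hash
        if not hmac.compare_digest(_hash_code(submitted, challenge_id), expected):
            return False             # constant-time comparison of the hashes
        ch.used = True               # single use: the same code cannot be replayed
        return True


if __name__ == "__main__":
    outbox = []
    svc = OtpService(lambda phone, msg: outbox.append(msg))
    if needs_verification("login", known_device=False):
        cid = svc.issue("+15555550100")          # constructed sample number
        code = outbox[-1].split("code is ")[1][:OTP_DIGITS]
        print("first attempt:", svc.verify(cid, code))   # True
        print("replay:", svc.verify(cid, code))          # False
```

The clock is injected so expiry can be exercised deterministically; in production the default time.time is used. Storing only a per-challenge hash means a leaked database table does not leak live codes, and counting attempts before comparing stops an attacker from guessing a six-digit code online.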
By offering data encryption, payment gateway verification (such as Verify by Visa) and SMS two-factor authentication, you’ll be in a strong position to safeguard your users from fraud. SMS two-factor authentication is cost effective, relatively easy to implement and works on a global scale.
Take a look at Clickatell’s authentication API for WordPress, with simple instructions on how to add two factor authentication to your application.