Article updated: 30 May 2018
USER REGISTRATION: HOW TO VERIFY USER’S MOBILE PHONE NUMBER IN PHP + PRIVACY CONCERNS USING 3RD PARTY SERVICE
Today, business models rely on security, both for the user and for the provider of the service. This relationship is sometimes very fragile and open to various misuse and abuse. Additionally, when you enter SPAM and HACKING into the equation, the story becomes quite complex. So, everything boils down to this: can you trust something or someone? (a user, website, business…)
This leads us to today’s topic of two-step mobile phone verification. There are two principal technologies in use today to achieve this:
- SMS Gateways
- Call Gateways / “Missed Call” authentication
SMS gateways are self-explanatory: the user interacts with an application form, which triggers the local server’s or a 3rd party SMS gateway, which in turn sends a message containing a secret code. The user has a limited time and a limited number of trials to enter the proper code in order to verify their identity and pass the registration procedure or gain other access to the system.
Missed Call authentication is a relatively new concept, which surfaced as a simpler, obviously cheaper, and faster solution (since there are no potential SMS delivery delays involved). Also, the cost reduction is considerable, because no charges are applied for sending SMS messages. All that is required from an end-user is to enter the last few digits of the number from the most recent call and that’s it!
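The limited time and limited number of trials described above for the SMS code can be enforced on the server as in the following added example (it is not code from the original article or from any gateway provider). The names issueCode() and checkCode(), the 300 second lifetime and the limit of 3 tries are assumptions chosen for illustration.

```php
<?php
// Added example (not from the original article): server side of a one-time code check.
// OTP_TTL, OTP_MAX_TRIES, issueCode() and checkCode() are hypothetical names.
const OTP_TTL = 300;      // seconds the code stays valid (assumed value)
const OTP_MAX_TRIES = 3;  // guesses allowed per issued code (assumed value)

// Create a 6-digit code; the stored record holds only a keyed hash of it.
function issueCode(string $serverKey, int $now): array
{
    $code = str_pad((string) random_int(0, 999999), 6, '0', STR_PAD_LEFT);
    $record = [
        'hash'    => hash_hmac('sha256', $code, $serverKey),
        'expires' => $now + OTP_TTL,
        'tries'   => 0,
    ];
    return [$code, $record]; // send $code to the phone, keep $record in session/DB
}

// Returns 'ok', 'wrong', 'expired' or 'locked'; $record is updated in place.
function checkCode(array &$record, string $input, string $serverKey, int $now): string
{
    if ($now > $record['expires']) {
        return 'expired';
    }
    if ($record['tries'] >= OTP_MAX_TRIES) {
        return 'locked';
    }
    $record['tries']++; // count the attempt before comparing
    $candidate = hash_hmac('sha256', trim($input), $serverKey);
    if (!hash_equals($record['hash'], $candidate)) { // constant-time comparison
        return 'wrong';
    }
    $record['expires'] = 0; // single use: a verified code cannot be replayed
    return 'ok';
}

// Constructed demo values (timestamps are arbitrary), runs offline.
$key = random_bytes(32);
[$code, $record] = issueCode($key, 1000);
$guess = ($code === '000000') ? '111111' : '000000';
echo checkCode($record, $guess, $key, 1010), "\n"; // a wrong guess
echo checkCode($record, $code, $key, 1020), "\n";  // the right code, in time
echo checkCode($record, $code, $key, 1030), "\n";  // the same code replayed
```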
MOBILE PHONE VERIFICATION – WHY AND WHY NOT?
Pretty ingenious, don’t you agree? However, this system is less secure, mainly because if the service/company uses a limited number of SIM modules to contact users for verification purposes, those numbers may eventually get leaked and abused. Of course, if the count of used phone numbers is fairly high (500 ~ 1000+) and you limit failed registration attempts from a given IP in a given time frame, it can be pretty much safe for most applications. However, the risk still exists and should be noted, nevertheless.
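Limiting failed attempts from a given IP in a given time frame, as mentioned above, could look like the following added example (not code from the original article). The function names, the 15 minute window, the limit of 5 failures and the choice to count IPv6 clients per /64 prefix are assumptions.

```php
<?php
// Added example (not from the original article): sliding-window limit on failed
// verification attempts per client address. All names and limits are hypothetical.
const WINDOW_SECONDS = 900; // time frame that is looked at (assumed value)
const MAX_FAILURES   = 5;   // failed attempts tolerated inside the window (assumed value)

// IPv6 clients usually control a whole /64, so count per /64 prefix, not per address.
function clientKey(string $ip): string
{
    $packed = @inet_pton($ip);
    if ($packed === false) {
        return 'invalid'; // unparsable addresses all share one bucket
    }
    if (strlen($packed) === 16) {
        $packed = substr($packed, 0, 8) . str_repeat("\0", 8);
    }
    return inet_ntop($packed);
}

// $store maps client key => list of failure timestamps; use a shared DB/cache in production.
function recordFailure(array &$store, string $ip, int $now): void
{
    $store[clientKey($ip)][] = $now;
}

function isBlocked(array &$store, string $ip, int $now): bool
{
    $key = clientKey($ip);
    $recent = array_filter($store[$key] ?? [], function (int $t) use ($now): bool {
        return $t > $now - WINDOW_SECONDS;
    });
    $store[$key] = array_values($recent); // drop entries that left the window
    return count($recent) >= MAX_FAILURES;
}

// Constructed demo: addresses come from the documentation ranges.
$store = [];
foreach (['2001:db8:0:1::a', '2001:db8:0:1::b', '2001:db8:0:1::c',
          '2001:db8:0:1::d', '2001:db8:0:1::e'] as $i => $ip) {
    recordFailure($store, $ip, 1000 + $i);
}
var_dump(isBlocked($store, '2001:db8:0:1::f', 1010)); // same /64, inside the window
var_dump(isBlocked($store, '203.0.113.7', 1010));     // a different client
var_dump(isBlocked($store, '2001:db8:0:1::f', 1000 + WINDOW_SECONDS + 10)); // window has passed
```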
There are, however, several possible arguments against requiring mobile phone verification:
- For example, if you are running a commercial site for trading, shopping etc., valid phone numbers are in the best interest of the users themselves, so providing a fake one defeats the entire purpose of trading. In these cases, validation could be just an unnecessary cost.
- Building trust among users does not start with intrusive registration procedures, unless your business model strictly requires it.
- Users are frequently intimidated by mobile number requests, since it is a highly personal matter. Opposition to registering on such websites can be and usually is higher, which in turn reduces overall growth.
- Do you really need Two Factor Authentication on your website?
- And so on …
Sure, we can easily make any number of counter-arguments to the ones above, but let us leave it at that for now. You may even say that the largest companies out there these days require valid cell-phones / mobile phones from users (Google, Facebook, Amazon… just to name a few). But, even if users are still unwilling to reveal their personal numbers to those companies, they are at least “big names” in today’s society, and have a huge responsibility on their shoulders with such data. No, we are not trying to reduce the importance of the matter itself, just trying to be objective and realistic about how things “work” these days.
Which brings us to the ordinary, small, unknown company or website that you own and wish to incorporate such a “cool” feature.
PHP CONCEPT DESIGN USING 3RD PARTY SERVICE
IMPORTANT NOTE: Please note that we are not affiliated with Cognalys in any way, and we are neither advertising their service(s) nor advising you against using them. We are discussing one option for phone verification from a conceptual/theoretical point of view, and the decision whether you should or should not use their service(s) rests solely with you.
Here we will present a basic concept of two-step mobile phone verification in PHP using a 3rd party service provided by a company named Cognalys from California (USA). The service incorporates two factor authentication via “missed call” last digits verification and provides both real mobile phone authentication and SPAM protection.
They offer a very simple service for phone validation via the “missed call” technique. In contrast to the standard and more common SMS Gateways, instead of incurring the cost of sending actual SMS messages with secret verification codes, this technique relies on a much cheaper trick: enter the last few digits of a missed call number.
COGNALYS MOBILE PHONE VERIFICATION
As we have already mentioned at the beginning of this article, here we will describe the basic conceptual idea of how this could be done with PHP and the 3rd party service provided by Cognalys. Please be advised that we haven’t tested this solution ourselves, and that it is not complete, fully working code.
For other CMS platforms (WordPress plugin, Drupal, Joomla) and languages (ASP, Java, Python), please check their website to find more information about it, including Android and iOS.
Create a new .php file inside your project’s working directory and start building a simple template test script:
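<?php
// WARNING: THIS IS NOT TESTED & FULLY WORKING CODE
// THIS IS ONLY A CONCEPTUAL DESIGN / EXAMPLE HOW TO START
$accessToken = 'YOUR_ACCESS_TOKEN';
$appID = 'YOUR_APP_ID';
$mobilePhoneNumber = '01234567';

// First Step ( Request missed call )
// http_build_query() URL-encodes each value, so user input cannot add or override parameters
$request = "https://www.cognalys.com/api/v1/otp/?" . http_build_query(array(
    'access_token' => $accessToken,
    'app_id'       => $appID,
    'mobile'       => $mobilePhoneNumber,
));
// From here you process the json data
$json = file_get_contents($request);
$data = ($json !== false) ? json_decode($json, true) : null;

// You will get various responses if failed/success:
// if success
// {
//   "status": "success",
//   "keymatch": "KEYMATCH_FOR_VERIFYING",
//   "mobile": "REQUESTED_MOBILE_NUMBER",
//   "otp_start": "STARTING_OF_OTP"
// }
// if failed
// {
//   "status": "failed",
//   "mobile": "REQUESTED_MOBILE_NUMBER",
//   "errors": { "ERROR_CODE": "ERROR_MESSAGE" }
// }
if (!is_array($data) || !isset($data['status'], $data['keymatch']) || $data['status'] !== 'success') {
    exit('Missed call request failed');
}
$keymatch = $data['keymatch'];
// Placeholder: the missed call number as entered by the user in your form
$missedCallPhoneNumber = 'NUMBER_ENTERED_BY_USER';

// Second Step ( Confirm Mobile number )
$response = "https://www.cognalys.com/api/v1/otp/confirm/?" . http_build_query(array(
    'access_token' => $accessToken,
    'app_id'       => $appID,
    'otp'          => $missedCallPhoneNumber,
    'keymatch'     => $keymatch,
));
// From here you process the json data
$json = file_get_contents($response);
$result = ($json !== false) ? json_decode($json, true) : null;

// if success
// {
//   "status": "success",
//   "message": "SUCCESS_MESSAGE"
// }
// if failed
// {
//   "status": "failed",
//   "mobile": "REQUESTED_MOBILE_NUMBER",
//   "errors": { "ERROR_CODE": "ERROR_MESSAGE" }
// }
// Treat anything other than an explicit "success" status as not verified
$verified = is_array($result) && isset($result['status']) && $result['status'] === 'success';
?>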
PRIVACY CONCERNS ABOUT MOBILE PHONE VERIFICATION
The main reason why we haven’t used and tested the above service is our privacy concerns. Whenever you involve a 3rd party in your own business, the game rules change, for better or for worse.
You should always carefully study the Terms of Use / Terms of Service in such cases, unless you wish to be suddenly surprised and caught off guard, as was the very recent case with sweetCaptcha (an anti-spam service that started inserting ads in their captcha service and no longer exists).
In the ToS of Cognalys you will, of course, find a statement that they will never sell verified mobile phone numbers to third parties. However, you will find some “juicy stuff” in there, nevertheless:
we may modify this Privacy Policy from time to time to reflect changes in our privacy practices
Of course, any lawyer will tell you that with the above statement you technically agree to any terms of service in the future [if you continue to use the service, that is]. You can stop at any time, which will terminate/break the contract. However, what will happen to the previously collected data? Will the new terms apply to it retroactively? In theory and good practice, it should fall under the old terms of use, but you should check with your legal staff first.
We may use Personally Identifiable Information, including call history, to provide products and/or services to you, administer sweepstakes and contests, enhance the operation of the Website and the services, improve our marketing and promotional efforts, analyze Website and service use, improve the Website and the services, and to tailor your experience with third parties as provided below in this Privacy Policy.
and
Authorized Third Party Service Providers. Cognalys may provide services and products through third parties. You also may elect to use one or more third party applications that integrate with our services. These “Third Party Service Providers” perform functions on our or your behalf. You or We may share your Personally Identifiable Information with such Third Party Service Providers to fulfill orders, move data in or out of the Cognalys, analyze data, provide marketing assistance, provide search results and links, operate the Website and the services, troubleshoot, and provide customer service. We may also collect personal information from individuals and companies (“Affiliates”) with whom we have business relationships and may share your information with Third Party Service Providers to accomplish our administrative tasks. We encourage Affiliates and Third Party Service Providers to adopt and post privacy policies. However, the use of your Personally Identifiable Information by such parties is governed by the privacy policies of such parties and is not subject to our control.
and
Release of Non-Personally Identifiable Information. We may disclose or share Non-Personally Identifiable Information with Affiliates and Third Party Service Providers, and Third Party Advertisers. For example, we may share aggregated demographic information (which does not include any Personally Identifiable Information) with “Third Party Advertisers” or “Third Party Advertising Companies.” We may use Third Party Advertising Companies to serve ads when you visit our Website or participate in our services.
They have already set some stones in the ground, clearing their path for the future (ab)use of the collected data. In part, these terms do sound a bit familiar, as with the sweetCaptcha deal mentioned earlier.
Of course, the folks who are residents of the state of California in the United States are a little more protected by the COPPA act, which means that upon individual request Cognalys is obliged to provide the following information:
1. The categories of Personally Identifiable Information we collect and what third parties we share that information with;
2. The names and addresses of those third parties; and
3. Examples of the products marketed by those companies.
Residents of the EU (European Union) might expect even higher benefits with the pending GDPR Privacy Protection act, because companies that collect any user data must provide a clear insight into what data is collected and how it is used, including deletion/removal of individual data upon user request (the right to be “forgotten”).
CONCLUSION
It sure sounds nice in a way to have perfectly valid phone numbers from your registered users, but it may also sound awful in another, depending on where you stand on the matter of user privacy. However, the main problem with the solution described above is the “3rd party” side. If you / your company / your business alone is the one which collects the personal information from your users and uses it according to your own Terms of Service, that alone would be simple, straightforward and fine. Alas, bringing a 3rd party into the story entirely changes the game, remember?
Any 3rd party doing this type of service operates at very low cost levels (since missed mobile phone calls are usually not charged, unless someone accidentally answers the call during the short period of ringing). Additionally, they will collect a vast amount of useful information that could be interesting to various parties. And, all that is covered in their ToS.
If you run a business within the EU or your company deals with clients who are residents of the EU, you must comply with the new GDPR privacy policy act:
- First and foremost, you must get clear consent from users that their phone number may be processed by a 3rd party before/during the registration procedure.
- You must provide your users with all their personally identifiable data upon each individual request.
- You must even delete them from your database upon request, but that will be harder if a 3rd party is involved in storing PI data such as phone number(s).
This will add another complication (and cost), and you must work closely with any 3rd party business that you share this data with. Of course, the 3rd party must provide means for easy access to such information, but also protect it from unauthorized access by others.
Also worth noting is the fact that users may use short-term, disposable “burner” phones and SIM cards (as seen in many recent spy TV shows), which will be used temporarily (e.g. only once) to register an account and later just be thrown away. Now, who can verify and protect you against such practice? Of course, this would be prohibitively expensive for spamming purposes, but for other scams and what not, it is still a viable solution.
Again, we do not wish to speculate or make any false accusations against anyone on any matter beforehand, but these are the facts that you should be well aware of when using other services alongside your own business. Carefully study ToS agreements and pay attention to any changes in the future.
Of course, the best solution for this, if you really have a necessity for one, would be to develop your own system and incorporate it directly into your application, but that would mean more development time, more cost, more everything. And all this for a single goal: the unbeatable price of user privacy.