Using Phone Number to Prevent Spam: How to prevent spam on a mobile app? - user-interface

Compared to using CAPTCHA, would using a phone number to prevent spam/bots improve the user experience?
I'm building an ecommerce app that does not require a user to create an account. When a user writes a product review, they enter their phone number and a verification code is sent, which the user sends back so that the review succeeds.

It is not typical to use CAPTCHA for an app login. The better UX for app users is to get the phone number and send a verification code to authenticate whether the request is coming from a real user. When an SMS arrives it normally shows up at the top (in the notification window), which shows the verification code. So the user doesn't even have to switch apps to read the verification code in the SMS. All he has to do is wait until the SMS arrives and key in the code in your app.
There are several SMS verification API providers available to make it easy for sending out verification code.
I have used Nexmo Verify API before which makes it easy to generate the code and completes the verification.

Related

Critical Security Alert using Gmail SMTPClient in Xamarin Application

I am developing a cross platform Xamarin application that uses Google's SMTPClient to send order confirmation emails in the app directly, following this tutorial: https://www.c-sharpcorner.com/article/xamarin-forms-send-email-using-smtp2/
Emails have been sending without issues during development of the app, while testing on only a couple of devices in house, but now that I go to release it to 20+ different devices with different IP addresses, none of the emails are sending and the app is crashing. When I log in to the Google account that is used to send the emails, I am confronted with: "Critical Security Alert. Suspicious attempt to sign in with your password", each time a crash occurred.
I have third party access enabled, but it seems like Google is still not allowing the user to send emails from new devices with new IP addresses. How can I get around this?
I appreciate any help I can get.

Unable to check the status of Google OAuth consent screen verification process

I submitted the consent screen with some sensitive scopes (classroom.courses etc.) more than 1 month back, and after 1 day I got a message from Google that I have to verify the domains, so I completed the domain verification process and submitted it again after 2 days. Till now my consent screen is not verified. The OAuth consent screen verification page shows just this text: 'Your consent screen is being verified. This may take up to several days. Your last approved consent screen is still in use' but doesn't mention any time frame.
Does anyone know where I can get the status of this verification process? It is mentioned that it will take some weeks if the app uses some sensitive scopes, but still after 5 to 6 weeks I didn't get any notification from Google.
You should receive an email from Google with the subject "OAuth Verification Request" stating that your project has been successfully verified. However, in all my cases for Android/iOS projects I first received an email asking me to create a video on YouTube demonstrating the use of the sensitive scopes in the app. After I created that, approval arrived in a few days.
For one of my projects, I never received any email update so I just made some small change to Oauth screen and resubmitted. I then heard back in a few days, so I think for some reason the one verification request got lost.
You can also try responding to the first email you received from Google regarding the verification of the domain.

How to load test Sign Up API using Jmeter for 100 users where mobile number & email are unique

I have to perform a load test on a Sign Up API using JMeter.
Sign Up asks for:
Valid cell # where the system sends an SMS code for verification
Valid email address where the user receives a link for verification
Can anyone help with this scenario?
Thanks in advance.
It might be tricky, however you can consider a 3rd-party application like Spikko or 2nr and use a mobile automation framework like Appium from JSR223 Test Elements in order to get the SMS text from the mobile application. If you don't have a real phone you can use an emulator like Bluestacks or Genymotion.
For email it is way easier, JMeter comes with Mail Reader Sampler so you can fetch an email from any real box and extract confirmation URL from there, check out How to Create a JMeter Script to Check Email During Registration AND Grab the Confirmation URL for more details.
You probably should use a JDBC Request and get the code/link sent from the DB.
But if it's not possible, for email you can concatenate +${UUID()} to the same Gmail address. Gmail at least supports sending to the same mailbox if it has a different suffix:
Here are two different ways you can modify your Gmail address and still get your mail:
Append a plus ("+") sign and any combination of words or numbers after your email address. For example, if your name was hikingfan@gmail.com, you could send mail to hikingfan+friends@gmail.com or hikingfan+mailinglists@gmail.com.

Secure phone number sms verification process for Webapp

I wanted to verify phone numbers before using them for communication with registered users. However, I am unclear if I'm doing it securely, i.e.
Steps I'm taking:
1. Ask user for phone number
2. Send SMS verification code
3. User enters code
4. Code verified using SMS service (Sinch or Twilio)
5. Correct code triggers callback function (client side) that adds the number to backend database
6. Incorrect code does nothing
My concern is step 5. Should I have the success callback function perform the number save on the client side, or should I trigger some backend (server-side) function that performs the save operation?
So with Sinch it works like this: all the steps 1 to 6 are correct on the client side, but step 5/6 is more like this:
5. Client enters code and sends it to the Sinch backend
- Return to client with Success or Fail (do UI logic)
- Make a callback to your server with status, take action if correct or incorrect.
So the code is never in your possession; injecting the add-to-database on the client side is not possible, since you get Success on the client and then, in the client, reload your data from your backend, which has been updated by the server-to-server method. Makes sense?
https://www.sinch.com/docs/verification/rest/#howtousetheverificationapis
Twilio developer evangelist here.
I'd definitely do the code verification on the server side and then if that is successful save the number to the database. Any verification and success callbacks on the client side could surely be bypassed by an attacker with knowledge of JavaScript.
Rather than using Twilio directly for this, might I suggest you check out Authy's phone verification API. Authy is part of Twilio, but is more specific to verification and two factor authentication workflows.
I'm not sure what your backend is written in, however there are tutorials for verifying a phone number with Authy on the Twilio site. We have examples in Node, Ruby, Python, .NET, PHP and Java.
I'm not sure if this helps at all. Let me know if you have any other questions.
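Added example (not from any of the posts above, nor from Sinch, Twilio or Nexmo): a minimal server-side verification store in Python showing the server-side check that the Sinch and Twilio answers recommend, and the send-code/enter-code flow the first answer on this page describes. The in-memory dict (standing in for a database), the HMAC pepper and the fact that `start()` hands the code back to the caller for the SMS gateway stub are assumptions; codes are stored only as HMAC digests, expire, are single-use and are limited to a few attempts, and the number is saved only after the server has checked the code.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: five wrong guesses invalidate the code


class PhoneVerifier:
    """Server-side store of pending phone verifications (in-memory, assumed)."""

    def __init__(self, pepper: bytes, now=time.time):
        self._pepper = pepper          # server-side secret; never sent to clients
        self._now = now                # injectable clock for testing
        self._pending = {}             # phone -> [digest, expires_at, attempts]
        self.verified = set()          # numbers saved after a successful check

    def _digest(self, phone: str, code: str) -> bytes:
        # Only the keyed hash is stored, so a leaked store does not expose live codes.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def start(self, phone: str) -> str:
        # Six random digits from a CSPRNG; the caller passes it to the SMS gateway
        # (stubbed here). The HTTP handler must never echo it back to the browser.
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[phone] = [self._digest(phone, code),
                                self._now() + CODE_TTL_SECONDS, 0]
        return code

    def check(self, phone: str, submitted: str) -> bool:
        # This is the step 5 from the question, done on the server: the client
        # only learns True/False, and the save below cannot be reached any other way.
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            del self._pending[phone]   # expired or brute-forced: discard the code
            return False
        entry[2] += 1
        if not hmac.compare_digest(digest, self._digest(phone, submitted)):
            return False               # wrong code; attempt counted
        del self._pending[phone]       # single-use: a replayed code fails
        self.verified.add(phone)       # the database write happens here, server side
        return True
```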

How to buy and send sms to unverified phone numbers using twilio api

I am currently developing a web application using Laravel. I have been using a Twilio trial account to send messages to just one verified phone number, and now I want to launch the application and be able to send SMS to any phone number filled in on the registration page, and send an SMS to the user after successful registration. How do I do this to accomplish my task and move on, because I am stuck and don't know what to do...
I believe Twilio has a limit on whitelisted numbers during the trial period.
Many SMS Gateway providers do this to prevent spammers.
Nexmo, where I work, has an SMS API that allows you to easily send SMS messages to phones in over 200 countries.
The API is extremely reliable, safe, & easy to integrate in your application.
All you need to do is make a simple HTTP call.
After signing up for the free trial, there will be a screen in the dashboard where you are allowed to enter up to 10 whitelisted numbers during the trial phase.
Once you top up (reload your account with funds), this restriction is lifted.
Here is some more information on how to integrate the SMS API with PHP.