Why do apps with phone verification send the user a message, rather than have the user send one to them?
Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:
- Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount
- A user may want to sign in on a device that does not have SMS capabilities, but can have the SMS sent to their phone instead [iPod/Tablet etc.] (this could be mitigated by allowing the user to use both inbound or outbound for verification depending on the device capabilities)
- Users are very familiar with the receiving interface from other big name apps, and so it may feel more secure
- Does sending an SMS seem "dodgy" a bit like old-school scams that ask you to send a message to a number?
- It is not compatible with a desktop web version of the product
None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?
mobile multi-factor
asked 1 hour ago
George Green
Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
– multithr3at3d, 1 hour ago
SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
– usr-local-ΕΨΗΕΛΩΝ, just now
1 Answer
Accepted answer, 5 votes
It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.
answered 1 hour ago
Mike Scott
Yup, that sounds reason enough for me! Thanks for the response :)
– George Green, 1 hour ago
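The answer's point modelled in code, as an added example that is not part of the original thread: with a server-sent code, answering proves the SMS delivered to the number was read, while with a user-sent code the session owner already knows the code and the server is left trusting the message's sender field. The class names, the `send_sms` callback, and the TTL and attempt limits are assumptions made for illustration.

```python
import hmac
import secrets
import time

CODE_TTL = 300    # assumed policy: seconds a challenge stays valid
MAX_TRIES = 5     # assumed policy: guesses allowed per challenge

def new_code():
    return f"{secrets.randbelow(10**6):06d}"

class OutboundVerifier:
    """Server sends the code; answering proves the SMS for `number` was read."""
    def __init__(self, send_sms):
        self.send_sms = send_sms   # hypothetical gateway: send_sms(number, text)
        self.pending = {}          # number -> [code, expiry, tries_left]

    def start(self, number, now=None):
        now = time.time() if now is None else now
        code = new_code()
        self.pending[number] = [code, now + CODE_TTL, MAX_TRIES]
        self.send_sms(number, code)   # the code is never returned to the caller

    def check(self, number, submitted, now=None):
        now = time.time() if now is None else now
        entry = self.pending.get(number)
        if entry is None or now > entry[1]:
            self.pending.pop(number, None)   # unknown or expired challenge
            return False
        entry[2] -= 1
        ok = hmac.compare_digest(entry[0], submitted)   # constant-time compare
        if ok or entry[2] == 0:
            del self.pending[number]   # single use, bounded guessing
        return ok

class InboundVerifier:
    """User-sends design: the session owner is shown the code up front."""
    def __init__(self):
        self.pending = {}   # claimed number -> code

    def start(self, claimed_number):
        self.pending[claimed_number] = new_code()
        return self.pending[claimed_number]   # displayed in the app

    def on_sms(self, sender_field, body):
        # sender_field is asserted by the originating side, not proven to the server
        code = self.pending.get(sender_field)
        return code is not None and hmac.compare_digest(code, body)
```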