Why do apps with phone verification send the user a message, rather than have the user send one to them?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP





.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty margin-bottom:0;







up vote
1
down vote

favorite












Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:



  • Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount

  • A user may want to sign in on a device that does not have SMS capabilities, but can have the SMS sent to their phone instead [iPod/Tablet etc.] (this could be mitigated by allowing the user to use both inbound or outbound for verification depending on the device capabilities)

  • Users are very familiar with the receiving interface from other big name apps, and so it may feel more secure

  • Does sending an SMS seem "dodgy" a bit like old-school scams that ask you to send a message to a number?

  • It is not compatible with a desktop web version of the product

None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?










share|improve this question







New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
    – multithr3at3d
    1 hour ago










  • SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
    – usr-local-ΕΨΗΕΛΩΝ
    just now
















up vote
1
down vote

favorite












Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:



  • Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount

  • A user may want to sign in on a device that does not have SMS capabilities, but can have the SMS sent to their phone instead [iPod/Tablet etc.] (this could be mitigated by allowing the user to use both inbound or outbound for verification depending on the device capabilities)

  • Users are very familiar with the receiving interface from other big name apps, and so it may feel more secure

  • Does sending an SMS seem "dodgy" a bit like old-school scams that ask you to send a message to a number?

  • It is not compatible with a desktop web version of the product

None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?










share|improve this question







New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.



















  • Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
    – multithr3at3d
    1 hour ago










  • SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
    – usr-local-ΕΨΗΕΛΩΝ
    just now












up vote
1
down vote

favorite









up vote
1
down vote

favorite











Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:



  • Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount

  • A user may want to sign in on a device that does not have SMS capabilities, but can have the SMS sent to their phone instead [iPod/Tablet etc.] (this could be mitigated by allowing the user to use both inbound or outbound for verification depending on the device capabilities)

  • Users are very familiar with the receiving interface from other big name apps, and so it may feel more secure

  • Does sending an SMS seem "dodgy" a bit like old-school scams that ask you to send a message to a number?

  • It is not compatible with a desktop web version of the product

None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?










share|improve this question







New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:



  • Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount

  • A user may want to sign in on a device that does not have SMS capabilities, but can have the SMS sent to their phone instead [iPod/Tablet etc.] (this could be mitigated by allowing the user to use both inbound or outbound for verification depending on the device capabilities)

  • Users are very familiar with the receiving interface from other big name apps, and so it may feel more secure

  • Does sending an SMS seem "dodgy" a bit like old-school scams that ask you to send a message to a number?

  • It is not compatible with a desktop web version of the product

None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?







mobile multi-factor






share|improve this question







New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question







New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question






New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 1 hour ago









George Green

1084




1084




New contributor




George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






George Green is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











  • Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
    – multithr3at3d
    1 hour ago










  • SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
    – usr-local-ΕΨΗΕΛΩΝ
    just now
















  • Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
    – multithr3at3d
    1 hour ago










  • SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
    – usr-local-ΕΨΗΕΛΩΝ
    just now















Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
– multithr3at3d
1 hour ago




Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure since the source number is trivially spoofable in many cases
– multithr3at3d
1 hour ago












SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
– usr-local-ΕΨΗΕΛΩΝ
just now




SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html
– usr-local-ΕΨΗΕΛΩΝ
just now










1 Answer
1






active

oldest

votes

















up vote
5
down vote



accepted










It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.






share|improve this answer




















  • Yup, that sounds reason enough for me! Thanks for the response :)
    – George Green
    1 hour ago










Your Answer







StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "162"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
convertImagesToLinks: false,
noModals: false,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






George Green is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f193904%2fwhy-do-apps-with-phone-verification-send-the-user-a-message-rather-than-have-th%23new-answer', 'question_page');

);

Post as a guest






























1 Answer
1






active

oldest

votes








1 Answer
1






active

oldest

votes









active

oldest

votes






active

oldest

votes








up vote
5
down vote



accepted










It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.






share|improve this answer




















  • Yup, that sounds reason enough for me! Thanks for the response :)
    – George Green
    1 hour ago














up vote
5
down vote



accepted










It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.






share|improve this answer




















  • Yup, that sounds reason enough for me! Thanks for the response :)
    – George Green
    1 hour ago












up vote
5
down vote



accepted







up vote
5
down vote



accepted






It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.






share|improve this answer












It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.







share|improve this answer












share|improve this answer



share|improve this answer










answered 1 hour ago









Mike Scott

6,7231328




6,7231328











  • Yup, that sounds reason enough for me! Thanks for the response :)
    – George Green
    1 hour ago
















  • Yup, that sounds reason enough for me! Thanks for the response :)
    – George Green
    1 hour ago















Yup, that sounds reason enough for me! Thanks for the response :)
– George Green
1 hour ago




Yup, that sounds reason enough for me! Thanks for the response :)
– George Green
1 hour ago










George Green is a new contributor. Be nice, and check out our Code of Conduct.









 

draft saved


draft discarded


















George Green is a new contributor. Be nice, and check out our Code of Conduct.












George Green is a new contributor. Be nice, and check out our Code of Conduct.











George Green is a new contributor. Be nice, and check out our Code of Conduct.













 


draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f193904%2fwhy-do-apps-with-phone-verification-send-the-user-a-message-rather-than-have-th%23new-answer', 'question_page');

);

Post as a guest













































































Comments

Popular posts from this blog

Long meetings (6-7 hours a day): Being “babysat” by supervisor

What does second last employer means? [closed]

One-line joke