Effective phone number verification

Posted by Steven Soneff, Identity Product Manager

To build apps that make use of phone numbers, it’s often crucial to verify that
the user owns a number. Doing this can be tricky from a UX perspective, not
least in understanding phone number formats in different locales, but also in
providing a verification mechanism that isn’t cumbersome and doesn’t rely on
intrusive device permissions, such as the ability to read all of a user’s SMS.

There are many libraries for efficient pre-built phone authentication, such as
Firebase Phone Auth, but if you are an advanced developer and need to build this
functionality yourself, Google Play Services has two new APIs that help you
obtain a user’s phone number and verify it via SMS without device permissions:
the Phone Selector and SMS Retriever. Apps like Flipkart have seen a 12%
increase of success rates in phone number sign-up flows using these methods.

The steps for using these with your server can be seen here:

In this post we’ll show the code that you need to provide a phone number
selector to your users, and then use this with the SMS retriever API to request
a verification code from your server that the Android device will automatically
receive and parse with no input from the user.

Note: Before you begin, you’ll need to build and test this on a device with a
phone number that can receive SMS and runs Google Play services 10.2.x and
higher.

Using the Phone Selector to get the number

The first step is to have the user initiate SMS verification from within your
app. Your app might prompt the user to enter a phone number, and you can use the
Phone Selector to make this easier, using code like this:

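// Construct a request for phone numbers and show the picker
private void requestHint() throws IntentSender.SendIntentException {
    // Ask Play services for phone number hints only
    HintRequest hintRequest = new HintRequest.Builder()
           .setPhoneNumberIdentifierSupported(true)
           .build();

    // apiClient is a connected GoogleApiClient built with Auth.CREDENTIALS_API
    PendingIntent intent = Auth.CredentialsApi.getHintPickerIntent(
            apiClient, hintRequest);
    // RESOLVE_HINT is an app-defined request code checked in onActivityResult
    startIntentSenderForResult(intent.getIntentSender(),
            RESOLVE_HINT, null, 0, 0, 0);
}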

The HintRequest builder tells Play Services that a phone number identifier is
needed. This is then used to create and start an intent, which will show a Play
Service dialog to the user allowing them to select their phone number to share
with the app. This API does not require any permissions, and displays the
number(s) available on the phone or Google Account for the user to select.

When the user selects a phone number it will be returned to the application in
onActivityResult in E.164 format on devices running the latest version of Play
Services. Note that in some cases, depending on your phone, you may not get a
phone number, so be sure to check if the credential is non-null. If you don’t
have a number, you’ll need to provide a way for your user to type it in
manually.

// Obtain the phone number from the result
@Override
public void onActivityResult(int requestCode, int resultCode, Intent data) {
  super.onActivityResult(requestCode, resultCode, data);
  if (requestCode == RESOLVE_HINT) {
      if (resultCode == RESULT_OK && data != null) {
          Credential credential = data.getParcelableExtra(Credential.EXTRA_KEY);
          if (credential != null) {
              // credential.getId(); <-- E.164 format phone number on 10.2.+ devices
          }
          // A null credential means no number was returned: ask the user to type it
      }
  }
}

At this point you’ll have a phone number string for your user. While this is
useful, you’ll likely want to verify that the user owns this particular number,
for example to allow them to send or retrieve messages with other users or to
identify themselves with this number.

Using the SMS Verification API to verify the number

A simple way to verify phone number ownership is by sending an SMS to the
number, containing a one-time verification code, and having the user enter that
into your app. The SMS Verification API lets the app listen for an incoming SMS
from which it can parse the code automatically.

To get started, your app will get an SmsRetrieverClient with code like this:

SmsRetrieverClient client = SmsRetriever.getClient(this /* context */);

Task<Void> task = client.startSmsRetriever();

task.addOnSuccessListener(new OnSuccessListener<Void>() {
  @Override
  public void onSuccess(Void aVoid) {
    // successfully started an SMS Retriever for one SMS message
  }
});

task.addOnFailureListener(new OnFailureListener() {
  @Override
  public void onFailure(@NonNull Exception e) {
    // failed to start the SMS Retriever
  }
});

It’s pretty simple: you get an SMS Retriever client and then start a task for
it. The task takes an onSuccess listener as well as an onFailure one to
override. After starting the SMS Retriever, you’d send the user’s phone number
to your server and start its workflow for generating the message and sending it
to that number.

The message needs to be constructed in a specific way. The message must fit in
an SMS message, so it can’t be longer than 140 bytes. It needs to start with a
specific prefix: “<#>” or two consecutive zero-width space characters (U+200B).
See the documentation for more information. It must end with an 11-character
hash that identifies your app, described below.

Example:

<#> Use 123456 as your verification code in Example App!

FA+9qCX9VSu

The one-time verification code can be any string: you can simply generate a
random number. The message needs to end with a hash that is determined according
to the procedures here.
Google Play services will use this hash to determine which app the verification
message is for. You only need to generate this hash once for your app package
and signing certificate: it won’t change and shouldn’t be supplied by the client
app.

Your server can then send the message to the phone using your existing SMS
infrastructure or service. When this message is received, Google Play services
broadcasts an intent which contains the text of the message. Here’s the code:

public class MySMSBroadcastReceiver extends BroadcastReceiver {

  @Override
  public void onReceive(Context context, Intent intent) {
    if (SmsRetriever.SMS_RETRIEVED_ACTION.equals(intent.getAction())) {
      Bundle extras = intent.getExtras();
      if (extras == null) {
        return;
      }
      Status status = (Status) extras.get(SmsRetriever.EXTRA_STATUS);
      if (status == null) {
        return;
      }

      switch(status.getStatusCode()) {
        case CommonStatusCodes.SUCCESS:
          // Text of the verification SMS
          String message = (String) extras.get(SmsRetriever.EXTRA_SMS_MESSAGE);
          // Parse the one-time code out of message and send it to your server
          break;
        case CommonStatusCodes.TIMEOUT:
          // Waiting for the SMS timed out
          break;
      }
    }
  }
}

In the onReceive of the broadcast receiver you get the extras, and pull the
status from there. If the status indicates that the message was successfully
received, you can pull the message from the extras. From here you can parse out
the verification code and send it back to your server to confirm phone number
ownership.
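
The server-side half of this flow, as an added example in Python (not code from the original post or from Google): it draws the code from a CSPRNG, builds the message under the format rules above, and checks the returned code with expiry, an attempt limit and single use. The `<#>` prefix comes from the SMS Retriever documentation and the hash is the post's example value; the five-minute lifetime, the five-attempt limit, the in-memory `PENDING` store and all function names are assumptions made for this example.

```python
import hashlib
import hmac
import re
import secrets
import time

PREFIX = "<#>"              # prefix per the SMS Retriever documentation
APP_HASH = "FA+9qCX9VSu"    # the post's example hash; fixed on the server
MAX_SMS_BYTES = 140
CODE_TTL_SECONDS = 300      # assumption: codes are valid for five minutes
MAX_ATTEMPTS = 5            # assumption: guesses allowed per issued code
PENDING = {}                # phone -> record; stand-in for a real datastore


def build_message(code, app_name="Example App"):
    """Return the SMS body, rejecting anything that breaks the format rules."""
    body = f"{PREFIX} Use {code} as your verification code in {app_name}!\n\n{APP_HASH}"
    if len(APP_HASH) != 11:
        raise ValueError("app hash must be exactly 11 characters")
    if len(body.encode("utf-8")) > MAX_SMS_BYTES:
        raise ValueError("message is longer than 140 bytes")
    return body


def code_digest(phone, code, salt):
    """Salted digest bound to the phone number; the code itself is not stored."""
    return hmac.new(salt, f"{phone}:{code}".encode(), hashlib.sha256).digest()


def start_verification(phone, now=None):
    """Issue a fresh code for phone and return the SMS text to send."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, not the random module
    salt = secrets.token_bytes(16)
    PENDING[phone] = {"salt": salt, "digest": code_digest(phone, code, salt),
                      "expires": now + CODE_TTL_SECONDS, "attempts": 0}
    return build_message(code)


def extract_code(message):
    """Mirror of the app-side parse: read the code, ignoring the hash line."""
    body = message.rsplit("\n", 1)[0]          # drop the trailing app hash
    match = re.search(r"(?<!\d)\d{6}(?!\d)", body)
    return match.group(0) if match else None


def check_code(phone, submitted, now=None):
    """Accept a code only for its own phone, before expiry, within the attempt limit, once."""
    now = time.time() if now is None else now
    record = PENDING.get(phone)
    if record is None:
        return False
    if now > record["expires"] or record["attempts"] >= MAX_ATTEMPTS:
        del PENDING[phone]                     # a new SMS must be requested
        return False
    record["attempts"] += 1
    expected = code_digest(phone, submitted, record["salt"])
    if hmac.compare_digest(record["digest"], expected):
        del PENDING[phone]                     # single use
        return True
    return False
```

Keeping `APP_HASH` as a server constant follows the post's point that the hash shouldn’t be supplied by the client app.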

For more information, check out the full documentation and this year’s Google
I/O talk.

Testimonies of Early Adopters

Our early partners who use this API love it. Here are some testimonials from
them:

Twilio observed and blogged that Android SMS Verification has never been easier.

“If you’re a developer building mobile apps on Android that use phone
numbers to register and identify user accounts, you should be using Twilio
Verification SDK for Android for the quickest way to solve the problem of
providing a smooth, secure and easy sign-up flow.” – Simon Thorpe, Product
Owner at Twilio

Authy loved the fact that these APIs work with their existing SMS infrastructure
without requiring many changes.

“Adding Phone Selector + SMS Retriever into Authy 2FA app delivers magical
UX for users while retaining the high security our application requires.” —
Serge Kruppa, Head of Authy Engineering

Telesign observed better UX, increased security and higher conversion rates with
the same backend framework.

“One significant advantage of this verification mode with lower friction is
that customers might be able to see increased conversion rates for user sign-up
and registration scenarios.

Enhanced security is also a benefit as Google Play Services only provides
access to the SMS message to the targeted application based on the application
hash inside the message.” — Priyesh Jain (Post author)

Pixel

#teampixel heads to the Big Easy with Pixel 2

With Google Pixel 2 hitting the streets soon, we’re excited to see what new photography fills the #teampixel feeds in the coming weeks. In the meantime, we visited New Orleans, LA, with Timothy McGurr who captured some of the city’s unique quirks and characters for a recent shoot, Pixel 2 in tow.

Check out his lovely photos—all of which are in their natural state with absolutely no retouching, no attachments and no other equipment. Because let’s face it…New Orleans is best experienced unfiltered.   

Google Assistant

Ok Google, let’s get spooky

It’s Friday the 13th and just a couple weeks ‘til Halloween. Whether you’d prefer to hand out candy, dress like a pirate or scare yourself silly, your Google Assistant can help you get in the spooky spirit:

🤖 “Ok Google, what should I be for Halloween?”

🎃 “Ok Google, get directions to the nearest pumpkin patch”

👹 “Ok Google, how do I get rid of monsters?”

🍬 “Ok Google, add Halloween candy to my shopping list”

🙀 “Ok Google, scare me” 

👻 “Ok Google, let’s get spooky” (this one sets the Halloween vibe, with spooky music and flickering smart lights)

May all your Halloween dreams—or nightmares—come true. Happy (almost) Halloween!

Diversity

How an X program manager writes her own history and preserves her Ecuadorian legacy

In honor of Hispanic Heritage Month, we’re celebrating the fascinating stories and important contributions of our Hispanic Googlers—their histories, their families, and what keeps them busy inside and outside of work. Today we hear from Gladys Karina Jimenez Opper, an audacious moonshot catalyst and collector of world experiences, whose curiosity rivals Nancy Drew’s.  

What is the 10-second explanation of your job?

I am a Program Manager at X—I plan and execute internal projects that support the launch of moonshot technologies that we hope will one day make the world a radically better place.

What does Hispanic culture and heritage mean to you?

No matter your ethnicity, country of origin, or language, we all have a cultural heritage—a history written by those who came before us and a standing legacy for those yet to come. Culture represents our innate desire for community; a social framework that connects us to people with whom we share something in common. Heritage is generation-upon-generation of cultural experiences passed on by our parents, forefathers, and their ancestors before them, and traditions are the way we pass that heritage down. Sometimes preserved in song or in dance, food or artifacts, our cultural heritage and traditions keep our past, present and future connected at all times.

What is your favorite cultural tradition?

Dinner is always better when we eat together! Family dinners are a tradition in my household. Growing up, my great-aunt Emilia (“Mami Mila”) would cook the most heavenly dishes and no one was allowed to start dinner until everyone was present at the table. You usually don’t think of food when you think of mindfulness, but a shared meal is an extraordinary way to cultivate connection, allowing us to be present for ourselves and hold space for each other.

When did you (or generations before you) immigrate to the U.S.?

I was born in Ecuador. My parents were born in Ecuador. My grandparents were born in Ecuador. And that history goes back as far as we’ve been able to trace. When I was three years old my parents decided to move to the United States in pursuit of our American dream—it was surely the most difficult decision they ever had to make.

Tell us a bit about how you got to where you are today, and who helped you get there.

Knowing where I come from is a key part of knowing who I am and what I stand for. It helps me stay rooted and centered no matter the circumstance.

As a kid, many people disparaged my dreams of attending college. They would tell me, “Those things don’t happen to people like us,” but my parents encouraged me to persevere, work hard and retain hope. I was valedictorian of my high school class and attended Stanford University, where I graduated with both undergraduate and graduate degrees.

A couple of years later, I decided to pursue my dream of working at Google. My parents and husband continuously reminded me of the power and strength of conviction. Even the most audacious dreams can come true if you believe in yourself and work relentlessly toward your goal. That’s true at X too. What some deem impossible, we see as an opportunity to create impact. Not a bad fit for me at all.

What has been an important moment for you at X?

Important moments arise in everyday interactions; I am continuously humbled by the brilliance, kindness and generosity that surrounds me. And that’s more meaningful than one specific moment. “Meraki” is a Greek word for “doing something with soul, creativity, or love,” and that describes my colleagues, partners and friends at X. Every day is an opportunity to present a different perspective for our projects and products, to exemplify leadership, camaraderie and compassion.

  • High school graduation, valedictorian speech.

  • College graduation day! This is a photo of my parents by my side the day I graduated from Stanford University. Si se puede. Yes we can.

  • Here is a photo of my parents’ first Google “Take Your Parents To Work Day.” It was such a memorable day filled with riding Google bikes, enjoying yummy Google food, collecting Google souvenirs and the opportunity to experience being a Googler for a day (massage chairs included). They were so happy!

  • No matter how difficult the obstacle, I know that I do not stand alone. Here is a photo of mi gran familia.

Android enterprise

How Android helped Dalmia Bharat go digital and grow their business

Editor’s note: Today’s post comes from Sunil Tewari, Head of Technology and Business Services for Dalmia Bharat Group, one of India’s largest cement manufacturers. Read how Dalmia Bharat Group uses Android to increase sales, optimize cement delivery, and better connect their workforce.

Dalmia Cement is a leader in the Indian cement industry, producing over 9 million tons of cement for its customers every year. Founded as a division of the Dalmia Bharat Group in 1939, we’ve consistently innovated our manufacturing and production processes, pioneering specialty cements used for oil wells, railway sleepers, and air strips.

We’re quick to embrace solutions that make our business more efficient and responsive for our customers. So when it came to mobility, we turned to another powerhouse of innovation—Android. Our analog record-keeping system wasn’t keeping up with our needs: our customers are spread far and wide across India, so many of our employees spend their work hours largely on the road, making sales calls and deliveries. We have between 15,000 and 18,000 trucks delivering cement to cities and remote areas, and 600 sales representatives visiting customers every day.

In a business that relies on strong personal relationships between sales reps and customers, keeping track of contacts, purchases and deliveries with so many employees while on the go is difficult. Sales reps need to be able to get information quickly while they’re at a customer site or in the office. Managers need to make sure drivers are taking the quickest delivery route to where the customers are. And we need to track successful deliveries so we know when to bill the client.

Dalmia Android team

To make all of this a smoother process, we built three Android apps so that sales reps, dealers, and truck drivers could have the information they need most at their fingertips. Our SM@RT-D app gives our sales force the ability to place and track orders. Our SUVIDHA app is used by customers to place orders without needing to contact the sales team, and DriverSathi tracks deliveries and makes billing more efficient.

Android’s secure and flexible platform was the right choice for our company’s apps. We were able to build and deliver apps to our team in six weeks, which are used by more than 4,000 employees and customers.

We are using the Enterprise Mobility Management capabilities in G Suite to manage the devices we provide for our sales force. Employees can also bring their own devices to access resources like Gmail and our company’s apps—we use Android’s device policy controller to manage the work profile, keeping company data secure on these devices. Dealers use their own Android devices to access our apps and place orders.

Since our sales reps began using our SM@RT-D app, sales have increased, with 60 percent of all orders now placed digitally. Our sales team uses the app to get quick access to product information from a customer site, while managers use it to check when the rep last visited that customer and to see what other stops the rep has that day.

We have more than 8,000 active users of our SUVIDHA app, which allows our customers to place orders anytime. Prior to this, they had to call into our sales team. We now see more than 1,000 orders placed each day with the app, which accounts for 35 percent of total sales.

With our third app, DriverSathi, we can track cement deliveries. Drivers get electronic proof of delivery, so we know exactly when each delivery was made, leading to on-time payment for our delivery drivers. Orders are filled 10 percent faster now because the process isn’t paper-based. Customers and dealers know when they will be receiving orders so they can manage their own sales pipelines.

This app also streamlines billing. Previously, invoices were often delayed by up to a month and a half because everything was done via hard copy, and it sometimes took weeks for drivers to hand in the paper invoices. Now the invoicing process starts as soon as the delivery is made because the app verifies exactly when delivery is completed, triggering the payment process.

Building custom apps on Android helped improve every part of our business, starting with the sales process, going all the way through delivery and invoicing. Going mobile with Android has been a key piece of our growth, as we’ve become one of the fastest-growing cement brands in India. Our Android applications enabled us to provide service to more customers in a quicker fashion because our employees have information they need when they need it most—on the road. And by giving the most efficient routing information, workers spend less time driving and more time talking with customers. With Android, it’s a win-win for everyone.
