Why do apps with phone verification send the user a message, rather than have the user send one to them?




Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:



None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?






Isn't the point usually to verify that the person accessing the account actually possesses the phone number associated with their account? If so, a user sending a message is less secure, since the source number is trivially spoofable in many cases.

– multithr3at3d
Sep 17 '18 at 14:56






SMS verification is deprecated, anyway. Should be abandoned by apps. See also schneier.com/blog/archives/2016/08/nist_is_no_long.html

– usr-local-ΕΨΗΕΛΩΝ
Sep 17 '18 at 16:28






Some apps do, in fact, require that you send SMS messages. I actually had never seen this until my recent trip to the U.S., where several actions, including signing up for Curb (taxis in NYC) and getting tracking information from the USPS and UPS, sent me SMS messages from shortcodes and then required me to reply to them, which apparently isn't possible on my carrier (Lycamobile).

– Micha
Sep 17 '18 at 21:50






From Germany I would have to pay €1.59 / $1.86 for one SMS to the US (and nearly all other non-EU countries), so it would often prevent me from registering for a service (especially if it is for testing purposes).

– KIMB-technologies
Sep 17 '18 at 23:04






@usr-local-ΕΨΗΕΛΩΝ SMS is often used for attempting to limit spam as it's not very easy to gain a lot of phone numbers like it is for email addresses.

– Qwertie
Sep 18 '18 at 3:22




6 Answers



It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.






Another reason is usability. Sending an SMS to a new number is more of a hassle, and much more error prone, than receiving one and getting a short code from it. Users should also be rightfully wary of letting random apps send SMSes, so automating the SMS sending isn't that good an idea.

– hyde
Sep 17 '18 at 17:29







I'd also be concerned about that getting hijacked and causing me to subscribe/pay for a premium texting service unintentionally.

– Matthew FitzGerald-Chamberlain
Sep 17 '18 at 19:42






Sadly, it's not super hard to send a fake SMS from arbitrary numbers on certain carriers :( Intercepting the message the user receives at least requires you to be physically near the person.

– Mooing Duck
Sep 17 '18 at 20:52



Since no one has mentioned it, sending SMS (by the customer) does cost money, at least in developing countries. Besides, the validation server can be in a different country. Personally, I won't want to send a costly SMS to the US from Japan. Since the server sends SMS through 3rd-party SMS providers, they don't have to face that much cost per SMS.






Further to that, it's usually impossible to tell in advance how much an SMS to a certain number would cost. "Premium" numbers can charge an almost-arbitrarily high amount for SMS sent to them on top of operator costs. Therefore, "send us an SMS" is rife for scams.

– Xan
Sep 18 '18 at 8:53



The point of text-message verification is to confirm possession of your phone, not to have you make contact.



Two factor authentication usually requires something you know (a password) and something you have (a security key, dongle, or your cell phone etc.).



The idea is that even if a scammer in a remote area were to compromise your password, they would not be able to physically rob you of the phone.



It doesn’t actually matter who sends the message.
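The possession check this answer describes, together with the sender-spoofing point in the first answer, as an added example that is not from the page or from any of the answerers: a minimal server-side implementation of the outbound flow in Python. The SMS gateway callable (send_sms) and the phone numbers are assumptions; the code is random, short-lived, single use, attempt-limited and bound to the number it was sent to, which is what makes echoing it back prove possession in a way that an inbound message's self-reported sender field cannot.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # an issued code is valid for five minutes
MAX_ATTEMPTS = 5         # guesses allowed per issued code (6 digits -> ~10^6 to brute force)


class OutboundSmsVerifier:
    """Server-to-user flow: the server picks a random code, sends it to the claimed
    number, and treats the number as verified only if that exact code comes back.
    Only a device that actually receives SMS at the number can learn the code."""

    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(number, text): assumed SMS gateway hook
        self._now = now             # clock, injectable for tests
        self._pending = {}          # number -> [code_hash, expires_at, attempts_left]

    def start(self, number):
        code = f"{secrets.randbelow(10**6):06d}"          # CSPRNG, never sequential
        self._pending[number] = [self._digest(number, code),
                                 self._now() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(number, f"Your verification code is {code}")

    def verify(self, number, code):
        entry = self._pending.get(number)
        if entry is None:
            return False                                   # nothing issued for this number
        if self._now() > entry[1] or entry[2] <= 0:
            self._pending.pop(number, None)                # expired or exhausted: discard
            return False
        entry[2] -= 1                                      # every attempt counts, right or wrong
        if hmac.compare_digest(self._digest(number, code), entry[0]):
            self._pending.pop(number, None)                # single use
            return True
        return False

    @staticmethod
    def _digest(number, code):
        # Hash bound to the number: a leaked table reveals no live codes, and a code
        # issued for one number cannot be redeemed for another.
        return hashlib.sha256(f"{number}:{code}".encode()).hexdigest()
```

In production the pending table would live in a shared store with the same expiry, and the gateway hook would call the SMS provider's API.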



As the rest has been addressed, I will focus on one small point:



Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount



This is not how sending SMSes works. You typically do not have a number. You use a provider, such as clickatell.com. They give you an API, which you can use to send text messages. The actual cost typically depends upon the country, with developed countries generally being cheaper - but not upon how close they are to you.



You can typically choose your shown sender freely with such services, and this includes the familiar alphanumeric senders, such as Google. As you never expect a reply to 2FA messages, you don't really want a number.






Ah this is actually the other way around to what I was thinking of. If we wanted the user to send the SMS to us, we would need a number to receive it, and if it is not a local number for the user, it will likely be expensive.

– George Green
Sep 18 '18 at 12:49



Generally speaking, sending SMS to the user makes it easier for the customer. And all businesses want to make things easier for their customers. Consider the following cases:



Adding to Mike's answer, below could be another reason for not sending SMS from user to server.



By doing this you are opening the 'Inbound Interface' of your server and accepting connections from an untrusted network. This may be rated higher risk than sending SMS from the server, where you open only the 'Outbound Interface'.


