The Most Common Issues You’ll Encounter When Trying to Implement SMS Verification In-House

SMS verification is really difficult to implement in-house -- don't do it yourself when you can use RingCaptcha!

These days, it is becoming very common to see new trendy apps implementing SMS verification in the app store arena.

Why is that? Simple, they understand that SMS verification is key to providing users with a better onboarding experience and building an app that grows in a healthy, sustainable way.

Developers use SMS for onboarding new users, often right from the landing page, and it’s also used to make sure that each of an app’s users are real people, and not fake.

But, after implementing this process ourselves with generic messaging gateways, we found the SMS verification process is incredibly clunky.

Carrier issues, fraudsters and even your users are getting in the way, and until now, the solutions offered were merely Band-Aids.

Even the Big Guys

What may surprise you is that even the big guys often can’t handle SMS authentication correctly. Like Telegram Messenger Tweeted, “The SMS gateways we use to send registration codes are overloaded and slow — 100 SMS transmissions per second is too much. Trying to find a solution.”

So what’s left for developers with limited resources focused on specific product features — could the onboarding process handle that level of growth overnight?

That’s the story of how RingCaptcha was born. Here are some of the issues and hardcore details of the SMS verification loop we faced while building RingCaptcha — that you should take into account before doing it yourself.

SMS Reception

Developers place a significant focus on scalability, and for good reason — if your app can’t handle new users, it’s game over. So, focusing on scalability is great, but you can’t forget that when it comes to new user onboarding, and specifically user verification, it’s all about the SMS.

SMS reception can be a tricky nut to crack, because typically it’s difficult to tell if the SMS was received at all. Let’s look at the primary issues that you will face if and when you implement SMS verification on your own.

SMS, in essence, is a delivery service that is not guaranteed by the carriers and they use this to excuse their lack of interest in fixing the multi-layer problem that is SMS reception.

You can’t trust the data you receive from the carriers -– sometimes SMS reception is confirmed by the carriers when the new user did not, in fact, get the SMS.

Looking at the device is the only real way to know if your SMS was received, and that’s just not feasible. With more than 1,000 carriers worldwide, no app developer can afford the resource drain that this method would entail.

User Errors and Carrier Blocking

While there are a variety of places and processes where SMS reception can break down, most of your problems will be due to user error and carrier blocking.

User error encompasses several of your most challenging issues with SMS reception. Device connectivity on the user’s end can cause a variety of issues –- is the phone in a good service area? Is it turned on? Is the phone in question an SMS-enabled phone?

And then there’s the user error that pertains to the actual typing in of the phone number. Is it in the correct format? Have they included the country code (or not included it), according to the carrier rules (that they probably don’t understand)?

Carrier Blocking is another conundrum, and the reason for blocking may even be difficult to pinpoint. Your message may be flagged as abusive — spam, violation of country or carrier standards or even because you are using a spoofed alphanumeric “BrandX” ID. If the SMS is sent internationally, it may be bulk blocked by the carrier.

Whatever system you design must take into account the unreliability of the carrier success messages, the individual country regulations, each carrier’s quirks and user error if you’re to end up with a solution that comprehensively solves 2-Step verification.

Scams and Fraud

After you’ve ironed out the intricacies of sending and confirming receipt of the SMS verifications, now let’s talk about the people who exist to ruin all your hard work – scammers and fraudsters.

For several reasons, it’s important to make sure each user is a real person. For one, you can’t build a thriving community when a significant portion of your community exists for nefarious purposes. But, of equal importance is that spammers cost you money -– so it’s vital to make sure that your users are real people.

As you probably know, fake user accounts set up in bulk are a frequent tactic of fraudsters. Some of RingCaptcha fellow devs have reported that a bunch of their fraudsters were using services like Free SMS Online or VoIP phone equivalents (such as Skype and Google Voice) to trick their verification systems. If you fail to tackle spammers and fraudsters, they can bombard you with registrations that cause your systems to send out multiple, spam-like SMSs. Throttling systems built early on can prevent this from happening, but that is often only obvious in hindsight.

Losing money due to spammers and fraudsters is more than frustrating; it can be the kiss of death for your app’s growth. For this reason, it’s vital that user verification works, from the outset.

Insights That Won’t Help You Grow

After you put the effort into solving SMS reception and gotten ahead of the spammers, insights is your final hurdle – and it’s another tricky one.  While your web analytics can give you a great number of important details, understanding SMS delivery is a whole different ballgame.

Each carrier can offer you some level of information, though much of it is based on their definition of delivery, which likely differs from yours.  There is some useful intelligence there if you’re willing to cull it. Even so, this information is siloed at the carrier level.

Unless you have the bandwidth to roll this data up into a meaningful dashboard, making sense of the data is difficult.But it’s important to spend some time thinking through this, admittedly, hefty project. Informed decisions are ones that are based on solid intelligence: latency insights, a detailed breakdown in conversion rates, app downloads and more.

Generic Messaging APIs, like Twilio are great, but messaging APIs like this focus on just one layer of abstraction above telcos. Thoughtful user onboarding and authentication has to take all of the above issues into account, including blocking fake users, tracking verification rates in real-time, and even understanding users enough to predict the phone number they meant.

If after reading this story, you realized you don’t want to waste your time on these issues and focus more on your product, start leveraging RingCaptcha with its two-step simple integration.  RingCaptcha makes SMS authentication easy.