SMS verification in web application

Question

This is my first project related to SMS verification.

How to implement SMS verification in online ordering web application? For example:- when we try to reset the password in amazon's website, it sends an sms verification code and after entering the code it proceeds with changing the password. I want to implement the same function in my application, where users will place order, but before the final step it will send an sms verification code to the users mobile and verify the same.

The main requirement is SMS Gateway(Transactional Quality).

But as I'm completely new in this, so any idea how to proceed, or how can I implement it.

Answer 1

You don't need AJAX or anything other than using POST commands over a secure channel.

At a very high level these are the steps:

Step 1 - The signup page.

Utilize https for any signup pages that include sensitive information. Because the user will be sending their e-mail address and phone number this must be https.

1. Post the account information including the phone number in which the SMS should be sent to.
2. Create a random verification code
3. Store the verification code along with the new account sign up information
4. Send the SMS message with only the verification code

Then redirect the user to the verification page. This page only needs to accept the verification code. Remember that all you are doing is ensuring that the person that has access to the phone is also the same person with the account information. You can't stop someone from being malicious if they have someone else's phone. The phone is called "Something you have" in security terms.

Step 2 - The verification page

1. Post the verification code. This assumes you are using any one of the number technologies that tracks state through session ids.
2. Look up the account id in memory using the current session. This information should already be readily available. Then confirm that the verification code is the same one that is stored in the database. This isn't a password so I don't see a reason to hash this information. It's a one-user throw away code. It doesn't matter if someone else gets it later.
3. If the verification code matches mark the user as verified. Now you know that this account has access to a specific phone number.

I've included a rudimentary diagram for reference.

Answer 2

There are a number of cloud hosted SMS gateways, with a very simple api that you can implement your solution using. Twilio is the first that comes to mind, but there are others as well if you do a quick search for SMS Cloud API.

What's cool about twilio is that it also has a voice API with Text to Speech capabilities. So you can send an SMS or initiate a phone call with just a little change in code.