Congratulations! You’ve made the decision to protect your brand and your Web and mobile app account users from fraud through phone verification. This is a vital account security step that not only helps reduce fake users and registration fraud but also provides a method for preventing account takeover with two-factor authentication (2FA). But because this value isn’t always obvious to end-users, it’s important to make sure they fully understand you’re presenting phone verification as a security option…and one that benefits them the most.
To help ensure the best overall user experience—one that promotes general security awareness and can ultimately increase end-user adoption and conversion—we’ve compiled a list of the top 10 best practices to incorporate into your user interface (UI) when implementing phone verification at new account registration.
1. Explain Why Their Phone Number Is Required
We all like to know why we have to do something and it makes us feel better to know there is a good reason. You should clearly explain that their number is required in order to verify their identity and securely complete their registration. The terminology will depend on the use case, but one example is: “Please take a moment to verify your phone number. This helps us confirm your identity and secure your account.” You can do this within the registration experience or, depending on device (mobile or desktop), offer a “further information” link/pop up option (which could also include a Privacy Statement that describes more fully that SMS messages or voice calls may be directed to the number for verifications).
2. Let Them Choose How to Receive the Verification Code
Offer end-users the ability to choose how they would like to receive the verification code, either via SMS or voice. Reasons for this include:
- Personal communication preference
- Certain users do not have unlimited SMS message plans and are charged per SMS message received
- In certain countries, SMS may not be as reliable as voice due to older infrastructure, political unrest, etc.
- Certain demographics may prefer not to use SMS
3. Explain Next Steps
It’s best to describe what the end-user can expect at each step of verification. For example, on the screen where the end-user confirms sending the verification code, it is recommended that you add text such as “We will send you a one-time verification code.”
4. Do Not Use the Term “PIN Code”
When describing the one-time-passcode (OTP) step of the process, use “verification code” or “one-time verification code” (instead of “PIN code”) to emphasize the purpose. “Verification code” implies an OTP that is limited to the instance, whereas “PIN” is often a recurring identification code such as for a bank ATM card.
5. Add Disclaimer Language
Include a statement like “message and data rates may apply” so the end-user is aware of all potential costs with phone verification.
6. Assist With Number Formatting
When requesting their phone number, separate the country code from the phone number field. This reduces the chance of an end user entering an improperly formatted phone number (for example, entering the country code twice). We suggest displaying the country in one of two ways:
- Display the country name with the country code for the end-user to select from a drop down
- Auto-populate the country code based on the country name selected
(Note: TeleSign’s phone number cleansing system, which auto-corrects improperly formatted phone numbers, is applied to every transaction to ensure the highest deliverability possible. However, TeleSign still recommends the noted formatting to encourage the end-user to enter their phone number correctly.)
7. Offer Language Preference
Allow the end-user to choose which language they would like to receive the message in. An end-user’s country does not always correlate to a specific language, as they may prefer a language that is not native to that country.
8. Offer Support
When a user enters a number improperly, uses a number that is identified as risky, or provides a landline that cannot receive an SMS message after selecting SMS, first re-prompt them to enter a “valid” number. Also limit the number of times an end-user can request a verification code and/or offer manual support, such as contact information for customer support or a link to a “Help” page.
9. Offer a Backup Messaging Method
As a backup to the default option, also give the end-user the option to retry sending the verification code through another method (after a specified amount of time, such as 45 seconds). For example, if you are only offering SMS, provide the end-user the option to resend the verification code by voice.
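The limits in practices 8 and 9 belong on the server, where a client cannot skip them. The following is an added example, not TeleSign's code: it counts code requests per phone number, holds resends and channel switches for the 45 seconds mentioned above, and hands the user to support once the cap is reached. `MAX_SENDS`, `WINDOW_S` and all class and function names are assumptions made for illustration.

```python
from dataclasses import dataclass

BACKUP_DELAY_S = 45     # wait before a resend or channel switch (the page's example value)
MAX_SENDS = 3           # assumed cap on codes per number per window
WINDOW_S = 3600         # assumed window length in seconds
CHANNELS = ("sms", "voice")

@dataclass
class Decision:
    action: str              # "send", "wait" or "support"
    channel: str = ""
    retry_after: int = 0     # seconds until a resend is allowed

class CodeRequestPolicy:
    """Server-side gate for verification-code requests, keyed by phone number."""

    def __init__(self):
        self._sends = {}     # phone -> send timestamps still inside the window

    def request(self, phone, channel, now):
        if channel not in CHANNELS:
            raise ValueError(f"unsupported channel: {channel}")
        # Drop sends that have aged out of the window, then apply the limits.
        recent = [t for t in self._sends.get(phone, []) if now - t < WINDOW_S]
        self._sends[phone] = recent
        if len(recent) >= MAX_SENDS:
            # Stop sending and route the user to customer support or a Help page.
            return Decision("support")
        if recent and now - recent[-1] < BACKUP_DELAY_S:
            wait = int(BACKUP_DELAY_S - (now - recent[-1]))
            return Decision("wait", channel, wait)
        recent.append(now)
        return Decision("send", channel)

def demo():
    """Constructed session: SMS, early retry, voice backup, another SMS, then the cap."""
    policy = CodeRequestPolicy()
    phone = "+15555550100"   # constructed sample number
    steps = [(0, "sms"), (10, "voice"), (45, "voice"), (100, "sms"), (200, "sms")]
    return [policy.request(phone, ch, now) for now, ch in steps]

if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

Keying the counter on the phone number rather than on the browser session means that opening a new session does not reset the limit.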
10. Once Verified, Complete Account Creation
Following the recommendations above should lead to an end-user successfully receiving and then correctly re-entering their verification code into your Web or mobile registration flow. Once confirmed, the end-user can then complete their account by entering their first and last name and then, mission accomplished! The user is in quickly and painlessly, and there is a verified unique identity associated with the account. Many online and mobile apps streamline the registration process and then collect additional information on the account over time, when it is most convenient for the user.
Many of the world’s largest online and mobile properties use phone verification to help prevent fraudulent activity and protect end-user accounts. See how they have implemented it by checking out the tutorials on Turnon2FA.com.