At its I/O this year, Google introduced their SMS Retriever API–a new way to automatically retrieve one-time passcode (OTP) SMS messages on supported Android devices without the need for specific user permissions. TeleSign now supports this in our App Verify Android SDK.
This new SMS-based verification mode, “AutoSMSVerificationUsingRetriever”, relies on Google Play services (10.2 and newer) to provide the SMS content (verification code) to the application. For production apps, an 11-character hash needs to be set in your TeleSign account.
Why Use This Mode? Better UX, Increased Security & Higher Conversion Rates
“64% OF BUSINESSES CHOOSE SMOOTH AND EASY REGISTRATIONS OVER SECURITY” – TeleSign’s Fraud Report
TeleSign customers who utilize this mode for Android-based phone verification can now provide a better user experience with less friction since end-users do not need to read and enter an OTP or provide RECEIVE_SMS permissions. At the beginning of the verification process, users enter their phone number and the combination of TeleSign’s App Verify SDK and Google’s SMS Retriever API takes care of the rest. It’s a complete automated phone verification process. One significant advantage of this verification mode with lower friction is that customers might be able to see increased conversion rates for user sign-up and registration scenarios.
Enhanced security is also a benefit as Google Play Services only provides access to the SMS message to the targeted application based on the application hash inside the message.
Moreover, AutoSMS verification using Retriever takes advantage of the same robust backend framework Telesign is known for to validate the request, detect fraud, intelligently route to the end-user’s mobile device and confirm verification status.
What Else Should I Know?
- In order to check if this verification mode using retriever is supported, our SDK contains the helper function PermissionUtil.hasSmsRetrieverRequirements(), which verifies if the device/application has the required Google Play services to support AutoSMS verification using retriever.
- Google Play services might not be available in certain regions and devices. If the required libraries check fails, you can still request permissions from the end-user to perform the legacy “AutoSMSVerificationUsingPermissions”.
- If you’re using a developer certificate for testing, the application hash value would need to be updated every time a different developer certificate for building the app is used
- Mobile devices can be vulnerable to malicious attacks and communication from the mobile device can possibly be compromised. To be confident about final verification results, it is important to perform GetStatus check using xid against Telesign’s servers.
- This verification mode is only available for Android, not iOS. For iOS phone verification, developers should use our App Verify iOS SDK
To get started today, sign up for a free account in our self-service portal.