Why do apps with phone verification send the user a message, rather than have the user send one to them?

George Green 09/17/2018. 6 answers, 5.121 views
mobile multi-factor

Many apps allow the user to authenticate with their phone number, by having the user enter it, and then sending an SMS with a code to be entered into the app. Very few (if any that I can find still active), simply present the SMS interface, and have the user send an SMS with a verification code to the server. I can think of a few reasons for this, but none that really seem to rule it out for me:

  • Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount
  • A user may want to sign in on a device that does not have SMS capabilities, but can have the SMS sent to their phone instead [iPod/Tablet etc.] (this could be mitigated by allowing the user to use both inbound or outbound for verification depending on the device capabilities)
  • Users are very familiar with the receiving interface from other big name apps, and so it may feel more secure
  • Does sending an SMS seem "dodgy" a bit like old-school scams that ask you to send a message to a number?
  • It is not compatible with a desktop web version of the product

None of these seems like a real reason not to do it, but for some reason the big names like WhatsApp, SnapChat, Facebook etc. all seem to avoid it. Can anyone think of any major reasons to not do this, or have any insights as to why it is not more common?

6 Answers

Mike Scott 09/17/2018.

It's quite easy to send an SMS message that appears to come from the phone number of your choice without actually controlling that number. And so sending an SMS from a number doesn't verify your ID in the same way as receiving an SMS to a number.

Rohan Kandwal 09/17/2018.

Since no one has mentioned, sending SMS (by customer) does cost money, atleast in developing countries. Besides the validation server can be in a different country. Personally, I won't want to send a costly SMS to US from Japan. Since server sends SMS through 3rd party SMS providers, they don't have to face that much cost per SMS.

user121968 09/18/2018.

The point of text-message verification is to confirm possession of your phone, not to have you make contact.

Two factor authentication usually requires something you know (a password) and something you have (a security key, dongle, or your cell phone etc.).

The idea is that even if a scammer in a remote area were to compromise your password, they would not be able to physically rob you of the phone.

It doesn’t actually matter who sends the message.

vidarlo 09/18/2018.

As the rest has been addressed, I will focus on one small point:

Sending an SMS could cost the user, and without having local numbers for every country, it could cost a significant amount

This is not how sending SMSes work. You typically do not have a number. You use a provider, such as clickatell.com. The give you a API, which you can use to send text messages. The actual cost typically depends upon the country, with developed countries generally being cheaper - but not upon how close they are to you.

You can typically choose your shown sender freely with such services, and this includes the familiar alphanumeric senders, such as Google. As you never expect a reply to 2FA messages, you don't really want a number.

Kolappan Nathan 09/18/2018.

Generally speaking sending SMS to the user makes it easier for the customer. And all businesses want to make things easier for their customers. Consider the following cases:

  1. Entering a 4 to 8 digit (mostly) code is easier than entering a text and recipient mobile number in SMS app and sending it.
  2. In places where dual sim are more prominent a user might / might not have an SMS pack on the mobile number registered with the service.
  3. Some mobile operators disable ISD calls and international SMS by default and activate them only on request. If the user is using that operator's service and you have an international service, then you might lose a customer.
  4. Many old people can read SMS easily but has difficulty sending them (my grandma does).
  5. As you mentioned in your question, sending SMS costs money.

Sayan 09/18/2018.

Adding to to Mike's answer, below could be another reason for not to send SMS from user to server.

By doing this you are opening the 'Inbound Interface' of your server and accepting connection from untrusted network. This may me rated high risk than sending SMS from server, where you open only the 'Outbound Interface'.

HighResolutionMusic.com - Download Hi-Res Songs


Birthday Party flac

AJR. 2019. Writer: Adam Met;Jack Met;Ryan Met;Peter Ivers;David Lynch.
2 Loote

Your Side Of The Bed flac

Loote. 2018. Writer: ​Jesse Saint John;Jackson Foote;Emma Lov Block.

100 Bad Days flac

AJR. 2019. Writer: Jack Met;Adam Met;Ryan Met.
4 Joe Jonas

Longer Than I Thought flac

Joe Jonas. 2018. Writer: Patrick Nissley;Jackson Foote;Dave Katz.
5 Loote

Out Of My Head flac

Loote. 2018. Writer: Emma Lov Block;Michael Pollack;Jeremy Dussolliet;Jackson Foote.
6 Iselin Solheim

Anyone Out There flac

Iselin Solheim. 2019. Writer: Iselin Solheim;Max Grahn.
7 Loote

Wish I Never Met You flac

Loote. 2018. Writer: Jackson Foote;Alex Peter Koste;Jeremy Dussolliet;Emma Lov Block.
8 Kim Petras

Heart To Break flac

Kim Petras. 2018. Writer: Cirkut;Aaron Joseph;Dr. Luke;Jacob Kasher;Kim Petras.
9 A L E X

Out On The Trampoline At Night flac

A L E X. 2018. Writer: A L E X.
10 A L E X

I Want To Hold Your Hand flac

A L E X. 2018. Writer: A L E X.
11 A L E X

Field flac

A L E X. 2018. Writer: A L E X.
12 A L E X

Save Me flac

A L E X. 2018. Writer: A L E X.
13 Devin

Summer Lover flac

Devin. 2019. Writer: Tommy Lee James;Stuart Crichton;Oliver Heldens;Nile Rodgers;Devin Guisande.
14 A L E X

9 To 5 flac

A L E X. 2018. Writer: A L E X.
15 A L E X

Skirt flac

A L E X. 2018. Writer: A L E X.
16 Florian Picasso

Midnight Sun (Extended Version) flac

Florian Picasso. 2019.
17 Florian Picasso

Midnight Sun flac

Florian Picasso. 2019.
18 21 Savage

Enzo flac

21 Savage. 2019. Writer: YungLunchBox;Sheck Wes;Offset;Gucci Mane;21 Savage;DJ Snake.
19 Tales Of Ratatösk

Battle Of The Doomed Gods 320kbps

Tales Of Ratatösk. 2019.
20 Tales Of Ratatösk

Andro 320kbps

Tales Of Ratatösk. 2019.

Related questions

Hot questions


Popular Tags