This content originally appeared on Twilio Blog and was authored by Kelley Robinson
Silent Network Authentication (SNA) allows your business to seamlessly and securely verify users behind the scenes without any user input. This is an excellent solution for reducing friction while maintaining a strong level of security in your verification or authentication flows. Learn more about how SNA works behind the scenes here.
This blog post will dive into how to handle implementation details, manage edge cases, and scale the solution globally.
Prerequisites for building with SNA
Before you can start scaling, you need to do the following:
- Complete the carrier registration form to start the 2-4 week approval process.
- Create a Verification Service in the Twilio Console
- Start a new verification with SNA
After you complete those three steps, the rest of this document will help you manage situations outside the common happy path.
Force mobile data for SNA inside your mobile app
Because SNA relies on cellular network authentication, invoking the sna.url must be done on mobile data, not WiFi. The API will throw Error 60531 if you try to request the sna.url on WiFi. You can force this in your mobile app.
For iOS, use the iOS library* to force mobile data for the request. The library also provides custom errors, network validations, and multi-threading support. If necessary, you can also reference this Objective C function code on GitHub (here's an example of calling that code from Swift).
For Android use the Android library* or reference the following sample code using requestNetwork to force mobile data for the request:
// or use the SDK: https://github.com/twilio/twilio-verify-sna-android
@TargetApi(Build.VERSION_CODES.LOLLIPOP)
public static void doAPIonCellularNetwork(Context context, final String url) {
ConnectivityManager connectivityManager = (ConnectivityManager) context.getSystemService(CONNECTIVITY_SERVICE);
NetworkRequest request = new NetworkRequest.Builder()
.addTransportType(NetworkCapabilities.TRANSPORT_CELLULAR)
.addCapability(NetworkCapabilities.NET_CAPABILITY_INTERNET).build();
connectivityManager.requestNetwork(request, new ConnectivityManager.NetworkCallback() {
@Override
public void onAvailable(final Network network) {
OkHttpClient okHttpClient = new OkHttpClient.Builder().socketFactory(network.getSocketFactory()).build();
Request request = new Request.Builder()
.url(url)
.build();
try {
Response response = okHttpClient.newCall(request).execute();
Log.i("", "doAPIonCellularNetwork RESULT:\n" + response.body().string());
} catch (Exception ex) {
ex.printStackTrace();
}
}
});
}
*reach out to request access while the libraries are in Pilot. Open source Beta access expected in 2023.
Follow redirects
When you invoke the sna.url, the documentation tells you to follow all redirects. The reason for this is that each carrier has slightly different redirect handling, so we built our API to obfuscate the differences so you experience consistent behavior with one interface.
You can find the redirect URL in the location header of the sna.url invocation response.
In pseudo code this would look like:
while response status == 3xx:
get redirect URL from location header
then
visit redirect URL
Note that some carriers can have multiple redirects.
Use edge locations in certain regions
Regulators in EMEA require that all data remain within the region. Therefore, Twilio has separate API URLs for edge locations. As we expand to new regions, this list of data resident regions may grow.
Learn more about Twilio Regions in the documentation or contact us for regional implementation in India and Indonesia.
Handle dual SIM
Phones in certain countries like Brazil, India, and the Philippines often have multiple SIM card slots. There are two typical reasons why users take advantage of this. The solution for both scenarios is the same.
Scenario 1: Users rotate secondary data SIM
Users choose one mobile operator SIM for their voice calls. This phone number is associated with the user’s identity and is the number they give to friends and family. This SIM is in slot #1.
For slot #2, the user chooses the data plan with the lowest price. The user may change this data SIM often when there are new promotions. The user never knows the phone number associated with the phone number in slot #2.
The issue in this scenario is that Silent Network Auth uses the data network to authenticate the active phone number (possibly from slot #2), while the user has provided the phone number associated with their identity, which may be the phone number from the SIM in slot #1.
Scenario 2: Users rotate primary phone number SIM
Similarly to Option 1, some mobile operators offer promotions where calls to phone numbers on their network are free, so the user may maintain voice SIMs from multiple MNOs and give out the corresponding phone number to friends and family on the same network. The user knows all of the phone numbers associated with their SIMs.
The issue in this scenario is that the user could sign up with any one of their phone numbers and it is possible that it is not the one associated with the active data network.
Solution: for both scenarios, our solution is to get the service provider from the user-provided phone number and compare that against the service provider from the IP address of the data SIM. If the service providers do not match, then we confirm a dual SIM and send one of the following errors back to your application:
Deal with out of coverage and fallback to other channels
While some scenarios have fallback options to make SNA work, all have the option of falling back to other channels offered by the Verify API like WhatsApp or SMS.
These are the most likely situations where SNA may not work.
1. The user is on a desktop device
Because desktops do not use mobile data, either fallback to another channel or follow the instructions here to direct a user to a mobile device from the desktop via a QR code or by sending the user a link in an SMS.
2. The user is on Wi-Fi in a mobile browser
Ask the user to turn off Wi-Fi or fallback to another channel. You will likely see Error 60531 in this case.
3. The user's cellular network is not covered by SNA
Fallback to another channel.
SNA FAQ
What are the best practices for error handling?
Always check the error code on the API response at each step. SNA errors begin with 605xx and will describe recommended actions in the error code response.
Where does SNA work?
Twilio Verify SNA is live in 30 countries, including the US, Canada, UK, Germany, France, Spain, India, Indonesia and more. Reach out to learn more about our coverage.
How long does SNA take?
2-4 seconds.
The main source of latency for SNA is invoking the sna.url on the device. This step usually takes around 2-3 seconds but may take up to 4 seconds. This is where Twilio is making a request directly with the carrier to confirm the data session is live.
You may receive Error 60519 if you try to check the verification status before the carrier verification is complete.
The additional API requests to obtain the sna.url and check the verification each take less than 100ms.
How much data is sent with the sna.url invocation?
40 bytes.
What is the TTL of the sna.url?
15 seconds by default but this can be configured.
What triggers a billing event for SNA?
Verify SNA is currently in Pilot and not billed. When the product reaches Beta, you will be billed after you have invoked the sna.url and the verification is approved or you receive an error code of 60500 (SNA Phone Number Mismatch) or 60540 (SNA Carrier Identified Invalid Phone Number). Other errors will not be billed.
Does SNA work with spoofed phone numbers?
No. The request will fail with the service provider when they perform the underlying GSM authentication.
Other considerations for SNA
Silent Network Auth is a great frictionless authentication solution for your application. We also recommend adding fallback options to other channels
For further reading we recommend:
If your question wasn't answered by this document, please get in touch. We can't wait to see what you build!
This content originally appeared on Twilio Blog and was authored by Kelley Robinson
Kelley Robinson | Sciencx (2022-10-12T01:00:50+00:00) Best practices for implementing Silent Network Authentication in production. Retrieved from https://www.scien.cx/2022/10/12/best-practices-for-implementing-silent-network-authentication-in-production/
Please log in to upload a file.
There are no updates yet.
Click the Upload button above to add an update.