Twilio’s New SMS Verification SDK Uses Google To Verify Phone Numbers

Twilio CEO Jeff Lawson waves an API flag outside the New York Stock Exchange ahead of his company's IPO. Photo credit: Twilio

Twilio has launched an SDK giving developers a new way to help their app users verify their identity. The cloud-based telecommunications company on Tuesday announced its Verification SDK, which uses Google’s API to simplify SMS permissions when checking phone numbers. It’s only available for Android apps; Twilio shifted the blame to Apple, saying that the company currently doesn’t support apps programmatically accessing iMessage or SMS.

While Twilio has long offered developers a way to enable stronger authentication, thanks to its acquisition of Authy more than two years ago, the addition of the Verification SDK perhaps offers an alternative to those who may find comfort in using a tool that has an integration with Google.

“Application security is a constant balance between securing accounts and ensuring a convenient user experience. Attackers can exploit applications that verify accounts solely with an email address,” wrote Simon Thorpe, Twilio’s director of product, in a blog post. “To combat this, developers are turning to utilizing phone numbers for initial sign-ups, instead of the traditional username/password combination.”

He went on to explain that in Android apps, Google allows developers to request permission to automatically read SMS messages in order to verify phone numbers and the user’s access to them. Once granted, the permission lasts for as long as the application is installed on the device. However, this could potentially increase the risk of malware attacks that could ruin anyone’s day.

To overcome this, Google developed its SMS Retriever API, which fixes the previous state of affairs. It grants access to the SMS message so phone numbers can be verified, but that’s it: nothing long-term. “It does this by allowing apps registered with Google Play Services to indicate what type of SMS they’re interested in. Google passes onto the application any SMS matching that description exactly, so a given application only has access to the SMS messages it needs for user verification,” Thorpe stated.

Google’s SMS Retriever API flow. Photo credit: Twilio/Google
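
A simplified model of the scoping Thorpe describes, as an added example that is not code from Twilio, Google or the original article. It assumes the app-hash scheme from Google's SMS Retriever documentation (an 11-character string derived from the package name and signing certificate, carried in a message of at most 140 bytes); the package names, certificate bytes and messages are constructed.

```python
import base64
import hashlib

MAX_SMS_BYTES = 140  # size limit Google documents for verification messages
HASH_CHARS = 11      # length of the app hash string


def app_hash(package_name: str, signing_cert: bytes) -> str:
    """Derive the string that ties a verification SMS to one app.

    SHA-256 over "<package> <hex of signing certificate>", truncated to
    9 bytes, base64-encoded, first 11 characters kept.
    """
    material = f"{package_name} {signing_cert.hex()}".encode()
    digest = hashlib.sha256(material).digest()[:9]
    return base64.b64encode(digest).decode()[:HASH_CHARS]


def deliverable_to(sms_body: str, package_name: str, cert: bytes) -> bool:
    """Simplified filter: size limit plus an exact app-hash match."""
    if len(sms_body.encode()) > MAX_SMS_BYTES:
        return False
    return app_hash(package_name, cert) in sms_body.split()


# Constructed sample data: both apps and all messages are invented.
BANK = ("com.example.bank", b"constructed-cert-bank")
FLASHLIGHT = ("com.example.flashlight", b"constructed-cert-flashlight")


def build_inbox():
    return [
        f"Your Example Bank code is 482913 {app_hash(*BANK)}",
        "Mum: dinner on Sunday?",
        "Other service: your login code is 771204",
    ]


def visible_messages(inbox, app, broad_sms_permission=False):
    """Messages an app can read under each permission model."""
    if broad_sms_permission:  # READ_SMS-style grant: the whole inbox
        return list(inbox)
    return [m for m in inbox if deliverable_to(m, *app)]


if __name__ == "__main__":
    inbox = build_inbox()
    print("bank app, scoped:      ", visible_messages(inbox, BANK))
    print("flashlight, scoped:    ", visible_messages(inbox, FLASHLIGHT))
    print("flashlight, broad read:", visible_messages(inbox, FLASHLIGHT, True))
```

Under the scoped model the second app sees nothing, including other services' login codes, while the broad grant exposes the entire inbox for as long as the app stays installed.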

Google gains from this service because it makes its authentication protocol and API more accessible to developers beyond the United States and other established countries. Developers and users in areas where the cost of SMS can be high can now make their apps safer with this offering, assuming they hadn’t already done so by other means.

Alternatively, this might be a good thing for Twilio, especially in the enterprise, an area the company is actively working to court, where some IT departments may have some trust in using Google products for verification. The launch of this Verification SDK also comes on the eve of its annual SIGNAL conference.
