Building a modern user auth workflow

DevRel | 29 Jun 2023
7 minutes reading time

man looking at code on a screen with woman in the background

The joke goes that, on the internet, no one knows you’re a dog. But even if connected pets can be ruled out, verifying identity remains hard and vitally important. Thanks to compromised password databases, AI-driven bots, and ever more sophisticated phishing scams, it is more difficult than ever to be sure of someone's online identity.

There will always be doubt, it is the nature of the game. However, there are ways to reduce the uncertainty. This blog post will look at some of those techniques and how they can help you to build a more robust way of confirming user identity. First, let's go over some basics.

The stages of user identity verification

All user authentication requires a combination of something the user:

  • knows (such as a password), 
  • has (perhaps a mobile device) or
  • is (their fingerprint, for example).

Some applications ask for just one, while others want all three. Choosing the right method of user authentication becomes a story of just how confident you need to be about the user’s identity on one side and balancing engineering effort and user experience (UX) friction on the other.

There are six broad stages of user identification, each offering a different balance between convenience and certainty. Let’s take a look at them:

  1. Usernames and passwords: It goes without saying that just about every computer user is comfortable with usernames and passwords. No wonder, as they’ve been around since the early 1960s. They’re easy for everyone, including malicious actors.
  2. Two-factor authentication (2FA): Boosting the security of usernames and passwords, 2FA asks the user to provide another form of identification, usually in the form of something they have. Commonly that’s a code, also known as a One Time Password (OTP), sent to a mobile device by text message or generated in an app. End users are increasingly accustomed to 2FA, but it introduces some friction.
  3. Multi-factor authentication (MFA): Like 2FA, MFA aims to reduce reliance on just one type of auth. On top of a code sent by SMS, for example, MFA might ask the user to present a smart card or other form of cryptographic ID. The trade-off is that multi-factor authentication takes more time and effort from both the user and the developer.
  4. Biometric authentication: For most everyday applications, this is as sophisticated as user authentication gets. Using physical characteristics such as fingerprints, facial recognition, or voice recognition, biometric authentication is increasingly common with popular mobile manufacturers integrating it on their devices. It’s relatively low friction for the end user but requires specialist hardware. 
  5. Behavioural biometrics: Each person has their own way of typing, moving the mouse, and otherwise navigating software. One way of confirming a user’s identity is to capture that pattern and then compare it to how the current user behaves. This offers an additional layer of confidence but takes substantial engineering effort and data preparation.
  6. Continuous authentication: Verifying someone’s identity once is good enough for most applications. But there are times when there’s an incentive for someone to impersonate the user following the initial auth flow, such as during an online exam. Continuous authentication uses a combination of biometric and behavioural data to continuously monitor a user's activity and confirm their identity in real-time. The impact on the end user is relatively low but it does take much more engineering effort.

For most consumer and business applications, some form of 2FA has been enough up until recently. It reduces the likelihood that a compromised password or a stolen device could give the wrong person access to an account. But hackers are becoming both more determined and sophisticated. With MFA, a device that almost every user has, i.e. a mobile phone, can be used to deepen our confidence in who they are.

One time passwords that require manual intervention

Continuous authentication could be implemented for everything. But for most scenarios it’s overkill. What is needed is a way of determining user identity that is good enough for the current application.

In most cases, 2FA and MFA provide enough confidence with relatively little additional engineering effort, when compared with more advanced approaches. But there’s plenty of room for improvement in how those additional authentication factors are handled.

Sending OTPs by SMS, for example, is well understood by users and it’s relatively inexpensive, which makes it a good choice for many situations. However, they still have issues, such as:

  • Fetching and entering the SMS code interrupts the user’s flow.
  • Malware on devices could request and intercept codes, enabling malicious actors to hijack codes without the user's knowledge.
  • Social engineering attacks, such as an attacker convincing the user to give permission to swap their phone number to an account under criminal control.

That’s not the end of the story for MFA, though. Vodafone, as a mobile operator, already know the identity of each device that connects to their network. It turns out that that is one way for MFA to be both more reliable for developers and easier for end users.

Verifying a user’s identity

Every cellular device in use today has a SIM (Subscriber Identity Module) card at its heart. Whether that is an eSIM or the traditional physical version, the SIM is a separate computer in its own right. Importantly for user ID, the SIM is cryptographically secure meaning it is near impossible for such a card to have its identity spoofed.

Operators rely on this to link a person’s mobile device with their account. With its Number Verify API, Vodafone is making that ability available to software developers. Here’s how it works:

  1. A person launches a mobile app and starts registering a new account.
  2. They input their mobile number.
  3. The app calls the Number Verify API, providing the number entered by the new user.
  4. At the network level, Vodafone probes the device SIM to check wether it matches the provided phone number, essentially checking if the number used by the device to access the app is the same as the one provided by the new user.
  5. The Number Verify API returns a true or a false result.

Apart from providing their mobile number, the app user does not need to take any additional action for the process to take place. That makes it harder for social engineering attacks to work while reducing UX friction. And because it happens at the network level, relying on the cryptographic security of the SIM, it is out of reach from most bad actors, making it difficult to impersonate.

Though, if someone is using a friend's device, but their own mobile number, the flow above will return false. This could turn into bad UX, but Vodafone has more tools at the developer's disposal to help with that.

Building a user identity confidence score

Number Verify is just one of the pieces needed to build the full picture of a user's identity. If the result comes back as false, that’s not necessarily a reason to refuse access. Instead, most developers take it as a signal to ask the user for more information, often known as a step-up.

Instead of relying on a single aspect of a user's identity, MFA is about using different methods to gauge how confident you can be in whether that person is who they say they are. Vodafone can help in two ways:

  • Checking information that Vodafone holds on them as a subscriber (in a GDPR compliant way, naturally).
  • Using network information to get a better idea of who is in control of the user’s device.

two ticks and a cross above the UI screens
Vodafone's Number Verify, Match, and Number Recycle APIs can be used to help verify someone's Identity

If a developer is checking someone’s identity when they register into their app, Number Verify API tells them if the device's phone number matches the one entered by the user. But if you want to go deeper into the verification, Vodafone’s SIM Swap API can tell you when the number was last swapped or ported from another provider. Similarly, the Number Recycle API can tell you when that number was last recycled from one user to another.

Coloured bars to show levels of confidence

By themselves, neither of those tells you the full story but they help to build the puzzle. If the SIM was recently swapped, for example, you might ask further authentication questions.

Build your own user identity confidence score

Vodafone’s suite of identity APIs are now available to try for yourself. Sign up on the Vodafone Developer Marketplace to get started. You can also reach out to us with questions or suggestions and someone from the team will get back to you.

About Vodafone

Our purpose is to connect for a better future and our expertise and scale gives us a unique opportunity to drive positive change for society.