Recently, in one of our e-commerce projects, we implemented phone verification so that users have authentic accounts on our website. The requirement was one account per user, to avoid misuse of the offers our service provides in scenarios like signup, high-value purchases, referring a new user to shop at our site, plus other special offers.
So we decided to verify users by phone number, which seemed more reliable than email verification, since having multiple phone numbers is neither as easy nor as common as having multiple email accounts. We then chalked out a simple approach that turned out to be ineffective and needed a renovation.
The approach: save a phone number against a user, which he can verify later with the one-time verification code sent to his phone. On each verification request we then check that the phone number is not already verified against another account, so that there is one account per user. Things seemed to go well but didn't serve the purpose as expected.
During our revisit of the approach we found out that a user could still create multiple accounts. If you missed it too, here is how it goes:
Suppose a user, say Haitham, signs up with account A1 and verifies it with number N1. Once he needs another account to avail more offers, he can simply edit his number to, say, N2 and not verify it. Then he can create another account, say A2, and verify this new account using N1. In the application's use case of 'referring a new user to shop at our site', he could add himself as a referrer, using account A1 for A2. Hence the whole idea of fraud detection and prevention was defeated.
Don't associate a number with a user until the user verifies the number.
The simple change above solved our issue at every level.
Let's confirm and verify this for our friend Haitham.
So Haitham has created an account A1 and verified it with number N1. Following the same steps, Haitham now tries to update the number to N2, whose verification he silently ignores.
Here, at our end, we still have N1 associated with Haitham's account A1; we merely store a request for an update to N2, along with the code needed to verify it, for account A1.
Now Haitham confidently creates a new account A2 and tries to verify it with number N1, which our system does not allow because N1 is already linked with his verified account A1. So his new account is not verified, and hence he is restricted to only one account for his one valid number N1.
The only way Haitham can have two accounts for himself is to have two different numbers to verify his two accounts. Hence, a number per account.
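A minimal model of the corrected flow, added here as an example rather than the project's own code (class and method names are assumed): a number moves into an account's verified state only when its code is confirmed, and a request for a number already verified on another account is refused, so the walkthrough above ends with A2 unverified.

```python
import secrets

class PhoneVerification:
    """Added example, not the post's own code: a number is bound to an account
    only once its one-time code is confirmed, so an unconfirmed change request
    never releases the number the account was verified with."""

    def __init__(self):
        self.verified = {}  # account_id -> verified phone number
        self.pending = {}   # account_id -> (candidate number, one-time code)

    def owner_of(self, number):
        # account that currently holds `number` as its verified number, if any
        return next((a for a, n in self.verified.items() if n == number), None)

    def request_verification(self, account_id, number):
        """Step 1: record the request only; the verified number is untouched."""
        owner = self.owner_of(number)
        if owner is not None and owner != account_id:
            raise ValueError(f"{number} is already verified on another account")
        code = f"{secrets.randbelow(10**6):06d}"  # constructed 6-digit code
        self.pending[account_id] = (number, code)
        return code  # delivered by SMS in practice, never shown to the client

    def confirm(self, account_id, code):
        """Step 2: bind the number only when the code matches; ownership is
        re-checked because another account may have claimed it meanwhile."""
        entry = self.pending.get(account_id)
        if entry is None or not secrets.compare_digest(code, entry[1]):
            return False
        number = entry[0]
        owner = self.owner_of(number)
        if owner is not None and owner != account_id:
            return False
        self.verified[account_id] = number
        del self.pending[account_id]
        return True


def haitham_scenario():
    """Replays the post's walkthrough: A1 verified with N1, change to N2 ignored,
    then A2 tries N1. Returns (is A2 verified, A1's verified number)."""
    svc = PhoneVerification()
    svc.confirm("A1", svc.request_verification("A1", "N1"))
    svc.request_verification("A1", "N2")  # the code sent for N2 is ignored
    try:
        svc.request_verification("A2", "N1")  # refused: N1 still bound to A1
    except ValueError:
        pass
    return "A2" in svc.verified, svc.verified.get("A1")
```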
You can try any way to create two verified accounts with a single number and you are assured to land in a fix.
It was a simple and easy implementation to ensure account verification at our site, where we are trying to give away offers to new or special users, which in turn was being misused by some smart users out there.
Hope this comes in handy for user verification in your application. Please do drop in suggestions.