Twilio has launched an SDK giving developers a new way to help their app users verify their identity. The cloud-based telecommunications company on Tuesday announced its Verification SDK, which uses Google’s API to simplify SMS permissions when checking phone numbers. It’s only available for Android apps; Twilio shifted the blame to Apple, saying that the company currently doesn’t support apps programmatically accessing iMessage or SMS.
While Twilio has long offered developers a way to enable stronger authentication, thanks to its acquisition of Authy more than two years ago, the addition of the Verification SDK perhaps offers an alternative to those who may find comfort in using a tool that has an integration with Google.
“Application security is a constant balance between securing accounts and ensuring a convenient user experience. Attackers can exploit applications that verify accounts solely with an email address,” wrote Simon Thorpe, Twilio’s director of product, in a blog post. “To combat this, developers are turning to utilizing phone numbers for initial sign ups, instead of the traditional username/password combination.”
He went on to explain that in Android apps, Google allows developers to request permission to automatically read SMS messages in order to verify a phone number and the user’s access to it. Once granted, the permission lasts for as long as the application is installed on the device. But this could potentially increase the risk of malware attacks that could ruin anyone’s day.
To overcome this, Google developed its SMS Retriever API. It grants permission to access the SMS message so phone numbers can be verified, but that’s it; nothing long-term. “It does this by allowing apps registered with Google Play Services to indicate what type of SMS they’re interested in. Google passes onto the application any SMS matching that description exactly, so a given application only has access to the SMS messages it needs for user verification,” Thorpe stated.
Google gains from this service because this makes its authentication protocol and API more accessible to developers beyond the United States and other established countries. Developers and users in areas where the cost of SMS can be high can now make their apps safer with this offering, assuming they hadn’t done so before with other means.
Alternatively, this might be a good thing for Twilio, especially in the enterprise, a market the company is actively working to court, where some IT departments may place some trust in using Google products for verification. The launch of the Verification SDK also comes on the eve of Twilio’s annual SIGNAL conference.