Start with the user entering the mobile phone verification code



Verifying that a user is who they claim to be is a necessary security measure for every system. In the mobile-first era, verifying users with a mobile phone (SMS) verification code is a method with a high safety factor. At present almost all Internet applications have enabled login by SMS verification code, and sensitive operations inside the application require an SMS code, a fingerprint, or even facial recognition to confirm the current operator's authority.

Setting other terminals aside and considering only the mobile app, if users frequently perform sensitive operations and a verification code has to be sent every time, the user experience is unfriendly and the SMS bill grows. In the app form, verifying the user can in fact evolve into verifying the validity of the device, that is, whether the current person is trusted on the current device.


The following discussion applies only to non-web (browser) environments. In a web environment a code comparable to a device label can in fact be generated from browser information.

Many systems have considered the concept of a secure primary device from the very beginning of their design, just like WeChat: if you open it on the same mobile phone, you do not need to log in every time. Device verification is an important part of every security system and should be considered at the start of system design. Back to the point: in many industries it is normal for users to frequently perform sensitive operations in the app. For example, in my online education industry, teachers often add students and teachers to a class (we treat these as sensitive operations). If the teacher had to request a verification code for every such operation, the interaction would be really unfriendly. To keep business operations secure while improving the interaction, we need to abstract the root of the problem.

The ultimate purpose of sending a verification code is to verify that the operator is who they claim to be, which sounds convoluted. In fact there are many ways to achieve this goal. Among them, the user trusted device is one category, and the mobile phone verification code is one way to establish a user trusted device. Specifically:

  1. If a user performs a sensitive operation on a device using the mobile phone verification code, the device is considered trustworthy for a period of time.
  2. If the user performs other sensitive operations on the trusted device within the validity period, no verification code needs to be sent.
  3. The user's sensitive operations can also be classified. Operations at the highest sensitivity level can only be performed by entering a verification code (such as resetting the password and logging in with a verification code). Operations at the general sensitivity level need no verification code within the validity period of the trusted device.


Based on the above, a user trusted device center can be abstracted during system design. It includes the definition of sensitive operations, the validity duration of trusted devices, and the definition of a trusted device (for example, a device that has passed verification-code checking can be defined as a valid device), and so on. With this design, SMS verification is only one way of validating the user's trusted device and can be completely decoupled from the specific business (except for operations at the highest sensitivity level). The service interfaces for general sensitive operations no longer need a verification-code parameter, so verification and service are truly separated. Isn't it beautiful?

After this abstraction, the user trusted device center essentially has only a few interfaces:

  1. Verify that the device is valid
  2. Set device is valid
  3. A way to make the device valid (e.g. SMS verification code)

Of course, your system must first have the concept of a device. Written as a few lines of code:

  1. Verify that the device is valid
     public async Task<int> CheckUserDevice(UserDeviceReq para)
  2. Set the device valid
     public async Task<int> SetUserDevice(UserDeviceReq para)
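The following is an added example, not the article's own code, showing how the trusted device center described above can be put together: the two interfaces (check and set), a trust validity window, the two sensitivity levels, and the gate a business endpoint would call. The class and member names, the in-memory store, the injected clock and the 12-hour window are all assumptions for the demonstration.

```csharp
using System;
using System.Collections.Generic;

// Sensitivity levels as the article classifies them (names are assumed).
public enum SensitivityLevel { Normal, Highest }

public sealed class TrustedDeviceCenter
{
    private readonly TimeSpan _trustWindow;   // how long a device stays trusted after SMS verification
    private readonly Func<DateTime> _now;     // injected clock so expiry can be exercised deterministically
    // (userId, deviceId) -> trust expiry. Trust is bound to the user+device pair, never the device alone.
    // In-memory for the demo; a real system would keep this in a shared store (e.g. a cache with TTL).
    private readonly Dictionary<(string UserId, string DeviceId), DateTime> _trusted = new();

    public TrustedDeviceCenter(TimeSpan trustWindow, Func<DateTime> now)
    {
        _trustWindow = trustWindow;
        _now = now;
    }
    // Interface 1: verify that the device is valid (trusted and not expired) for this user.
    public bool CheckUserDevice(string userId, string deviceId) =>
        _trusted.TryGetValue((userId, deviceId), out var expiry) && expiry > _now();
    // Interface 2: set the device valid. Call only after the SMS code has been validated
    // for this user on this device; that validation is the "way to make the device valid" (interface 3).
    public void SetUserDevice(string userId, string deviceId) =>
        _trusted[(userId, deviceId)] = _now() + _trustWindow;
    // Trust should be revocable (logout, password reset, suspected compromise).
    public void RevokeUserDevice(string userId, string deviceId) => _trusted.Remove((userId, deviceId));
    // Gate used by business endpoints: highest-level operations always need a fresh code;
    // normal sensitive operations skip the code while the device is trusted.
    public bool RequiresVerificationCode(string userId, string deviceId, SensitivityLevel level) =>
        level == SensitivityLevel.Highest || !CheckUserDevice(userId, deviceId);
}

public static class Demo
{
    public static void Main()
    {
        var clock = new DateTime(2024, 1, 1, 9, 0, 0, DateTimeKind.Utc); // constructed clock value
        var center = new TrustedDeviceCenter(TimeSpan.FromHours(12), () => clock);
        Console.WriteLine(center.RequiresVerificationCode("teacher-1", "device-A", SensitivityLevel.Normal));
        center.SetUserDevice("teacher-1", "device-A"); // after the SMS code was validated once
        Console.WriteLine(center.RequiresVerificationCode("teacher-1", "device-A", SensitivityLevel.Normal));
        Console.WriteLine(center.RequiresVerificationCode("teacher-1", "device-A", SensitivityLevel.Highest));
        Console.WriteLine(center.RequiresVerificationCode("teacher-1", "device-B", SensitivityLevel.Normal));
        clock = clock.AddHours(13); // trust window elapsed
        Console.WriteLine(center.CheckUserDevice("teacher-1", "device-A"));
    }
}
```

Because the business endpoint only consults RequiresVerificationCode, its request type needs no verification-code parameter, which is the separation of verification and service the article argues for.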
