What are Botnets, and How Can Phone Verification Prevent Them?
Agile enterprises today need to guard against bulk account creation and spam, and botnets are often responsible for many instances of these two threats — in addition to other threats like DDoS. But what are botnets? A botnet is a network of PCs, servers, and devices that are infected and robotically controlled by malware, often without users’ knowledge.
Agile enterprises can step up their botnet prevention efforts by using a phone verification API. This helps mitigate bulk account creation, leading to the eradication of spam coming from their business domains. With phone verification, application developers are using what is arguably the best practice for ensuring that only real users create accounts.
Phone Verification: An Effective Defense
When it comes to the mobile user experience, phone verification is more effective than captchas or social logins for verifying that a live person is registering for an app account. Since most people have a mobile phone capable of receiving text messages with a one-time password, these can be easily read and entered into an application or account interface. In contrast, trying to read the distorted captcha image of a word and entering it into a relatively small data field can make even the most sharp-eyed individual squint and sometimes guess as to what the input should be. Captchas can also present accessibility challenges.
Conversely, using social logins to verify user identity can be easy — perhaps requiring only one click. But that ease of use comes at the expense of oversharing personally identifiable information, which could have consequences due to the General Data Protection Regulation (GDPR). In comparison, sharing a phone number can be a mostly anonymous process because it requires special access to a caller name database in order to confidently tie a person to a number.
Additionally, phone number verification is a virtually frictionless process. It requires the person to enter their mobile number to receive a one-time password via SMS. For users without a mobile phone, the one-time password can be sent to a legacy POTS line via an automated call. A computer-generated voice powered by text to speech reads the numerical code to the listener.
Once the user enters the code, the phone verification API confirms it is accurate before allowing account creation and application installation to proceed. If the code is incorrect, the user is asked to retry. If no retry occurs, the account creation and application installation processes can be canceled.
What are Botnets Doing That Puts Enterprises at Risk?
While botnets have been cited as an isolated threat to established and verified user accounts, they pose much more danger for new user accounts. For the agile enterprise, the risk is that botnets can exploit account creation fields by inputting random or generic usernames and passwords to create bulk accounts — which can end up hurting the enterprise’s reputation over time.
Even if these account creation fields are protected by captchas or social logins, given enough opportunities, brute force attacks can eventually succeed. On the other hand, account creation fields that are protected by phone verification are more effective because sending a one-time password to a mobile phone establishes a two-factor authentication (2FA) process.
With 2FA, a new account or app requires a user to verify their identity using two independent factors: their username or email address and their phone number. This works as well as it does because the IP and SMS channels exist in isolation, and it is virtually impossible to have both if the user is not in fact genuine.
Better Authentication for Agile Enterprises
In the long run, phone verification can aid agile enterprises. It has been shown to serve as an effective defense against botnets and their exploits for bulk account creation and spam. It also improves the user experience by making it easier to verify accounts and applications on mobile devices, especially compared to captchas and social logins.
Additionally, phone verification can serve in place of passwords on a general basis. By establishing a password-free authentication process, agile enterprises can further improve the user experience, enabling users to log in to applications without having to recall cumbersome passwords. Users can just tap the application on their phone, receive a one-time password via text, enter that code, and get immediate access to the app upon confirmation.
Removing this friction while still maintaining high security will encourage higher levels of application usage and positive word of mouth among the users’ friends and family. It also helps prevent botnets from exploiting the enterprise and risking its reputation. Phone verification is clearly a win-win for everyone — except for botnets.
