User Interface Best Practices
To help ensure the best overall client and user experience, here is a compiled list of the top best practices to incorporate in your user interface (UI). It is important to make sure your end user fully understands that you are presenting phone verification as a security option. This makes the user experience more seamless and promotes general security awareness, which can ultimately increase end user adoption and conversion. These are recommendations only and are not required in order to implement and deploy TeleSign services.
Best practices are discussed in the following sections:
- Always explain why phone verification is required and important. The terminology will depend on the use case, but one example is: “Account verification helps prevent account takeover or compromise and allows for a quick and safe account recovery."
- Add language to reinforce that the phone number, and the subsequent SMS message or voice call, are being used for security purposes only and not for non-security related purposes. The language could be something such as, “Your phone number will not be used for any purpose other than phone verification, account recovery, or account security issues."
- Use the term “verification code” or “one-time verification code” (instead of PIN code) to emphasize the purpose. A verification code is a one-time numeric passcode limited to that single instance, whereas a PIN is often a recurring identification code, such as the one for a bank ATM card.
- Offer mobile phone users the ability to choose how they would like to receive the verification code, either via Voice or SMS. Reasons for this include:
  - Personal communication preference.
  - Certain users do not have SMS message plans and are charged per SMS message received.
  - In certain countries, SMS may not be as reliable as Voice due to older infrastructure, political unrest, etc.
  - Certain demographics may not prefer to use SMS messages.
- If the end user chooses the voice option for phone verification, add instructional messaging advising them to make sure their voicemail is protected with a PIN/passcode. A PIN on voicemail further protects any recorded message containing the verification code and adds extra personal security in general.
- Add disclaimer language such as “message and data rates may apply” so the end user is aware of all potential costs of phone verification.
- Separate the country code from the phone number field. This reduces the chance of an end user entering an improperly formatted phone number (for example, entering the country code twice). We suggest displaying the country in one of two ways:
  - Display the country name with the country code for the end user to select from a drop-down.
  - Auto-populate the country code based on the country name selected.
TeleSign’s phone cleansing system, which auto-corrects improperly formatted phone numbers, is applied to every transaction to ensure the highest deliverability possible. However, TeleSign still recommends keeping the country code and phone number separate to encourage the end user to enter their phone number correctly.
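The following helper is an added example, not TeleSign's phone-cleansing system or SDK code; it shows why a separate, drop-down-sourced country code makes normalization easier and how the "country code typed twice" mistake (as a "+cc" or "00cc" prefix in the number field) can be caught client- or server-side before the request is sent. The function name and error messages are assumptions.

```python
import re

E164_MAX_DIGITS = 15  # E.164 limit: country code plus national number


def build_e164(country_code: str, national_number: str) -> str:
    """Combine a separately collected country code and national number.

    Assumption (not TeleSign's cleansing logic): the country code comes
    from a drop-down, so it is trusted; the national number is free text
    and is normalized here. Raises ValueError on input that cannot be
    made into a plausible E.164 number.
    """
    cc = re.sub(r"\D", "", country_code)
    if not 1 <= len(cc) <= 3:
        raise ValueError("country code must be 1-3 digits")

    typed = national_number.strip()
    if typed.startswith("+") or typed.startswith("00"):
        # The mistake the separate field is meant to prevent: the user
        # also typed the country code into the number field.
        digits = re.sub(r"\D", "", typed.lstrip("+"))
        if typed.startswith("00"):
            digits = digits[2:]  # drop the international dialing prefix
        if not digits.startswith(cc):
            raise ValueError("number carries a different country code than selected")
        digits = digits[len(cc):]
    else:
        # A bare leading country code without "+" is ambiguous (e.g. "1" is
        # a valid start of a US national number), so it is taken literally.
        digits = re.sub(r"\D", "", typed)

    if not digits:
        raise ValueError("national number is empty")
    if len(cc) + len(digits) > E164_MAX_DIGITS:
        raise ValueError("number exceeds the E.164 15-digit limit")
    return f"+{cc}{digits}"
```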
TeleSign’s standard SMS template has been translated in over 54 languages and the voice template in over 84 localized languages. In addition, custom messages can be accommodated for customers with an Enterprise account.
- Clearly explain what the end user can expect at each step of verification. For example, in the image displayed earlier, a note is included explaining to the end user what happens
- Present the end user the option to have the verification code resent in case they were not able to get to the phone in time or the verification code expired before the end user was able to enter it into the application. It is recommended that you display this as a link with the text “Didn’t receive the verification code?”
- As a backup to the default option, also give the end user the option to retry sending the verification code through another method. For example, if you offered SMS and it did not work, provide the end user the option to resend the verification code by voice.
- If using PhoneID, re-prompt end users who enter invalid, high-risk, or inappropriate phone numbers for the chosen verification method. Example verbiage could be “please enter a valid number” when an end user’s phone number is invalid, or “please enter a valid mobile number” when SMS is the verification method.
- Limit the number of times an end user can request a verification code, and/or offer manual support such as contact information for customer support or a link to a frequently asked questions page.
- Set an expiration time on verification codes to provide additional account protection. TeleSign recommends no more than five minutes, but expiration length varies by use case.
Require a phone number at registration for extra security and account takeover prevention.
When the end user enters their phone number, use PhoneID Score to identify the risk level of the phone number. Use the returned phone type to send the verification code over the channel appropriate to that phone type, which increases deliverability and saves cost.
When the end user registers a phone number to enable two-factor authentication, use PhoneID to identify phone attributes for fraud detection.
For use cases where a phone number is already tied to an account, do not display the end user’s entire phone number. It is recommended that you mask all but the last 4 digits of the phone number (for example, xxx-xxx-1234).
Do not allow an end user to edit their phone number. A fraudster can use this method to complete account takeover once a username and password have been fraudulently obtained.
Allow up to three attempts before locking the account out. If an end user is locked out, present an option to contact Support.
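As an added example, not code from the TeleSign documentation or SDK, this Python sketch of a server-side verification session ties together the "Didn’t receive the verification code?" resend link, the retry over the alternate channel, the five-minute expiry and the three-attempt lockout described above. The channel names, the resend limit, the status strings and the injectable clock are assumptions.

```python
import hmac
import secrets
import time
from typing import Callable

CODE_TTL_SECONDS = 5 * 60   # recommendation above: no more than five minutes
MAX_ATTEMPTS = 3            # wrong entries allowed before the account is locked
MAX_SENDS = 3               # assumed cap on deliveries (initial send + resends)
FALLBACK = {"sms": "voice", "voice": "sms"}  # alternate channel for retries


class VerificationSession:
    """State for one phone verification (assumed design, not TeleSign's SDK)."""

    def __init__(self, channel: str, clock: Callable[[], float] = time.time):
        self.channel = channel
        self.clock = clock          # injectable for deterministic tests
        self.attempts = 0
        self.sends = 0
        self.locked = False
        self._issue()

    def _issue(self) -> None:
        # Six-digit one-time code from a CSPRNG; a new code per delivery.
        self.code = f"{secrets.randbelow(10**6):06d}"
        self.expires_at = self.clock() + CODE_TTL_SECONDS
        self.sends += 1

    def resend(self, alternate: bool = False) -> str:
        """Resend path; alternate=True switches SMS<->voice for the retry."""
        if self.locked:
            return "locked"
        if self.sends >= MAX_SENDS:
            return "limit_reached"  # UI should now offer support contact or FAQ
        if alternate:
            self.channel = FALLBACK[self.channel]
        self._issue()
        return f"sent_via_{self.channel}"

    def verify(self, submitted: str) -> str:
        if self.locked:
            return "locked"
        if self.clock() > self.expires_at:
            return "expired"        # UI should show the resend option
        self.attempts += 1
        if hmac.compare_digest(self.code.encode(), submitted.strip().encode()):
            self.expires_at = 0.0   # one-time: the same code never verifies twice
            return "verified"
        if self.attempts >= MAX_ATTEMPTS:
            self.locked = True      # present the "contact Support" option
            return "locked"
        return "incorrect"
```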
Ensure caching is configured so that an end user cannot opt out of two-factor authentication (2FA).
Prompt end users to update their contact information every 30 to 90 days to ensure it is current. This helps prevent sending verification messages to old phone numbers. If the end user enters a new phone number, use PhoneID Standard or PhoneID Score to gather information on the updated phone number and confirm its validity and type. Require the end user to re-verify their phone number after a contact information update.
Use 2FA to challenge end users every so often (for example, every two months) to help prevent unauthorized use.
If you are tracking device and location information for users, use 2FA to challenge end users who log in from a different location, since a change of location could indicate suspicious activity.