There has never been a better time to produce a social networking app. They currently boast a market reach of 95%, as the web becomes increasingly more mobile and communication becomes more remote.
Yet one of the biggest dilemmas for networking app developers is finding the right balance between a slick UX (user experience) and strong security. The most crucial stage to get this right is at registration, when a new user first signs up – and it’s here that the impossible trade-off is made.
Either security is too low, which risks admitting bad actors and fake accounts, or it is too high – with the potential for up to 30% of users failing to complete the process because of UX frustrations on mobile. Trying to choose a middle ground is suboptimal all round. Fortunately, there is now a solution that avoids that painful trade-off.
In this article we’ll explain why outdated login methods such as email address and social login don’t work well for the networking app persona. We’ll then outline what can be done to solve the problem by delivering a low-friction UX with strong security that avoids fake accounts from scammers and bots, helping you to convert every user.
Email is either personal or disposable
Using email + password has been the default for user ID since the web began, but it’s simply not optimal for mobile users. Not only does it cause unnecessary friction to type out both credentials on a small screen, but this method offers flawed security and can easily be used by fraudsters.
Most people have a main email address which contains their full name or other personal identifiers. New users who are unsure of your app’s level of security are often reluctant to use this personal email as their identity. On the other hand, it’s very easy to create a throwaway email address, and this is a major problem for app developers when it comes to verifying users.
Trust forms a vital aspect of user satisfaction in networking. Apps need to trust that users are who they claim to be, while users need to trust that the service works to keep out malicious actors. But when your authentication method only requires <bob@domain> to retrieve an OTP from their inbox, it’s all too easy for a fraudster to go on and create loads more accounts: bob1, bob2, bob3 and so on.
What’s worse, this also means that if <bob@domain> is banned from your platform, they only need to return as <casanova123@domain> or some other made-up address to continue with harassment or other unacceptable behaviour. There’s no real verification in either of these cases that <bob@domain> is one individual.
Social logins carry risk
Along with many of the same problems as email – easy to duplicate or fraudulently access – there are further privacy risks associated with ‘social logins’ (using a different social media account such as Facebook or Twitter to access an app).
Using a social login risks exposing more personal information than the user wishes to share in a different networking context, such as their surname, place of work, where they live, and who they know. The availability of such information all increases the risk of malicious actors being able to stalk and profile users. It’s the worst of both worlds, in fact: it raises a privacy concern for users, yet doesn’t add value for your app’s purposes as it’s not a strong proof of identity.
If all that wasn’t enough, social logins aren’t universal, as not every user will have the necessary social media account (or be willing to share it, especially in this context) – meaning you’ll still need an alternative login method.
So if email and social logins aren’t fit for purpose, what’s the best alternative? It might be simpler than you realise…
Phone numbers provide anonymity
Using a mobile phone number for identity solves the privacy problem, since it can function as a pseudonym. A phone number is a unique identifier, but doesn’t share any personal information – and in order to use it for verification, your app only needs to check it, rather than store or share it. Once you’ve verified a phone number, it can be linked to your own profile identifiers and never shared with any other users. Everyone has a phone number (unlike social logins), it’s faster to enter than email + password, and you don’t risk abandonment at registration.
Of course, using just the phone number alone doesn’t provide solid authentication: virtual numbers can be generated online, meaning a phone number doesn’t guarantee a unique device. There are also many pitfalls with SMS OTP, as SIM swapping fraudsters can hijack a legitimate user’s phone and receive messages intended for them. But the answer to that issue is surprisingly straightforward too...
A smoother login with stronger security – use the SIM
Checking the phone number against the SIM card in the device solves this issue, as a SIM card contains the same powerful cryptographic security as a credit card, which can’t be duplicated or faked. It’s simple: the user enters just their mobile phone number, and the app communicates instantly with the MNO (mobile network operator) to verify that this number is the one linked to that SIM.
This ensures that the user possesses a unique physical device, but takes just milliseconds, providing a frictionless experience without invasive data collection. It looks like magic to the user, but provides stronger security with no waiting period for users to abandon the process.
tru.ID’s range of products allow you to quickly and easily implement this solution – and mitigate SIM swap fraud by checking that the SIM hasn’t been changed.
Kick out scammers for good
Checking phone number + SIM provides strong authentication for new good users, but it can also help with existing bad ones. tru.ID’s APIs can clean out scammers and other banned individuals attempting to rejoin the app, as checking the SIM card will catch out users on the same mobile device attempting to register multiple times.
But don’t just take our word for it – experience how easy it is for yourself with our free PhoneCheck Quick Start guide.