March 24, 2021

How to maximise onboarding for your social networking app (without losing security)

Parth Awasthi
Head of Product

There has never been a better time to produce a social networking app. They currently boast a market reach of 95%, as the web becomes increasingly mobile and communication becomes more remote.

Yet one of the biggest dilemmas for networking app developers is finding the right balance between a slick UX (user experience) and strong security. The most crucial stage to get this right is at registration, when a new user first signs up – and it’s here that the impossible trade-off is made. 

Either security is too low, which risks admitting bad actors and fake accounts, or it is too high – with the potential for up to 30% of users failing to complete the process because of UX frustrations on mobile. Trying to choose a middle ground is suboptimal all round. Fortunately, there is now a solution that avoids that painful trade-off.

In this article we’ll explain why outdated login methods such as email address and social login don’t work well for the networking app persona. We’ll then outline what can be done to solve the problem by delivering a low-friction UX with strong security that keeps out fake accounts created by scammers and bots, helping you to convert every user.

Why isn’t your current verification working? 

Email is either personal or disposable
Using email + password has been the default for user identity since the web began, but it’s simply not optimal for mobile users. Not only does it cause unnecessary friction to type out both credentials on a small screen, but this method offers flawed security and can easily be abused by fraudsters.

Most people have a main email address which contains their full name or other personal identifiers. New users who are unsure of your app’s level of security are often reluctant to use this personal email as their identity. On the other hand, it’s very easy to create a throwaway email address, and this is a major problem for app developers when it comes to verifying users. 

Trust forms a vital aspect of user satisfaction in networking. Apps need to trust that users are who they claim to be, while users need to trust that the service works to keep out malicious actors. But when your authentication method only requires <bob@domain> to retrieve an OTP from their inbox, it’s all too easy for a fraudster to go on and create loads more accounts: bob1, bob2, bob3 and so on. 

What’s worse, this also means that if <bob@domain> is banned from your platform, they only need to return as <casanova123@domain> or some other made-up address to continue with harassment or other unacceptable behaviour. There’s no real verification in either of these cases that <bob@domain> is one individual. 

Social logins carry risk
Along with many of the same problems as email – easy to duplicate or fraudulently access – there are further privacy risks associated with ‘social logins’ (using a different social media account such as Facebook or Twitter to access an app). 

Using a social login risks exposing more personal information than the user wishes to share in a different networking context, such as their surname, place of work, where they live, and who they know. All of this information increases the risk of malicious actors being able to stalk and profile users. It’s the worst of both worlds, in fact: it raises a privacy concern for users, yet doesn’t add value for your app’s purposes as it’s not a strong proof of identity.

If all that wasn’t enough, social logins aren’t universal, as not every user will have the necessary social media account (or be willing to share it, especially in this context) – meaning you’ll still need an alternative login method. 

So if email and social logins aren’t fit for purpose, what’s the best alternative? It might be simpler than you realise…

Mobile apps should be mobile-first

Phone numbers provide anonymity
Using a mobile phone number for identity solves the privacy problem, since it can function as a pseudonym. A phone number is a unique identifier, but doesn’t share any personal information – and in order to use it for verification, your app only needs to check it, rather than store or share it. Once you’ve verified a phone number, it can be linked to your own profile identifiers and never shared with any other users. Everyone has a phone number (unlike social logins), it’s faster to enter than email + password, and you don’t risk abandonment at registration.

Of course, using the phone number alone doesn’t provide solid authentication: virtual numbers can be generated online, meaning a phone number doesn’t guarantee a unique device. There are also many pitfalls with SMS OTP, as SIM swapping fraudsters can hijack a legitimate user’s phone number and receive messages intended for them. But the answer to that issue is surprisingly straightforward too...

A smoother login with stronger security – use the SIM
Checking the phone number against the SIM card in the device solves this issue, as a SIM card contains the same powerful cryptographic security as a credit card, which can’t be duplicated or faked. It’s simple: the user enters just their mobile phone number, and the app communicates instantly with the MNO (mobile network operator) to verify that this number is the one linked to that SIM. 

This ensures that the user possesses a unique physical device, but takes just milliseconds, providing a frictionless experience without invasive data collection. It looks like magic to the user, but provides stronger security with no waiting period for users to abandon the process.

tru.ID’s range of products allow you to quickly and easily implement this solution – and mitigate SIM swap fraud by checking that the SIM hasn’t been changed. 

Kick out scammers for good
Checking phone number + SIM provides strong authentication for new good users, but it can also help with existing bad ones. tru.ID’s APIs can clean out scammers and other banned individuals attempting to rejoin the app, as checking the SIM card will catch out users on the same mobile device attempting to register multiple times.

But don’t just take our word for it – experience how easy it is for yourself with our free PhoneCheck Quick Start guide.

tru.ID: Mobile Authentication, Reimagined

Instant PhoneCheck provides instant authentication of the mobile number of the connected mobile device, greatly improving the user experience and reducing drop-off rates.

Strong SubscriberCheck provides real-time verification of the mobile number and SIM card identity, providing a high-security, low-friction mobile authentication solution that also eliminates the risk of SIM Swap fraud. Or, if you really, really want to stick with SMS OTP, and so need an easy add-on security solution, we offer:

Active SIMCheck, which allows you to check that there has not been a SIM swap before you send the SMS OTP to the user. (Of course, there are still all the other risks related to SMS OTP, but this is a big improvement and a short-term fix while you plan the full solution.)
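As an added illustration of the decisions described above (number-to-SIM match, refusing a recently swapped SIM before any OTP is sent, and catching a SIM that is already registered), here is a server-side gate written for this article; it is not tru.ID’s code or API, and the `SimCheck` fields, the `sim_ref` values, the 7-day swap window and the phone numbers are all constructed assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed shape of an operator-side SIM check result. Field names are
# illustrative assumptions, not tru.ID's or any MNO's actual API.
@dataclass
class SimCheck:
    phone_number: str
    number_matches_sim: bool   # entered number is the one bound to the SIM in this device
    sim_ref: str               # opaque operator reference for the SIM, never shown to users
    last_sim_change: datetime  # when the number was last moved onto a different SIM

SERVER_SECRET = b"constructed-server-secret"   # production: load from a secrets store

def pseudonym(value: str) -> str:
    """Keyed hash so the raw number / SIM reference is checked but never stored."""
    return hmac.new(SERVER_SECRET, value.encode(), hashlib.sha256).hexdigest()

def decide_registration(check: SimCheck, registered_sims: set, now: datetime,
                        swap_window: timedelta = timedelta(days=7)) -> str:
    """Return 'allow', or a refusal reason, for one sign-up attempt."""
    if not check.number_matches_sim:
        return "refuse: number not bound to the SIM in this device"   # virtual number, wrong device
    if now - check.last_sim_change < swap_window:
        return "refuse: recent SIM change, treat as possible SIM swap"
    sim_id = pseudonym(check.sim_ref)
    if sim_id in registered_sims:
        return "refuse: SIM already registered"   # banned user returning under a new email
    registered_sims.add(sim_id)
    return "allow"

def demo() -> list:
    """Constructed scenarios: a first sign-up, a duplicate, a fresh SIM swap, a mismatch."""
    now = datetime(2021, 3, 24, tzinfo=timezone.utc)
    old = now - timedelta(days=400)
    sims: set = set()
    return [
        decide_registration(SimCheck("+447700900123", True, "sim-A", old), sims, now),
        decide_registration(SimCheck("+447700900123", True, "sim-A", old), sims, now),
        decide_registration(SimCheck("+447700900123", True, "sim-B", now - timedelta(days=2)), sims, now),
        decide_registration(SimCheck("+447700900999", False, "sim-C", old), sims, now),
    ]

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Only the keyed hash of the SIM reference is kept, which is the "check it, don't store it" property the phone-number section relies on.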

Try us, follow us, join us

  • To see our products in action, schedule a demo now or sign up to start testing and integrating our APIs 
  • Follow us on LinkedIn and Twitter
  • Want to join the team? We’d love to hear from you.