17 Apr Securing Your Transactions with Restcomm – Part 2

In my last post, I described how to use Restcomm to enforce strong authentication over SMS by implementing a Two-Factor Authentication (2FA) validation system, also known as One-Time Password (OTP). Being able to implement something like this matters once you reach the point of CPaaS vendor selection, as regulators are keeping an eye on it as part of the PSD2 package.

In this post, however, I would like to go over another way to enforce strong authentication, using voice instead. This method of strong authentication is often referred to as Flash Call Verification.

Using Flash Call Verification to Validate or Authenticate Your Mobile App

Flash Call Verification is a validation process that shares the same purpose as OTP, i.e. validating the user, access or action based on their personal phone number. The difference lies in the way the user interacts with the validation system. While OTP requires the user to receive and enter a token, Flash Call minimizes user interaction by simply triggering a voice call to the phone number. That call is then detected by a mobile app, which validates access based on the call's origin and duration.

To exemplify how this process can be implemented, I have divided the architecture into the following components:

  • Web Front-End: simple HTML front-end to manage the input of a number to validate
  • Restcomm Voice API: Restcomm Voice API to trigger the call
  • Restcomm RCML: Restcomm Markup Language script (XML) with a simple Text-to-Speech (TTS) instruction just in case the user actually answers the call

Please note that for the sake of simplicity in this example, I am not handling the call at the termination side, i.e. no smartphone app to validate the inbound call is being used in this example. This example is mainly focused on how to use Restcomm to generate and manipulate the call characteristics.
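Even though the termination side is out of scope for this post, the check the handset app would perform is small, so here it is as an added example (not code from the original post or from Restcomm): the app validates the incoming call by its origin number and by how long it rang, which is exactly the "origin and duration" test described above. The `CallEvent` structure, the function names and the sample events are assumptions constructed for this example.

```python
"""Added example: handset-side validation of a flash call by origin and duration.
CallEvent, the function names and the sample events below are constructed for this
example; they are not part of the original post or of any Restcomm SDK."""
from dataclasses import dataclass


@dataclass
class CallEvent:
    caller: str          # caller ID as presented by the handset (assumed field)
    ring_seconds: float  # how long the call rang before it ended (assumed field)


def normalize(number: str) -> str:
    """Keep digits only, so '+44 7418 340465' and '447418340465' compare equal."""
    return "".join(ch for ch in number if ch.isdigit())


def verify_flash_call(event: CallEvent, expected_from: str, timeout: int) -> bool:
    """Accept the call only if it came from the origin number the server announced
    and it rang for a plausible time, i.e. it ended within the Timeout configured
    on the Restcomm side (10 seconds in the post). A call from any other number,
    or one that rang longer than the server could have let it ring, is ignored."""
    if normalize(event.caller) != normalize(expected_from):
        return False  # wrong origin: not the verification call
    return 0 < event.ring_seconds <= timeout


# Constructed sample events: one genuine verification call, two that must be ignored.
SAMPLE_EVENTS = [
    CallEvent(caller="+44 7418 340465", ring_seconds=4.2),   # expected origin, 4 s ring
    CallEvent(caller="441234567890", ring_seconds=4.2),       # unknown origin
    CallEvent(caller="447418340465", ring_seconds=25.0),      # rang longer than Timeout
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev, "->", verify_flash_call(ev, "447418340465", 10))
```

The expected origin number would be handed to the app by the server that triggered the call, so a caller that merely knows the user's number cannot pass the check without also knowing which origin to present.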

All of these components can be found in my Github account with instructions on how to use them. Feel free to make comments or propose changes directly.

The Flash Call flow can then be implemented in two fundamental steps:

1. Collecting The Number

Similar to the previous blog entry on SMS 2FA/OTP, on the frontend I’m presenting a very simple HTML page with a form that collects the phone number, shown below.

Unlike the SMS 2FA/OTP implementation, in this example I’m placing the Restcomm Voice API call directly in the HTML form:

  <!-- the form posts straight to the Restcomm Calls API; the action is a placeholder -->
  <form class="form-signin" method="POST"
        action="<restcomm_calls_api_url>">
    <input class="form-control" type="text"
           required name="To"
           placeholder="e.g. 1222333444">
    <input type="hidden" name="From" value="447418340465" />
    <input type="hidden" name="Url"
           value="http://<path_to_rcml_file>/rc-flash-call.xml" />
    <input type="hidden" name="Timeout" value="10" />
    <label class="checkbox"></label>
    <button class="btn btn-lg btn-primary btn-block" type="submit">Verify</button>
  </form>

In a nutshell, here I’m instructing Restcomm to call the number entered in the form with 447418340465 as the origin number (a number I have registered in my Restcomm account) and to drop the call after 10 seconds if the user does not pick up the phone.

You will also notice that I am adding a URL to the RCML App. This causes a voice application to be triggered in case the user answers the incoming call within the 10 seconds of ringing. Keep in mind that in a real use case the mobile app would be digesting the incoming call and so this step may not be necessary.

The RCML app contains the following TTS instruction:

    <Response>
      <Say voice="woman" language="en-gb">Your phone number has been confirmed.</Say>
    </Response>

2. Making The Call

After typing your phone number on the previous page, all you have to do is click on the Verify button. This triggers the API described previously and finally places the call.

Again, please keep in mind that all components were structured with the sole purpose of showing how you can use the Restcomm Voice API as part of the Flash Call process, and therefore skip several security enforcement steps to keep the example simple. It is not good practice to place your Restcomm credentials directly on the webpage; instead, keep them behind a JavaScript or PHP application.
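As an added example of the server-side approach just recommended (not code from the original post or from the Restcomm project), the helper below places the same call the HTML form does, but from the server, so the account SID and auth token never reach the browser, and it validates the destination number before dialling. The endpoint path follows the Restcomm Connect REST API (`Accounts/{AccountSid}/Calls.json`, parameters `From`, `To`, `Url`, `Timeout`, HTTP Basic auth); the host name, account SID, auth token and RCML URL are placeholders, and the function names are my own.

```python
"""Added example: placing the flash call from the server side so Restcomm
credentials stay out of the HTML page. Host, account SID, auth token and RCML
URL are placeholders; the endpoint path follows the Restcomm Connect REST API."""
import base64
import re
import urllib.request
from typing import Dict, Tuple
from urllib.parse import urlencode

RESTCOMM_HOST = "https://restcomm.example.invalid"            # placeholder
ACCOUNT_SID = "ACxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"            # placeholder
AUTH_TOKEN = "REPLACE_WITH_AUTH_TOKEN"                         # placeholder, server-side only
FROM_NUMBER = "447418340465"                                   # origin number used in the post
RCML_URL = "http://<path_to_rcml_file>/rc-flash-call.xml"      # RCML location as in the post
RING_TIMEOUT = 10                                              # seconds, as in the post

# Plain international number: 7 to 15 digits, no leading zero (E.164 without the '+').
E164_DIGITS = re.compile(r"[1-9]\d{6,14}")


def validate_destination(to: str) -> str:
    """Accept only a well-formed international number from the browser form.
    Rejecting anything else here means the form cannot be used to make the
    account dial arbitrary strings, short codes or malformed numbers."""
    digits = to.strip().lstrip("+")
    if not E164_DIGITS.fullmatch(digits):
        raise ValueError(f"invalid destination number: {to!r}")
    return digits


def build_call_request(to: str) -> Tuple[str, Dict[str, str], bytes]:
    """Build the POST to Accounts/{AccountSid}/Calls.json with the same
    parameters the post's HTML form sends (From, To, Url, Timeout), using
    HTTP Basic auth from the server-side credentials."""
    params = {
        "From": FROM_NUMBER,
        "To": validate_destination(to),
        "Url": RCML_URL,
        "Timeout": str(RING_TIMEOUT),
    }
    url = f"{RESTCOMM_HOST}/restcomm/2012-04-24/Accounts/{ACCOUNT_SID}/Calls.json"
    token = base64.b64encode(f"{ACCOUNT_SID}:{AUTH_TOKEN}".encode()).decode()
    headers = {
        "Authorization": f"Basic {token}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return url, headers, urlencode(params).encode()


def place_flash_call(to: str) -> bytes:
    """Send the request to Restcomm. The browser only ever posts 'To' to the
    server running this code; the credentials live here, not in the page."""
    url, headers, body = build_call_request(to)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    # Show the request that would be sent for the post's example number (no network call).
    url, headers, body = build_call_request("1222333444")
    print(url)
    print(body.decode())
```

With this in place, the HTML form posts only the `To` field to your own back end, which adds `From`, `Url` and `Timeout` itself and authenticates to Restcomm with credentials the browser never sees.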

This post assumes that you have a voice termination link associated with your Restcomm account. In Restcomm, you can have a different SIP interconnection for each account or sub-account. This is called “Bring Your Own Carrier”.

You can learn how to do this HERE.
