
How to Verify Phone Number & Email with Facebook Account Kit [for Android]

Alvi Ataur Khalil


With the rising number of spammers and scammers, it has become a fundamental necessity for every user-based website and application to establish that each user is who they claim to be. This post covers what you need to know about mobile number verification and email address verification for authenticating a user, and how to implement both in an Android application using Facebook Account Kit.

What is Mobile Number Verification?

Mobile number verification is the process of confirming that a phone number is valid, reachable and under the control of the user who supplied it. It is also a widely used measure for any service or application that wants an extra layer of security.

Mobile number verification is often used as a form of two-factor authentication for online accounts. A PIN code is sent by SMS in real time, so only someone with access to that mobile number can read it; the user logs in with their password and proves possession of the number by entering the correct PIN. Since phone numbers are universally available and no further hardware is needed, phone number verification is a globally accessible and relatively inexpensive way to add security. Keep in mind what it proves: SMS codes can be diverted by SIM swapping or read by malware on the handset, so a verified number is evidence that the user possesses that number, not proof of who they are.

The importance of mobile number verification shouldn't be underestimated. It makes spam attacks by bots, fraud and account takeovers considerably harder. Aside from security, it also identifies unreachable users whose contact information is stale or incorrect, so your database consistently holds up-to-date contact details.

The problem with mobile number verification is that it can be a tedious process if done manually. Merely checking that a mobile number is valid would mean contacting the carrier to find out whether the number is genuine. Checking that the number is reachable and controlled by the user is simpler: send a one-time code to the number and have the user enter it in the application, which proves they received the message.
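To make the "send a code and have the user enter it" step concrete, here is an added example of the server-side bookkeeping that has to sit behind an SMS PIN. It is written for this edit and is not code from the post or from Account Kit. The code is drawn from a CSPRNG, expires after a few minutes, is discarded after a handful of wrong guesses, is compared in constant time, is single use, and resends to one number are throttled so the endpoint cannot be abused to bomb a victim with messages. The SMS gateway callable (send_sms), the time limits and the sample phone number are assumptions; everything runs offline against an in-memory store.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300        # a code is valid for five minutes (assumed policy)
MAX_ATTEMPTS = 5             # then the code is thrown away (assumed policy)
MIN_RESEND_INTERVAL = 30     # seconds between two sends to the same number


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    attempts: int = 0


class OtpService:
    """Issue and check SMS PIN codes for phone-number verification.

    send_sms is a callable(phone, text) that hands the message to your SMS
    gateway (an assumed interface); the clock is injectable so expiry can be
    exercised without sleeping. The store is an in-memory dict; a real
    deployment keeps it in a database or cache shared by all app servers.
    """

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms
        self._clock = clock
        self._pending = {}     # phone -> PendingOtp
        self._last_sent = {}   # phone -> timestamp of the last SMS

    def issue(self, phone: str) -> None:
        now = self._clock()
        last = self._last_sent.get(phone)
        if last is not None and now - last < MIN_RESEND_INTERVAL:
            # Throttle per number: stops the endpoint being used to flood a victim.
            raise RuntimeError("resend too soon")
        # Use the CSPRNG, never random.randint, so codes are unpredictable.
        code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pending[phone] = PendingOtp(code=code, expires_at=now + OTP_TTL_SECONDS)
        self._last_sent[phone] = now
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone: str, submitted: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False                      # nothing pending for this number
        if self._clock() > entry.expires_at:
            del self._pending[phone]          # expired: user must request a new one
            return False
        entry.attempts += 1
        # compare_digest does not leak how many leading digits matched.
        ok = hmac.compare_digest(entry.code.encode(), submitted.encode())
        if ok or entry.attempts >= MAX_ATTEMPTS:
            # Single use on success; discarded after too many guesses so a
            # six-digit code cannot be brute-forced online.
            del self._pending[phone]
        return ok
```

The attempt limit matters as much as the code length: with no limit, a six-digit code falls to a million guesses, which is minutes of work against an unthrottled endpoint.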

Why use Mobile Number Verification?

Companies are seeing an increase in security breaches caused by spammers and scammers. These breaches result in a poor customer experience and may lead to lower customer retention or, worse, damage your brand and bring legal and financial repercussions. To reduce that risk, a good approach is to verify mobile numbers consistently at every stage of the customer lifecycle, including account creation, transaction authentication and ongoing customer engagement. With billions of phone numbers registered worldwide, the phone number is one of the most widely available factors for verifying a user.

Here are six user management best practices where mobile phone verification can increase security and boost customer acquisition and retention:

1. Authenticate registration: When a new person signs up for your application, mobile verification helps confirm that the new user controls the number they claim. For example, a new person who downloads an app and registers an account receives a PIN code via a messaging service such as SMS, MMS, WhatsApp or Facebook Messenger, or via a voice call, and enters it in the app on their device to complete registration. This step binds a user to their device.

2. Authorize upgrades: Many applications use a freemium model, meaning the basic app is free but a premium version is unlocked by a paid upgrade. Sending a message with a PIN to verify mobile users and their intent to upgrade can help reduce mistaken purchases and curb fraudulent ones.

3. Reset passwords: When a user signs in to an app from an unknown or alternative device (for example from an IP address different from the one recorded in their profile) and requests a password reset, sending a code to verify the user's identity helps reduce fraud and account theft. For example, Google uses this technique to verify your identity via your mobile phone number whenever a login attempt originates from an unknown device.

4. Reactivation of users: When a user of an application or website tries to sign in after a long period of inactivity, a phone verification step helps ensure once again that the user is genuine and not an attacker or spammer.

5. Refresh user details: Updates to user profile information should always be confirmed with a message to the mobile device linked to the account. Ensuring that updates were initiated by the account owner is essential for security and also for accurate delivery of information to users. For example, an airline can only share important flight updates with customers if it holds current contact information.

6. Authenticate transactions: Confirming transactions with real-time communication significantly reduces costly fraud resolution. Authenticating clients at this critical moment via phone verification is so effective at reducing suspicious activity that many payment and e-commerce apps and sites now confirm transactions with a one-time password (OTP) sent by message.

What is Email Address Verification?

Email verification is a very common method that almost everyone with an email account has been through. When a user registers (or, on a blog, when a comment is held for moderation), a mail is sent to the address they supplied. The mail contains a unique link; when the user clicks it, the account (or the comment) is automatically approved. Clicking the link proves that whoever submitted the address can read mail delivered to it, and that is what makes the verification meaningful: it establishes control of the mailbox, not merely that the address is well formed.
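The following is an added example, not code from the post, of how such a link can be built so that it cannot be forged, altered or reused. The token embeds the user id, the address, an expiry and a nonce, signed with HMAC-SHA256 under a server-side key; the verification endpoint checks the signature before trusting anything inside the token, rejects expired and already-redeemed tokens, and reports which address was confirmed. The mail sender callable, the base URL app.example.com, the 24-hour lifetime and the in-memory set of redeemed nonces are assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 3600   # assumed policy: a link is good for one day


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class EmailVerifier:
    """Issue and redeem signed, time-limited, single-use verification links.

    send_mail is a callable(to_address, body) for your mail provider (assumed
    interface). The redeemed-nonce set is in memory here; persist it, or the
    pending token per user, in your database in a real deployment.
    """

    def __init__(self, secret_key: bytes, send_mail,
                 base_url="https://app.example.com", clock=time.time):
        self._key = secret_key          # server-side only; never sent to the user
        self._send_mail = send_mail
        self._base_url = base_url
        self._clock = clock
        self._used = set()              # nonces already redeemed

    def _sign(self, payload: bytes) -> str:
        return b64url_encode(hmac.new(self._key, payload, hashlib.sha256).digest())

    def send_link(self, user_id: str, email: str) -> str:
        # Binding the address into the token means a link mailed to one
        # address can never mark a different, later-edited address as verified.
        claims = {"uid": user_id, "email": email,
                  "exp": int(self._clock()) + TOKEN_TTL_SECONDS,
                  "nonce": secrets.token_urlsafe(16)}
        payload = json.dumps(claims, separators=(",", ":")).encode()
        token = b64url_encode(payload) + "." + self._sign(payload)
        link = f"{self._base_url}/verify-email?token={token}"
        self._send_mail(email, f"Confirm your address by opening: {link}")
        return link

    def redeem(self, token: str) -> Optional[dict]:
        """Return the verified claims, or None if the token is not acceptable."""
        try:
            body, sig = token.split(".", 1)
            payload = b64url_decode(body)
        except (ValueError, binascii.Error):
            return None                                   # malformed
        if not hmac.compare_digest(self._sign(payload).encode(), sig.encode()):
            return None                                   # forged or tampered
        claims = json.loads(payload)                      # safe: signature verified
        if self._clock() > claims["exp"]:
            return None                                   # expired
        if claims["nonce"] in self._used:
            return None                                   # replayed
        self._used.add(claims["nonce"])
        return claims
```

Checking the signature before decoding the JSON is deliberate: nothing in the payload is parsed or acted upon until it is known to have been produced by the server.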

Email, although purely online, remains an important channel for businesses as well as for personal use. Of the various ways of sending messages online, email is by far the most widely adopted: it is economical, fast and near instant.

There are various reasons why an email may not reach its intended recipient: the individual may have changed address, the company that owned the domain may have closed, or the receiving server may be unable to provide service.

There are many free online tools for email verification. Their function is to check whether an email address exists: you enter the address and the site queries the responsible mail server to determine whether the mailbox is real. Note the limits of such a lookup: it tells you that a mailbox exists, not that the person who typed the address controls it, which is why the confirmation link described above is still needed. Submitting your users' addresses to a third-party site also discloses their personal data to that site.

Though there are many such sites, only a few are genuine. The most popular is VerifyEmailAddress.org. After receiving the address, the site attempts to contact the mail servers to determine whether the mailbox exists and returns detailed information about that account.

Email verification is crucial for transactions involving money. Online banking is becoming more popular by the day; instead of standing in a long line at the bank, customers prefer to transact on the Internet. It is important for a bank to verify an email address before granting a user access and the ability to start transactions.

Why use Email Address Verification?

Most Android apps want a relationship with an identifiable person. The exceptions are sites designed with anonymity in mind, which are almost purely online communities. Some of the reasons for verifying email addresses:

  1. A verified email means a real mailbox, with a person who can read it, behind the registration. This stops some simple bots.

  2. A verified email spares a person frustration if the address was mistyped. If a user registered with a music service, built a bunch of playlists, logged out and then forgot the password, it would help if they could reset their password properly.

  3. A verified email has a higher value for marketing purposes: you have proved that the address is not fake or a dead end, and you can analyse the client's habits and target them based on their browsing.

  4. A verified email allows you to inform a person about security breaches, other important site issues and site announcements.

  5. A verified email prevents abuse. I regularly receive spam and information from sites I never signed up for, because there are several people with my name who either sign up for services and mistype their email address or sign up for some adult website that doesn't require verification (for obvious reasons). If these websites verified emails, I would get an email asking for verification and promptly ignore it.

Facebook Account Kit

Facebook Account Kit helps users quickly and easily register for and log into your app using their phone number or email address as passwordless credentials. Account Kit is powered by Facebook's email, SMS and WhatsApp sending infrastructure for reliable, scalable performance with global reach. Because it authenticates with an email address or phone number, Account Kit does not require a Facebook account and is an alternative to social login.

Account Kit is built for the mobile world, providing long-lived sessions, easy account management and no passwords to remember. When a person logs in with their email address, Account Kit sends a one-time link to that address, and the SDK can detect when the address has been verified. When a person logs in with their phone number, they can choose SMS or WhatsApp and Account Kit sends a confirmation code to that number for validation, or verifies the number directly.

The login flows for Account Kit cover both account registration and account login. There is no need to check whether an account already exists or to build a separate flow for new users. After a successful login or registration, Account Kit provides your app with authentication credentials for the person logging in.

The Android SDK provides an activity, and all you need to do to initiate a login is start it. The activity returns a result that indicates whether the login succeeded or failed.

Account Kit supports SMS-based and WhatsApp authentication for hundreds of country codes. For the list of country codes that Account Kit supports for SMS-based authentication, see Supported SMS Country Codes. There is no charge for SMS messaging through August 2018. After that, applications which exceed 100,000 SMS messages per month may be charged at standard SMS rates. For more information see "Is there a charge for using SMS with Account Kit" in the FAQ. If you don't want to offer SMS as an option, you can toggle it off. For Android and iOS development, you can do this during the SDK setup, and for websites, you can toggle SMS off in the app dashboard.

How Account Kit Works

Account Kit maintains a database just for your app, which you can query at any time through a REST API. As people log into your app, it is populated with their phone numbers or email addresses and with Account IDs that you can use within your app. These Account IDs are unique to your app, so if you also use Facebook Login as OAuth for your app, they will never conflict with Facebook's app-scoped IDs.

Account Kit facilitates two login flows, depending on whether people choose phone number verification or email verification.

Implementation

Let's dive into the implementation of Facebook Account Kit for Android:

  1. First go to this link: https://developers.facebook.com/apps/ and add a new app. Make sure you are logged into your Facebook account in the browser when opening this link; otherwise it will prompt you to log in.

  2. After creating the app with your desired name, you have to select “Account Kit” from “Add a Product” options.

  3. Then go to Settings and then select Basic. There you have to provide “App Icon” ( with given size guideline ), “Privacy Policy URL”, “Terms of Service URL” and select a “Category”.

  4. From the left menu bar, you have to select “Quick Start” under “Account Kit” from “Products” Option.

  5. In your project, open your_app | Gradle Scripts | build.gradle (Module: app) and add the following dependency to the dependencies{} block to build against the Account Kit SDK (the artifact is account-kit-sdk; the general facebook-android-sdk does not contain the com.facebook.accountkit package, and the Gradle keyword is lowercase implementation):

implementation 'com.facebook.android:account-kit-sdk:5.+'

The 5.+ range resolves to whatever 5.x release is newest at build time. For reproducible, reviewable builds, pin an exact version so that a newly published artifact cannot change your dependency without anyone noticing.

  6. Edit your resources and manifest file following “Step 3”.

  7. Generate your development and release key hashes following the technique in “Step 4” and add them. A key hash identifies a signing certificate to Facebook, so register only hashes of keys you control and keep the release keystore itself out of the repository.

  8. If your app will receive the user's access token directly (i.e. the Enable Client Access Token Flow switch in your app's dashboard is ON), then you should check for a valid, existing token:

import com.facebook.accountkit.AccountKit;
import com.facebook.accountkit.AccessToken;

AccessToken accessToken = AccountKit.getCurrentAccessToken();

if (accessToken != null) {
  //Handle Returning User
} else {
  //Handle new or logged out user
}

If your app will instead receive an authorization code that it passes to your server (i.e. the Enable Client Access Token Flow switch in your app's dashboard is OFF), it is up to your server to exchange that code for an access token and to tell the client whether the login succeeded. The device should never decide its own login status in this flow: the code is short-lived, and only your server, which holds the app secret, can redeem it.

  9. Initiate a login flow for SMS:
import android.content.Intent;
import android.view.View;
import com.facebook.accountkit.AccountKit;
import com.facebook.accountkit.ui.AccountKitActivity;
import com.facebook.accountkit.ui.AccountKitConfiguration;
import com.facebook.accountkit.ui.LoginType;

public static final int APP_REQUEST_CODE = 99;

// onClick handler of the "log in with phone" button, inside your Activity.
// From a Fragment, pass getActivity() instead of this as the Intent context.
public void phoneLogin(final View view) {
  final Intent intent = new Intent(this, AccountKitActivity.class);
  AccountKitConfiguration.AccountKitConfigurationBuilder configurationBuilder =
    new AccountKitConfiguration.AccountKitConfigurationBuilder(
      LoginType.PHONE,
      AccountKitActivity.ResponseType.CODE); // or .ResponseType.TOKEN; must match the dashboard switch
  // ... perform additional configuration ...
  intent.putExtra(
    AccountKitActivity.ACCOUNT_KIT_ACTIVITY_CONFIGURATION,
    configurationBuilder.build());
  startActivityForResult(intent, APP_REQUEST_CODE); // result arrives in onActivityResult
}

The APP_REQUEST_CODE is your custom code to track your login flow. It can be any integer, but it needs to be set by your application. When initializing your intent extras, be sure to specify the AccountKitActivity.ResponseType that matches your application's authorization setting in the Facebook developer portal dashboard: TOKEN if the Enable Client Access Token Flow switch in your app's dashboard is ON, and CODE if it is OFF. If people are logged into their Facebook account on their Android devices, and have a verified phone number, Account Kit verifies them without requiring them to enter the SMS code.

  10. Initiate a login flow for email:
import android.content.Intent;
import android.view.View;
import com.facebook.accountkit.AccountKit;
import com.facebook.accountkit.ui.AccountKitActivity;
import com.facebook.accountkit.ui.AccountKitConfiguration;
import com.facebook.accountkit.ui.LoginType;

public static final int APP_REQUEST_CODE = 99;

// onClick handler of the "log in with email" button, inside your Activity.
// From a Fragment, pass getActivity() instead of this as the Intent context.
public void emailLogin(final View view) {
  final Intent intent = new Intent(this, AccountKitActivity.class);
  AccountKitConfiguration.AccountKitConfigurationBuilder configurationBuilder =
    new AccountKitConfiguration.AccountKitConfigurationBuilder(
      LoginType.EMAIL,
      AccountKitActivity.ResponseType.CODE); // or .ResponseType.TOKEN; must match the dashboard switch
  // ... perform additional configuration ...
  intent.putExtra(
    AccountKitActivity.ACCOUNT_KIT_ACTIVITY_CONFIGURATION,
    configurationBuilder.build());
  startActivityForResult(intent, APP_REQUEST_CODE); // result arrives in onActivityResult
}

Additionally, you have to edit your resources and manifest file following “Step 7”.

  11. Capture the Account Kit activity's result and extract the AccountKitLoginResult from the Intent argument to determine the status of the login attempt.
import android.content.Intent;
import android.widget.Toast;
import com.facebook.accountkit.AccountKitLoginResult;

    @Override
    protected void onActivityResult(
            final int requestCode,
            final int resultCode,
            final Intent data) {
        super.onActivityResult(requestCode, resultCode, data);
        // Confirm that this response matches our request and that a result was delivered.
        if (requestCode == APP_REQUEST_CODE && data != null) {
            AccountKitLoginResult loginResult =
                    data.getParcelableExtra(AccountKitLoginResult.RESULT_KEY);
            String toastMessage;
            if (loginResult == null) {
                toastMessage = "No login result";
            } else if (loginResult.getError() != null) {
                toastMessage = loginResult.getError().getErrorType().getMessage();
                showErrorActivity(loginResult.getError()); // your own error screen
            } else if (loginResult.wasCancelled()) {
                toastMessage = "Login Cancelled";
            } else {
                if (loginResult.getAccessToken() != null) {
                    // TOKEN flow: the device holds the access token itself.
                    toastMessage = "Success:" + loginResult.getAccessToken().getAccountId();
                } else {
                    // CODE flow: only a short-lived authorization code is on the device.
                    // Show a prefix for debugging; never log or display the whole code.
                    toastMessage = String.format(
                            "Success:%s...",
                            loginResult.getAuthorizationCode().substring(0, 10));
                }

                // If you have an authorization code, retrieve it from
                // loginResult.getAuthorizationCode() and pass it to your server,
                // which exchanges it for an access token. In that flow the server,
                // not this activity, decides whether the user is logged in.

                // Success! Start your next activity...
                goToMyLoggedInActivity(); // your own logged-in screen
            }

            // Surface the result to your user in an appropriate way.
            Toast.makeText(this, toastMessage, Toast.LENGTH_LONG).show();
        }
    }
  12. If you began the login session with AccountKitActivity.ResponseType.TOKEN, a logout option is available to remove the stored AccessToken from the device.
import com.facebook.accountkit.AccountKit;

AccountKit.logOut();
  13. If you began the login session with AccountKitActivity.ResponseType.TOKEN, you can access the Account Kit ID, phone number and email of the current account via a call to getCurrentAccount().
import com.facebook.accountkit.AccountKit;
import com.facebook.accountkit.Account;
import com.facebook.accountkit.PhoneNumber;
import com.facebook.accountkit.AccountKitCallback;
import com.facebook.accountkit.AccountKitError;

AccountKit.getCurrentAccount(new AccountKitCallback<Account>() {
  @Override
  public void onSuccess(final Account account) {
    // Get Account Kit ID
    String accountKitId = account.getId();

    // Get phone number
    PhoneNumber phoneNumber = account.getPhoneNumber();
    if (phoneNumber != null) {
      String phoneNumberString = phoneNumber.toString();
    }

    // Get email
    String email = account.getEmail();
  }
  
  @Override
  public void onError(final AccountKitError error) {
    // Handle Error
  }
});

  14. In the top right corner, you can see the app is in “Development” status. Turn on the toggle button and click the confirm button to make the app “Live”.
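Steps 8 and 11 leave the server side of the ResponseType.CODE flow to you. The example below is added here and is not the post's or Account Kit's own code: it shows a server redeeming the code the device sent, reading the account back from the API with an appsecret_proof, confirming the account belongs to this app, and only then issuing a session of its own, so that nothing the device reports about itself is trusted. The endpoint paths under graph.accountkit.com, the AA|app_id|app_secret app token, the appsecret_proof convention and the shape of the /me response are assumptions drawn from the Account Kit REST documentation and should be confirmed against your dashboard; FakeAccountKitApi is a constructed stand-in so the whole flow runs offline.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed from the Account Kit REST docs; confirm before relying on them.
TOKEN_URL = "https://graph.accountkit.com/v1.3/access_token"
ME_URL = "https://graph.accountkit.com/v1.3/me"

HttpGet = Callable[[str], dict]   # url -> decoded JSON body


def appsecret_proof(app_secret: str, access_token: str) -> str:
    """HMAC-SHA256 of the token keyed with the app secret (Graph API convention):
    a token stolen without the secret cannot be replayed against the API."""
    return hmac.new(app_secret.encode(), access_token.encode(), hashlib.sha256).hexdigest()


class AccountKitServerLogin:
    """Server side of the CODE flow. The device only ever sends us the code;
    the access token and the account details come straight from the API."""

    def __init__(self, app_id: str, app_secret: str, http_get: HttpGet):
        self._app_id = app_id
        self._app_secret = app_secret
        self._http_get = http_get
        self._sessions = {}   # session id -> account record (use your database)

    def exchange_code(self, code: str) -> Optional[dict]:
        qs = urlencode({"grant_type": "authorization_code", "code": code,
                        "access_token": f"AA|{self._app_id}|{self._app_secret}"})
        resp = self._http_get(f"{TOKEN_URL}?{qs}")
        if "error" in resp or "access_token" not in resp or "id" not in resp:
            return None
        return resp

    def fetch_account(self, access_token: str) -> Optional[dict]:
        qs = urlencode({"access_token": access_token,
                        "appsecret_proof": appsecret_proof(self._app_secret, access_token)})
        resp = self._http_get(f"{ME_URL}?{qs}")
        if "error" in resp or "id" not in resp:
            return None
        if resp.get("application", {}).get("id") != self._app_id:
            return None   # token was issued for some other app
        return resp

    def login(self, code: str) -> Optional[str]:
        """Redeem the device's code; return our own session id, or None."""
        token = self.exchange_code(code)
        if token is None:
            return None
        account = self.fetch_account(token["access_token"])
        if account is None or account["id"] != token["id"]:
            return None
        session_id = secrets.token_urlsafe(32)   # our credential, not the Account Kit token
        self._sessions[session_id] = {
            "account_id": account["id"],
            "phone": account.get("phone", {}).get("number"),
            "email": account.get("email", {}).get("address"),
        }
        return session_id

    def session(self, session_id: str) -> Optional[dict]:
        return self._sessions.get(session_id)


class FakeAccountKitApi:
    """Constructed stand-in for graph.accountkit.com so the flow runs offline."""

    def __init__(self, app_id, app_secret, valid_code, account_id):
        self.app_id, self.app_secret = app_id, app_secret
        self.valid_code, self.account_id = valid_code, account_id
        self.token = "tok-" + secrets.token_hex(8)
        self.redeemed = False

    def __call__(self, url: str) -> dict:
        parsed = urlparse(url)
        q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
        if parsed.path.endswith("/access_token"):
            if (q.get("code") == self.valid_code and not self.redeemed
                    and q.get("access_token") == f"AA|{self.app_id}|{self.app_secret}"):
                self.redeemed = True   # a code can be redeemed once
                return {"id": self.account_id, "access_token": self.token}
            return {"error": {"message": "Invalid authorization code"}}
        if parsed.path.endswith("/me"):
            if (q.get("access_token") == self.token
                    and q.get("appsecret_proof") == appsecret_proof(self.app_secret, self.token)):
                return {"id": self.account_id, "phone": {"number": "+15555550100"},
                        "application": {"id": self.app_id}}
            return {"error": {"message": "Invalid OAuth access token"}}
        return {"error": {"message": "Unknown endpoint"}}
```

The session id handed back to the device is the only credential the client ever holds; the app secret stays on the server, and a client that merely claims "login succeeded" with an account id of its choosing gets nothing.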

So, by following these steps in order, you can integrate Facebook Account Kit into your own app and authenticate users by verifying their mobile number or email address, which cuts down on scamming and spamming.