Designing Secure and User‑Friendly SMS Verification Systems

Story

While trying to claim a free 14‑day membership for a reading app, the author encountered a "network error" when submitting the phone number on a PC browser. Opening the developer tools revealed a cross‑origin error, which disappeared when the same page was accessed on a mobile device, indicating the service was designed primarily for mobile and blocked PC requests.

After waiting for the SMS cooldown, the mobile verification succeeded, confirming that the backend limits the number of verification codes sent per phone number within a fixed time window for security and cost reasons.

SMS Verification Design Summary

SMS verification is now a ubiquitous feature in many products, from registration to banking and marketing. Most companies rely on paid third‑party SMS services, which makes abuse costly and leads to the emergence of "SMS bombing" tools that mass‑send messages.

SMS bombing tools automate bulk phone number submissions and IP spoofing to flood services with verification requests.

To mitigate abuse, products must define clear restriction rules and design both front‑end and back‑end controls collaboratively.

1. Time Limit

After a request, the client shows a countdown (commonly 60 seconds) during which the user cannot request another code.

The exact interval should consider product characteristics, network latency, and SMS cost.

2. Captcha + Time Limit

Require users to solve a graphical captcha before sending the SMS request. The captcha can be optional initially and enforced after a certain usage threshold.

If the front‑end countdown is 60 seconds, the back‑end code validity should be longer (e.g., 5–10 minutes) to prevent bypass.

3. Phone‑Number Rate Limit

The same phone number may receive at most X messages within a defined period (e.g., 3 messages per hour).

This limits manual abuse but does not stop distributed attacks using many numbers.

4. IP and Cookie Limits

Restrict the number of requests from the same IP or Cookie within a time window.

While IPs can be spoofed and cookies cleared, this adds another layer of protection.

5. SMS Alert Mechanism

Monitor SMS usage and trigger alerts when thresholds are exceeded, allowing administrators to intervene quickly.

Even with these measures, complete elimination of abuse is impossible, so continuous monitoring is essential.

Postscript

A seemingly simple feature like SMS verification can become complex when considering security, user experience, and multi‑device compatibility. Developers should think about where to store verification codes (memory, cache, or database) and what length and content provide the best user experience.

Thoughtful design of each small function improves overall product quality and security.