Vonage Silent Authentication Is Now in Beta
Published on April 16, 2024

We're pleased to announce that as of the 27th of March, Vonage's Silent Authentication within the Vonage Verify API is now in Beta! We announced the addition of this functionality back in January last year, but there are some best practices and efficient ways to implement the API that I'll go through.

What is Silent Authentication?

Silent Authentication is a new authentication mechanism designed as an alternative to the One-Time-Password (OTP) industry standard of Two-Factor Authentication. The de-facto usage of OTP is currently to send a code or PIN to a device for verification or to use a third-party tool such as Google Authenticator to generate an encrypted, time-sensitive code that the user can send for verification that is also set up server-side.

Vonage's Silent Authentication eliminates the need for a second step in this process by integrating with your applications to create a seamless "one-click" trace in an HTTP request to determine the authenticity of the user.

How Does It Do That?

In a Silent Authentication request, Vonage checks your Subscriber Identity Module (SIM) to make sure it matches the carrier's records. You can read more about Vonage's new Network APIs introduced earlier this year, which include another similar layer of security through an API called SIM Swap. SIM Swap works by checking how long a users' SIM card has been active on the device being used. To work, the authentication must be started by the user's device using a cellular connection only - this makes it a little tricker for web application integrations but within native mobile apps you can use Vonage's Android SDK or iOS SDK to force the connection through cellular.

There is a big tradeoff here between end users and developers. Essentially, for users, authentication becomes one seamless process, reducing the authentication process to a click of a button. Under the hood though, developers need to understand the underlying complexity to implement it. For example, here is the workflow if you are using a web application running NodeJS:

Diagram showing the Silent Authentication FlowDiagram showing the Silent Authentication Flow

This includes some best practices as well as the vanilla integration - you'll notice that the request_id value is being stored in a cookie. Because of the workflow needing to go back and forth with the server several times, the workflow is vulnerable to a Person-in-the-middle attack. The code on the server can prevent this by storing and checking that the request_id matches throughout the workflow.

It's worth noting that the example workflow above is for the Synchronous implementation. You can use Silent Authentication asynchronously using webhooks. The implementation for doing this asynchronously would be more difficult to document effectively, however, so we've stuck to explaining only the former. You can read more about asynchronous callbacks here.

Silent Authentication Code Examples

There are some existing cURL examples in the article I wrote when we announced the alpha release, but we're a little bit further down the line now and I'd expect you'd want to see some actual examples of it being used in practise, right?

No problem. There are two quick ways to see it in practice:

The express app example and its corresponding tutorial shows the plainest example of sending and parsing the requests you get back from the API.

For a more framework-oriented example, I have created the Silent Authentication Laravel app demo. Yes, it's php and Laravel, but if that's not your thing then the implementation should be readable and portable to other frameworks. Laravel, for instance, was influenced by and now also influences Ruby on Rails and within the PHP world, Symfony was influenced by and influences Python's Django, and Java's Spring Boot. Fancy Authentication for all!

Silent Authentication is part of Vonage's Verify V2 - so, you have options available to you if, for example, the Silent Authentication workflow fails because either the territory is not supported or the device is connected via WiFi. You have other workflows available, so to fall back to an OTP delivered via SMS, you can add it at the start of the workflow. Within the code, a request would look like the following in cURL:

curl -X POST https://api.nexmo.com/v2/verify \ -H "Content-Type: application/json" \ -H "Authorization: Bearer XXXXX" \ -d '{"brand": "Your Brand", "workflow": [ {"channel": "silent_auth", "to": "447700900000"}, {"channel": "sms", "to": "447700900000"} ] }'

Under the workflow array, you can specify several options in the order you want to attempt authentication.

Conclusion

Security through authentication is becoming more and more of an essential aspect of modern applications. This is the reason why Vonage's Network APIs can be thought of as the start of "building blocks" of security within your app. Silent Authentication, in a similar way, is designed to be added as the first attempt at user authentication security before falling back to other methods such as SMS or Voice.

Got questions? You can sign up to our community Slack or tag us on X.

James SecondeSenior PHP Developer Advocate

A trained actor with a dissertation on standup comedy, I came into PHP development via. the meetup scene. You can find me speaking and writing on tech, or playing/buying odd records from my vinyl collection.

Ready to start building?

Experience seamless connectivity, real-time messaging, and crystal-clear voice and video calls-all at your fingertips.