Delivering one-time passwords (OTP) via voice call in China - twilio

Our app uses one-time passwords for 2FA. We use Twilio for delivering text messages and voice calls. However, according to their documentation (https://support.twilio.com/hc/en-us/articles/360016488474-Calling-Limitations-to-China) there are some regulations that do not allow such short voice calls:
Shorter contact use cases with calls averaging under three minutes (one-time passwords (OTPs), voice alerts, etc.) are incompatible with these new regulations
So, the question is, are there any ways of delivering OTPs via voice calls in China, maybe using some specific authorized local provider, or not?

So I have performed the research and unfortunately found out that international providers either say they do not support such scenario in the same way as Twilio communicated, or told that everything should work, but test shown that there are issues: some calls were missing, or reset automatically etc.
Checked this with TeleSign, Nexmo, Plivo and CheckMobi.
In the end I decided to find a Chinese provider who can do the same work. Tencent and Huawei Cloud provide such functionality only for Chinese companies and calling APIs from Chinese web servers.
The solution that showed that it works at least in test environment is Submail: https://www.mysubmail.com/
They have everything (like web site, docs etc) in Chinese, but the support speaks English so I managed to do all the tests I wanted.
The solution was not tested in production for now, so I'm still not 100% sure that it will work in all cases, but it is the best option I have found.

Related

Google IOT device on webhooks & post

Is there any way to create your own google IOT device based on webhooks and POST-request? Without using firebase, IFTT, node.js
Samples that Google are very poor, they don`t show all steps of creating your own app, they just showing how to deploy "their sample"
I tried to make action with dialogflow & webhook, it was pretty simple. Just processed JSON in POST request to Azure function.
But when I try to create IOT device, its ask me for fulfilment url and it does not even tries to reach that address. I read about action.device.sync, action.device.execute, it just does not communicate with the specified address, giving simulator some voice command doesn`t affect at all. Are there any ways to create IOT device to work with POST-requests & web-hooks?
The answer is it depends.
There are many different ways to do server-device communication: web sockets, local servers, hub/local control, polling, MQTT, and likely many others. All of these solutions have trade-offs, and work in particular circumstances. Depending on exactly what IoT device you want to build, its requirements and technical specs, and what cloud providers you are using, you may identify what works best.
If you run the sample, you'll see it is sending JSON requests to a server and expect JSON responses back. This is must like Dialogflow & a webhook. In this case, the smart home platform communicates solely with the server.
Your server can then communicate with the device in any way that you want. I'm not too familiar with Azure offerings. It might have an MQTT service as well, or some other sort of push notification service you might be able to use.
If you're seeing simulator issues, you may need to make sure your authentication is set up correctly, and you'll need to first complete account linking on your phone before you can use the simulator.

Does my app use crypting? Firebase

I use Firebase database, storage etc. in my application. When I uploaded my archive to Itunes Connect, it has asked me a questions about crypting. Do I use crypting in my application and etc.
I know, that Firebase uses https.
So the question is: If I use Firebase, what should I answer on this questions?
As of September 20th, 2016 (Dentons) the answer is almost always No. Unless you are a encrypted message provider like Signal, Telegram, Whatsapp or Snapchat - these export controls are no longer a concern. Nearly every app uses HTTPS these days and it defeats the purpose of the U.S. Export Registry if every app needs to be registered.
The countries that are export restricted are people you don't normally want as customers; Syria, North Korea ect... and are typically restricted from using apps for more fundamental reasons - like not having cellphone towers or even the ability to buy a cellphone. It is common for backend services like Firebase and Google to blacklist export-restricted IP spaces, so they won't be able to connect even if they get the app.

How to de-duplicate notifications between native and progressive web app?

If I have both a native app and a progressive web app using web push notifications powered by service worker, is there a way to prevent a user from receiving duplicate notifications if they opt in to receiving notifications from the web site and also have the app installed?
In short - there is no easy way to do this today.
There is a discussion on Chrome here on this: https://code.google.com/p/chromium/issues/detail?id=402223
The last comment from October 2015:
For now the safest minimal solution is for sites to provide an easy
opt out mechanism (which we strongly recommend you do anyway!) so
users can turn off notifications from one platform
Another possible heuristic based solution is to take some measure for
which interface (web or native) the user most often uses (or most
recently used) and only send to that. Combined with grouping these
devices by rough screen size should give a pretty good approximation.
The issue is that if the user has two similar sized devices and uses
native on one and web on the other then notifications will only be
delivered to one, which is an edge case.
We've also been discussing building an API so sites can tell whether
their corresponding native app is installed to avoid this case, but
need to start discussing that with other browser vendors to see if
they'd be supportive.

is it possible to programmatically send an sms via a free google (or other) service?

I'm running a Ruby on Rails application that I'm looking for a method to send some notifications via SMS (not many, just on critical failures).
It seems like this may be possible via google talk or google voice. Does anyone know how to do this?
Have a look at Twilio. They might not be entirely free, but if you want to reliably send SMS on critical errors that might be worth more than a free option that might not work that reliable.
What's more, they have an excellent twilio-ruby gem that allows you to send SMS very nicely from any app.
Pricing with Twilio depends on the country you're sending your text to, for the U.S. it would be 1 Cent for each outbound SMS.
If you get to know any free solution let me know.
Disclaimer, I do developer evangelism part time at Nexmo.
If you're only sending notifications to yourself, you may be able to just use an email alias for your cell number.
But if you're doing anything significant, the best solution is likely an SMS API. There are a few providers (this list isn't complete, but it's what I'd consider using) - pricing is in cents per message (depends on the API and destination, but hovers around a cent or two). You may be required to provision a virtual number depending on your country - pricing there is generally dollars/month (again, depends on API and destination, hovers around a dollar or two).
Nexmo
Twilio
Tropo

Twilio Voice: Tracking a user from website to twilio phone call?

I'm trying to see if this is even possible in twilio. I'm hoping maybe someone's had a similar challenge and came up with a creative solution...
Our company has a unique phone number that's only displayed on our website. I've been asked if it's possible to find out not only how many calls we're getting (which is simple enough to track in twilio), but also who's calling. Basically, they want to follow the details of a users activity. From website to phone call.
Theoretically, they'd like something like this:
A user, lets call him John, comes to the website & is assigned a unique id of "12345". The id is stored in a cookie for returning users (this I can already handle).
If John calls the phone number displayed on the website, we...somehow through the use of twilio...know it's user #12345.
We can then create monthly reports stating user #12345 called the phone number 7 times this month for a total of 18 minutes.
There's so many "what if's" that go into this, that I'm just not sure it's even possible, but perhaps someone knows of a creative way this can work? A few things I've considered, but none of them are foolproof:
Tracking a combination of John's geographical location while browsing the website and the time of web browsing, then using twilio voice to track the geographical location & time of the phone call, to make a best guess. The problem is it sounds like twilio voice isn't always great at providing geo location.
Tracking mobile click to calls on the website, then matching the time of the click to the time of the phone call. Several problems with this, including multiple users calling at the same time, and we'd only be tracking those who browsed the website via mobile, then clicked to call.
For mobile click to call, passing the user's id via a phone extension, which twilio then reads (not sure if this is even possible in twilio). But again, this would be limited to mobile users.
So, I'm just not sure if this is even possible. Any idea's on how this could be implemented?
Thanks so much for any help.
Twilio developer evangelist here.
Have you considered making it possible to make the calls through the website itself? If you implemented Twilio Client you would be able to directly track users who called from the website and they'd be able to do so without picking up the phone too. That direct connection would allow you to make the calls more personal too, as you'd know exactly which user was calling.
Check out the tutorial on implementing browser calls in Twilio and let me know what you think.
I can't think of any straightforward ways to connect a user's browsing session to a phone call made with a different device though. You could ask the user to input their ID in order to start the call, using <Gather> to receive the input and tie that call to the user and whether they currently have a live session on the site. That might be an unnecessary barrier to people calling though, so you'd have to weigh up that option.

Resources