Tuesday, October 7, 2014

Mobile Application - Registration Flow

Mobile application registration is increasingly challenged by security concerns; many applications follow a simple short-code based authentication process to reject mocked registration calls that originate outside the mobile device.

Implementing this functionality with SOA concepts provides more flexibility to reuse the same functions for different purposes. This post presents an initial version of the service flow, which depicts the registration request handling system.


In the design,

  • User Device represents the device on which the mobile application will be deployed.
  • Back-end Service is an SOA service exposed through a REST / SOAP based interface.
  • SMS Delivery Platforms are cloud services like Twilio, Bulk SMS, etc.
  • Database holds the accounts for the users.
  • Statistics Interface provides graphical statistics for the number of user accounts that applied for registration, are pending verification, failed to authenticate, etc.

The user registers their MSISDN / mobile number with the application, which triggers a registration request to the back-end service. The SOA service generates a short code and transmits it to the user's mobile device via the SMS delivery platform.

The back-end service creates the account and stores it in the "Pending Verification" queue. If SMS sending fails for any reason, the account is stored in the "SMS Retry Queue" and redelivery of the SMS is attempted 3 times at the configured interval.

Once the user enters the short code for verification, or the mobile application reads the short code SMS for automatic verification, an authentication request is sent to the back-end service for verification with the following details:

- Device Details including type of OS (Android, IOS, Windows, etc.)
- Device auto generated password

On successful verification the back-end service moves the account to the active state and stores the device and its authentication details. The back-end service then establishes the push notification setup for the newly registered device and ends the registration process with a success response and an authentication token for future requests.
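The flow above (short code generation, the "Pending Verification" queue, the "SMS Retry Queue" with 3 delivery attempts, verification with device details and the device-generated password, and the final token) as a small back-end service. This is an added example written for this post, not the author's code; the SMS delivery platform is an injected callable, and the verification-attempt cap, the short code expiry, and the PBKDF2 hashing of the device password are my assumptions, not part of the post's design.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

MAX_SMS_ATTEMPTS = 3          # from the post: redeliver the SMS up to 3 times
MAX_VERIFY_ATTEMPTS = 5       # assumption: lock the account after 5 wrong codes
SHORT_CODE_TTL_SECONDS = 300  # assumption: short code is valid for 5 minutes


@dataclass
class Account:
    msisdn: str
    short_code: str
    created_at: float
    # PENDING_VERIFICATION | SMS_RETRY | SMS_FAILED | ACTIVE | LOCKED | EXPIRED
    state: str = "PENDING_VERIFICATION"
    sms_attempts: int = 0
    verify_attempts: int = 0
    device: Dict[str, str] = field(default_factory=dict)
    auth_token: Optional[str] = None


class RegistrationService:
    """Back-end registration service (illustrative; in-memory store instead of a database)."""

    def __init__(self, send_sms: Callable[[str, str], bool],
                 now: Callable[[], float] = time.time) -> None:
        self.send_sms = send_sms  # SMS delivery platform adapter, returns True on success
        self.now = now            # injectable clock so expiry can be tested
        self.accounts: Dict[str, Account] = {}
        self.pending_verification: List[str] = []
        self.sms_retry_queue: List[str] = []

    def register(self, msisdn: str) -> Account:
        # Short code comes from a CSPRNG, never from random.random() or a counter.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        acct = Account(msisdn=msisdn, short_code=code, created_at=self.now())
        self.accounts[msisdn] = acct
        self._deliver(acct)
        return acct

    def _deliver(self, acct: Account) -> None:
        """One SMS attempt; route the account to the pending or retry queue accordingly."""
        acct.sms_attempts += 1
        if self.send_sms(acct.msisdn, f"Your verification code is {acct.short_code}"):
            acct.state = "PENDING_VERIFICATION"
            self.pending_verification.append(acct.msisdn)
        elif acct.sms_attempts < MAX_SMS_ATTEMPTS:
            acct.state = "SMS_RETRY"
            self.sms_retry_queue.append(acct.msisdn)
        else:
            acct.state = "SMS_FAILED"  # surfaced on the statistics interface

    def run_retry_queue(self) -> None:
        """Called by a scheduler at the configured interval."""
        due, self.sms_retry_queue = self.sms_retry_queue, []
        for msisdn in due:
            self._deliver(self.accounts[msisdn])

    def verify(self, msisdn: str, code: str, device_os: str,
               device_password: str) -> Optional[str]:
        """Return an auth token on success, None on any failure."""
        acct = self.accounts.get(msisdn)
        if acct is None or acct.state != "PENDING_VERIFICATION":
            return None
        if self.now() - acct.created_at > SHORT_CODE_TTL_SECONDS:
            acct.state = "EXPIRED"
            return None
        acct.verify_attempts += 1
        # Constant-time compare so response timing does not leak matching digits.
        if not hmac.compare_digest(acct.short_code, code):
            if acct.verify_attempts >= MAX_VERIFY_ATTEMPTS:
                acct.state = "LOCKED"
            return None
        # Store the device's auto-generated password salted and hashed, not in clear.
        salt = secrets.token_bytes(16)
        pw_hash = hashlib.pbkdf2_hmac("sha256", device_password.encode(), salt, 100_000)
        acct.device = {"os": device_os, "salt": salt.hex(), "password_hash": pw_hash.hex()}
        acct.state = "ACTIVE"
        self.pending_verification.remove(msisdn)
        # Push notification setup for the new device would be triggered here.
        acct.auth_token = secrets.token_urlsafe(32)
        return acct.auth_token


if __name__ == "__main__":
    # Constructed demo: the SMS platform fails twice, then delivers.
    attempts: List[str] = []
    svc = RegistrationService(lambda msisdn, text: attempts.append(text) or len(attempts) >= 3)
    acct = svc.register("+15550100")        # constructed MSISDN
    svc.run_retry_queue()
    svc.run_retry_queue()
    print(acct.state, acct.sms_attempts)    # PENDING_VERIFICATION 3
    token = svc.verify("+15550100", acct.short_code, "Android", "device-generated-secret")
    print(acct.state, token is not None)    # ACTIVE True
```

The queues are plain lists here; in the real service they would be persisted alongside the account so that a scheduler restart does not lose pending retries, and the statistics interface would read the per-state counts from the same store.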

This design does not cover other use cases in the registration flow, including the following:

  1. When the user moves from one device to another and wants to continue with the existing account / mobile number.
  2. When the user changes the mobile number on an existing authenticated device.

This design will evolve with federation and other SOA security design principles.