Along with two-factor authentication (2FA), Hosted Login v2 provides additional protection for a user’s email address and mobile device number. In Hosted Login v1:
- A user’s email address is found on (and can be changed from) the user profile’s Personal Data screen.
- A user’s password can be changed from the user profile’s Account Security screen.
- By default, the user’s mobile device number can’t be found on any of the user profile screens (although it’s easy to add that field to any of your user profile forms).
In addition to the disparate locations, Hosted Login v1 mostly treats the three attributes in question – email, password, and mobileNumber – as being no different than any other attribute. Yes, if you change your email address or password you’ll be sent a transactional email alerting you to the change. But that’s about it: beyond that there isn’t much difference between the email attribute and, say, the middleName attribute.
That’s definitely not the case with Hosted Login v2, however. For one thing, in Hosted Login v2 the email, password, and mobileNumber attributes aren’t scattered throughout the user profile. Instead, all three attributes are accessible from the Account Security screen:
Furthermore, the v2 approach to these attributes (or at least to email and mobileNumber) goes well beyond what you find in Hosted Login v1. As you can see in the preceding screenshots, the v2 user profile explicitly states that the user’s email address has been verified; that’s something that the Hosted Login v1 user profile doesn’t do. There’s also a pencil icon located next to the email address. You must click this icon if you want to change your email address (we’ll have more to say about that in a moment). Again, that’s different from the way the email address is handled in Hosted Login v1; in that version of Hosted Login, the email address is just another field on the user profile’s Personal Data screen:
A similar pencil icon is found next to the Password property: click that icon if you want to change your password.
Note, too, that the password is masked with asterisks: the password itself is never displayed, not even to the user who owns it.
And, to be fair, we should point out that this is similar to the way passwords are changed in Hosted Login v1; the major difference is that, in the v1 version, you can change your password without having to first click an edit icon.
Finally, there’s the most-notable “outlier” in the v2 screenshot: Mobile Number. As you may recall from the screenshot, following their initial login the user’s mobile number doesn’t have a listed value. In addition, it has a + icon instead of a pencil icon:
So: 1) why isn’t the mobile number shown; and, 2) what is the + icon for?
To begin with, there’s no value listed for the mobile number because the user hasn’t supplied a value. By extension, then, there’s no pencil icon because there’s nothing to edit. Instead, the + icon gives the user the opportunity to add a mobile number; clicking that icon displays the following screen:
This is where Hosted Login v2 differs radically from its predecessor. On this screen, the user enters their mobile number and then clicks Continue. In turn, an access code is sent (using SMS: short message service) to the phone number supplied by the user:
In addition, the Account Security screen updates to look like this:
The user must retrieve the verification code from their mobile device and enter it into the Verification Code Required screen: the user’s mobile number will not be changed until they’ve entered a valid code. That’s something that must be done within 5 minutes: verification codes have a very short lifetime.
Note. So what happens if the user leaves their user profile before entering the verification code? Literally nothing happens: the user’s mobile device number will not be changed. If the user wants to enter a mobile device number the next time they access their user profile, they’ll have to start all over again.
Incidentally, this verification process occurs even if two-factor authentication has been disabled. In Hosted Login v2, 2FA determines whether or not users have to provide a verification code during logins and registrations; however, 2FA does not determine whether or not a verification code must be provided if a user changes his or her email address or mobile number. Those verification codes are always required, regardless of whether or not 2FA is enabled.
If a valid verification code is provided, then the user profile is refreshed to look like this:
As you can see, a mobile number is now listed and is marked as being verified. In addition, a trashcan icon is displayed: click that, and the mobile number will be deleted.
Note. How come there’s no trashcan icon next to Email Address or Password? That’s easy: because you can’t delete your email address or password. You can change an email address or password, but you can’t get rid of either one altogether: you must have an email address and a password. By contrast, you can get rid of a mobile number: users are not required to have a mobile device number.
And while we’re at it, we should mention that, at this point in time, users are limited to one email address and one mobile device number. To allow users to enter, say, a backup email address or phone number, you’ll need to modify your schema and your forms to allow for that.
This same verification process is invoked if a user tries to change their email address. If the user clicks the edit icon next to Email Address, the following screen appears:
After the user enters a new email address and clicks Continue, a verification code is sent to the supplied address and this screen is displayed:
And yes, you’re way ahead of us: the user must retrieve the verification code from their email, type that code into the Enter Verification Code field, and then click Continue. Only if the verification code is valid will the email address be changed.
Just like the mobile device number, this verification process is applied to email addresses regardless of whether or not two-factor authentication is enabled.
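The mobile-number and email-address flows described above follow the same pattern: the new value is staged, a short-lived code is sent to the new destination, and the stored value changes only when that code is entered in time. The following is an added example that illustrates that pattern; it is not Hosted Login’s own code. It assumes 6-digit codes, a 5-minute lifetime for both channels, a single pending change per user, and an in-memory store, and the `send` and `clock` callbacks are stand-ins for real delivery and real time so the flow can be run offline.

```python
# Added example (not Hosted Login's own code): a staged change to a user's email
# address or mobile number that takes effect only after a short-lived verification
# code has been entered. Assumed details: 6-digit codes, a 5-minute lifetime for
# both channels, one pending change at a time, and an in-memory store.
import hmac
import secrets
import time

CODE_TTL_SECONDS = 5 * 60  # verification codes are valid for five minutes


class PendingChange:
    """A requested email/mobile change that has not been verified yet."""

    def __init__(self, attribute, new_value, now):
        self.attribute = attribute
        self.new_value = new_value
        self.code = f"{secrets.randbelow(10**6):06d}"  # assumed 6-digit code
        self.expires_at = now + CODE_TTL_SECONDS


class AccountSecurity:
    """Email and mobile number for one user, plus the verification flow."""

    def __init__(self, email, mobile=None, two_factor_enabled=False,
                 send=lambda channel, destination, code: None, clock=time.time):
        self.email = email
        self.mobile = mobile
        # 2FA only governs logins and registrations; the change flow below
        # never consults it, so verification is required either way.
        self.two_factor_enabled = two_factor_enabled
        self._send = send      # delivers the code by SMS or email; injected for testing
        self._clock = clock    # time source; injected so expiry can be tested
        self._pending = None

    def request_change(self, attribute, new_value):
        """Stage a change and send a code to the NEW address or number."""
        if attribute == "email":
            if not new_value:
                raise ValueError("an email address is required and cannot be deleted")
            channel = "email"
        elif attribute == "mobileNumber":
            if not new_value:
                raise ValueError("use delete_mobile() to remove a mobile number")
            channel = "sms"
        else:
            raise ValueError("only email and mobileNumber are verified this way")
        # The stored value is untouched until verify() succeeds.
        self._pending = PendingChange(attribute, new_value, self._clock())
        self._send(channel, new_value, self._pending.code)

    def verify(self, code):
        """Apply the pending change if `code` is correct and unexpired."""
        pending = self._pending
        if pending is None:
            return False
        if self._clock() > pending.expires_at:
            self._pending = None          # expired: the user must start over
            return False
        if not hmac.compare_digest(code, pending.code):
            return False                  # wrong code: the stored value stays as it was
        if pending.attribute == "email":
            self.email = pending.new_value
        else:
            self.mobile = pending.new_value
        self._pending = None
        return True

    def abandon(self):
        """Leaving the profile before verifying discards the pending change."""
        self._pending = None

    def delete_mobile(self):
        """The trashcan icon: a mobile number, unlike an email address, is optional."""
        self.mobile = None


def demo():
    """Walk through add, wrong code, expiry and abandonment; return what was observed."""
    outbox = []                           # constructed stand-in for SMS/email delivery
    now = [1_700_000_000.0]               # controllable clock
    acct = AccountSecurity("alice@example.com",
                           send=lambda ch, dest, code: outbox.append((ch, dest, code)),
                           clock=lambda: now[0])
    acct.request_change("mobileNumber", "+14255555399")
    before_verify = acct.mobile           # still None: nothing changes until verified
    channel, dest, code = outbox[-1]
    wrong = acct.verify("000000" if code != "000000" else "999999")
    right = acct.verify(code)
    acct.request_change("email", "alice.new@example.com")
    now[0] += CODE_TTL_SECONDS + 1        # let the code expire
    expired = acct.verify(outbox[-1][2])
    acct.request_change("email", "alice.other@example.com")
    acct.abandon()                        # user left the profile without entering the code
    after_abandon = acct.verify(outbox[-1][2])
    return {"before_verify": before_verify, "channel": channel, "destination": dest,
            "wrong_code_accepted": wrong, "right_code_accepted": right,
            "mobile": acct.mobile, "expired_accepted": expired,
            "abandoned_accepted": after_abandon, "email": acct.email}
```

Two details in the example matter in practice: the code is delivered to the new address or number rather than the old one (so the user proves control of what they are adding), and the comparison uses `hmac.compare_digest` so that a wrong guess takes the same time as a near miss. Attempt limiting is deliberately left out because the page does not describe one.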
A Few Notes on Entering Mobile Numbers
Phone numbers are often a major headache, both for the users who are trying to enter those numbers and for the organizations that are trying to make use of those numbers. These headaches can almost always be traced to the phone number formats that are (or are not) allowed. For example, consider a US resident with the phone number (425) 555-5399. Which of the following formats can the user employ when entering their phone number?
425 555 5399
(425) 555 5399
Oh, wait: do you need to include the calling code? If so, then which of these phone number formats are valid:
1 425 555 5399
1 (425) 555 5399
No doubt you’ve seen this problem yourself.
So how big of a headache is it for users to enter a phone number in their Hosted Login user profile? As it turns out, not much of one: after all, any of the preceding phone number formats will work just fine. And that means both the numbers that include the calling code and the numbers that don’t.
When adding a mobile phone number to your user profile, the first thing you should do is select your region from the dropdown list:
Note. By default, United States is preselected for you. See Appendix A for a complete list of regions and their calling codes.
After you select a region, enter your phone number. You can enter a formatted number (like 425.555.5399) or you can enter an unformatted number (4255555399). Either way, as soon as you exit the phone number field that number will be reformatted to fit the selected region. For example, a US phone number will end up looking like this:
Note. Although Hosted Login can recognize, and convert, phone numbers formatted in a number of ways, you might encourage your users to simply enter the digits: no spaces, no hyphens, no periods, no whatevers. Just enter the digits and let Hosted Login worry about the formatting.
When this phone number is written to the user profile, it (as well as the mobile numbers for other users, regardless of their region or calling code) will look something like this:
Storing every phone number in one standard format makes it easier for administrators to search for, say, all the users whose mobile numbers are in the US 425 area code: a single prefix match does the job, with no need to account for spaces, hyphens, or parentheses.
But there’s more to mobile number validation than just normalizing the phone number format. In addition to formatting, Hosted Login can do some validation that helps ensure that a phone number at least could come from the region in question. For example, in Costa Rica mobile numbers must start with an 8. So what happens if you enter 78901234 as a Costa Rican phone number? This happens:
Change the initial digit to an 8, and you’re back in business:
Similarly, Danish phone numbers are 8 digits long. If you enter a 7-digit phone number you’ll get the following error:
But once you add the eighth digit:
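The normalization and per-region checks described in this section can be illustrated with a small added example; this is not Hosted Login’s own code and the real region list is the one in Appendix A. It assumes the stored form is E.164 (a plus sign, the calling code, then the national number, e.g. `+14255555399`), and the three-entry `REGIONS` table is a constructed stand-in whose US pattern follows the North American numbering plan and whose Costa Rica and Denmark rules are the two stated above.

```python
# Added example (not Hosted Login's own code): normalize a mobile number entered
# in any of the common formats to one stored form and check it against simple
# per-region rules. Assumptions: the stored form is E.164 ("+" followed by the
# calling code and the national number) and the REGIONS table below is a
# constructed three-entry stand-in for the full list in Appendix A.
import re

REGIONS = {
    # calling code, allowed national-number lengths, assumed mobile-number pattern
    "US": {"cc": "1",   "lengths": {10}, "mobile": r"[2-9]\d{2}[2-9]\d{6}"},
    "CR": {"cc": "506", "lengths": {8},  "mobile": r"8\d{7}"},   # mobiles start with 8
    "DK": {"cc": "45",  "lengths": {8},  "mobile": r"\d{8}"},    # always 8 digits
}


class PhoneNumberError(ValueError):
    pass


def normalize(raw, region="US"):
    """Return the E.164 form of `raw` for `region`, or raise PhoneNumberError."""
    if region not in REGIONS:
        raise PhoneNumberError(f"unknown region {region!r}")
    spec = REGIONS[region]
    cc = spec["cc"]
    has_plus = raw.strip().startswith("+")
    digits = re.sub(r"\D", "", raw)      # drop spaces, parentheses, hyphens, periods
    if not digits:
        raise PhoneNumberError("no digits entered")
    if has_plus:
        # "+1 425 ..." must carry the selected region's calling code
        if not digits.startswith(cc):
            raise PhoneNumberError(f"calling code does not match region {region}")
        digits = digits[len(cc):]
    elif digits.startswith(cc) and len(digits) - len(cc) in spec["lengths"]:
        digits = digits[len(cc):]        # "1 425 555 5399": bare calling-code prefix
    if len(digits) not in spec["lengths"]:
        want = " or ".join(str(n) for n in sorted(spec["lengths"]))
        raise PhoneNumberError(f"{region} numbers are {want} digits long, got {len(digits)}")
    if not re.fullmatch(spec["mobile"], digits):
        raise PhoneNumberError(f"{digits} is not a valid {region} mobile number")
    return f"+{cc}{digits}"


def check(raw, region="US"):
    """Non-raising wrapper: (e164, None) on success, (None, message) on failure."""
    try:
        return normalize(raw, region), None
    except PhoneNumberError as exc:
        return None, str(exc)


def in_area_code(stored_numbers, area_code, region="US"):
    """Why one stored format helps: a prefix match finds every number in an area code."""
    prefix = f"+{REGIONS[region]['cc']}{area_code}"
    return [n for n in stored_numbers if n.startswith(prefix)]
```

With this in place, `check("(425) 555 5399")`, `check("1 425 555 5399")` and `check("425.555.5399")` all yield `+14255555399`, `check("78901234", "CR")` is rejected while `check("88901234", "CR")` is accepted, and a 7-digit Danish number fails the length check. Note the one case the page does not address and the example decides explicitly: a number typed with a leading plus sign whose calling code disagrees with the selected region is rejected rather than silently reassigned.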
- Requiring Email Address Verification Without Enabling Two-Factor Authentication
- Appendix A: Mobile Phone Number Regions and Calling Codes