Plexure validates the uniqueness of a consumer against the Username field.
When the app developer decides which field to use for the Username, they should also decide how the uniqueness of a consumer will be identified.
Plexure does provide APIs to change a consumer's username should it be required in the future, for example if the consumer wants to change their email address (or phone number). These APIs can be exposed in a user interface (web, mobile or any other digital interface) directly to the consumers.
Here are a few examples that can be used:
1. Consumers can be asked for their email address. This can be set to both the Username and Email fields. This assumes nobody else has access to the consumer's email or ever will.
2. Consumers can be asked for their mobile number. This can be set to both the Username and mobile number fields. Security should be considered if this mobile number might be recycled by a mobile network. For example, if there is a chance of another consumer getting this number in future then the phone number should not be used for a forgotten password flow to re-validate a consumer in the future.
Optionally, consumers can be asked to verify their mobile phone or email to ensure that they are not providing a fake email or phone number. This is very useful when consumers are given free or high value discounts as rewards for signing up to the app. It forces the consumer to use a valid identification, which discourages creating multiple accounts. Both email and phone number validation can be used; they are described below.
These flows are unique to your specific scenario. Contact Plexure to help set them up.
An email validation flow can be implemented that forces the consumer to verify their email address. Typically a customer would first register from within the mobile app. At this point the consumer is forced to have a default tag of "Registered-Unverified". Content and push messages could be targeted to unverified consumers to help them complete this process or run it again.
The Plexure system is configured so that an email will automatically be sent when the Registration event occurs. Once the consumer receives a verification email they need to click on a link within a given time frame (e.g. 24 hours). This link will take them to a web page that will confirm their identity using a verification token embedded in the web URL. This web page will update their consumer tag to "Registered-Verified". This web page could auto redirect to the app (if the consumer is on their mobile phone) or just confirm that the consumer can now open the app on their phone as they have successfully completed verification.
At this point the mobile app can tell the consumer is verified based on getting the list of the consumer's tags at startup (the Registered-Verified tag will be present). The app can then expose additional features to the consumer based on the presence of this tag.
Any email engine with an API can be used. It is important that the email sender and email server are valid and whitelisted. Plexure recommends use of SendGrid as the default option if there isn't one already available.
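The verification link described above depends on a token that cannot be forged, expires, and works only once. The following is an added example, not Plexure code: the HMAC-signed token format, the in-memory tag store and the names register and verify are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import time

SECRET_KEY = secrets.token_bytes(32)  # assumption: server-side secret, never shipped in the app
TOKEN_TTL = 24 * 60 * 60              # the 24-hour window used as the example in the text
TAGS = {}                             # consumer id -> tag (stand-in for the consumer tag store)
USED_NONCES = set()                   # nonces of links that were already redeemed


def _sign(payload: str) -> str:
    mac = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).rstrip(b"=").decode()


def register(consumer_id: str, now=None) -> str:
    """Tag the consumer as unverified and return the token to embed in the emailed URL."""
    now = int(time.time() if now is None else now)
    TAGS[consumer_id] = "Registered-Unverified"
    payload = f"{consumer_id}.{now + TOKEN_TTL}.{secrets.token_urlsafe(16)}"
    return f"{payload}.{_sign(payload)}"


def verify(token: str, now=None) -> bool:
    """Called by the verification web page; flips the tag only for a valid, fresh, unused token."""
    now = int(time.time() if now is None else now)
    try:
        consumer_id, expires, nonce, sig = token.rsplit(".", 3)
    except ValueError:
        return False                                  # malformed token
    payload = f"{consumer_id}.{expires}.{nonce}"
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return False                                  # forged or altered token
    if now > int(expires) or nonce in USED_NONCES:
        return False                                  # expired, or link already used
    if TAGS.get(consumer_id) != "Registered-Unverified":
        return False                                  # unknown or already verified consumer
    USED_NONCES.add(nonce)
    TAGS[consumer_id] = "Registered-Verified"
    return True
```

A failed check leaves the tag at "Registered-Unverified", so the consumer can be sent a fresh link to run the process again.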
Mobile Phone Validation
For mobile phone number validation the consumer is asked at registration for their mobile phone number.
There are multiple flows that could be used and the choice is yours. Here are some examples:
- A consumer could first be asked to validate a phone number and receive a code. The code could be required before finally registering the consumer in Plexure.
- A consumer could be registered in Plexure applying the consumer tag "Registered-Unverified". At this point the consumer can be sent a code via SMS to enter into a form in the app, or they can be sent a URL to click on which will validate their consumer id via the web or directly through a deep link inside the app. Or both could be sent ("Enter this code or click on this link ..."). After verifying their code the tag can be changed to "Registered-Verified". Content and push messages could be targeted to unverified consumers to help them complete this process or run it again.
is done during the registration process using the consumer registration API.
Typically developers choose to make the username and email address the same to automatically enforce email uniqueness.
Mobile SMS validation can also be used for the consumer to sign in again in future simply by receiving an SMS code. This avoids the need for a consumer to remember a password. This assumes consumers' phone numbers are permanently assigned to them and not recycled by the mobile provider. This is not good security practice if the consumer's phone number is temporary (e.g. pay as you go) and may be used by another consumer in the future.