codema.in

Provide phone number verification via SMS OTP using Prav app

Pirate Praveen · Public · Seen by 21

Currently we provide accounts on request and it involves a manual process. Prav is looking for gratis XMPP providers as a fallback option since Prav accounts need subscription and some people may not be able to / want to pay. See https://codeberg.org/prav/pravserver/issues/21 for details. This would help us avoid the manual processing (we can still offer that to people who don't want phone number verification for more privacy) and prevent spam sign ups to a large extent (creating many phone numbers would be costly and riskier to do anonymously).

We will need to provide a component API to create users (maybe later for directory query) and access to prav server to connect to this end point. ejabberd already has the required component code, we will have to write a component for prosody.


Poll Created Mon 10 Mar 2025 7:27AM

Allow Prav app to create durare.org accounts after verifying phone number with SMS OTP
Closed Mon 31 Mar 2025 7:00AM

Outcome
by Pirate Praveen Mon 31 Mar 2025 7:21AM

We have addressed concerns about handling phone numbers raised by kannan and buster, also about spam by perry. We can allow sign ups, provided custom username is mandated for durare.org accounts.

What is the decision you need to make?

We should allow Prav app to create durare.org accounts after verifying phone number with SMS OTP.

Why is this important?

This will make creating durare.org accounts easier / automated, at the same time preventing spam sign ups by verifying phone number. We will still keep the manual sign up option for people who don't want to use Prav app to sign up.

What are you asking people to do?

Support this proposal so we can move forward with this collaboration with Prav. We will have to find volunteers or raise funds to pay someone to add prosody support to Prav Server.

For this proposal to pass, we need the majority of members to vote Agree.

If you Disagree, say why and what needs to change for you to Agree.

Results

| Option | % of points | Voters | Voter initials |
| Agree | 85.7% | 6 | KVM D P RD BS PP |
| Abstain | 14.3% | 1 | BK |
| Disagree | 0.0% | 0 | |
| Block | 0.0% | 0 | |
| Undecided | 0% | 46 | PB MS I S MK SK NV BC AKS RD S MKT NAJ PS AA JN JI HM PK PV |

7 of 53 people have participated (13%)


Pirate Praveen
Agree
Mon 10 Mar 2025 7:27AM

This would benefit both projects and make things easier for people. They get an option to join Prav directory.


perry
Abstain
Mon 10 Mar 2025 7:27AM

Prav currently uses only phone number verification. While this might prevent spam to an extent, there is no guarantee that people having conservative, traditionalist views won't join the server.

There were some accounts on the diaspora instance at diasp.in who posted misinformation on genocides and religious and racial minorities every day. I'm not sure verifying phone number will prevent that kind of spam.


Pirate Praveen Tue 18 Mar 2025 8:37AM

@perry diaspora and xmpp have different models. In case of diaspora, we, server admins, have to deal with spam. But in XMPP every group admin can deal with spam in their own groups. And in general people can report spammers in individual chats and we have to deal with that anyway.


Pirate Praveen Tue 18 Mar 2025 9:01AM

Even if we are creating accounts manually, the type of posts you mentioned cannot be prevented. So we are not really doing anything less than what we already do, rather doing more checks. Right now, they only need an email address. Now we are just adding an option to do this automatically if they share a phone number.


Badri Sunderarajan
Agree
Mon 10 Mar 2025 7:27AM

It's a good idea to collaborate with more projects, and the fact that Durare uses Prosody instead of ejabberd will help ensure that any solutions we come up with are generically applicable (and not installation-specific, as tends to happen if we only test against a single setup).


Kannan V M
Disagree
Mon 10 Mar 2025 7:27AM

As durare is a free software community hosted project, I would recommend it to collect the minimum possible data. A phone number can be identifiable information, which will add more liability on our side.


Pirate Praveen Tue 18 Mar 2025 7:08PM

@Kannan V M we could ask prav to make custom username mandatory for durare.org accounts. Then phone number will be stored only in prav directory, we don't need to store it.


Pirate Praveen Sun 23 Mar 2025 8:13AM

If only Prav collects this information and not durare.org, does that address your concern? Prav is prepared to collect phone numbers and has a privacy policy that talks about collecting phone numbers.


Buster Keaton
Disagree
Mon 10 Mar 2025 7:27AM

Same concern as Kannan's. Phone numbers of future Durare users will be on Prav server, and as a result maybe they are discoverable via phone numbers too? What if users want to have accounts at both prav and durare? Will it be linked and identified through query by other users? I wouldn't want that.

The only advantage I see for durare is of no manual account processing. It will be of help to volunteers, but I don't want to have more liability on our side.
