SMS-MO Authentication Flow

Authentication User Flow


The purpose of the Authentication flow is to identify and authenticate the user to the Payment Integrator (integrator).

Authentication is an input to other methods, particularly for associateAccount.

Google can also use the authentication flow in standalone mode to verify a user. In this case it is not used as an input to any other flow, but only to verify that a user is able to authenticate this identity.

Keep in mind that when you are onboarding, Google will work with you to choose the authentication mechanism that will best fit your product.

How the flow works

User authentication can be facilitated with an SMS message sent from the user's device to the Payment Integrator over the Integrator's cellular network.

SMS-MO Authentication

The Short Message Service, Mobile Originated (SMS-MO) authentication flow uses an SMS containing an Authentication Request ID, sent from the user's phone to the Payment Integrator, to authenticate the user.

[Diagram: SMS-MO Authentication Flow]

Here is a list of objects in the diagram and what they represent:

  • User: This is the person who wants to add a payment method to their Google account.
  • Google UI/Device: In this case, a Google phone app where the customer begins to set up a payment method.
  • Google Server: The backend server at Google that generates the SMS instructions with an Authentication Request ID and receives the authentication result from the integrator.
  • Payment Integrator Server: The backend server of the integrator that receives the authentication SMS and returns the Authentication Request ID to Google.
  • ARID: Authentication Request ID

Since this is an authentication flow, we already assume the user is using an app (Google UI) and is trying to add a payment method. This is where initialization begins.

  1. The User selects a Tokenized instrument to add.
  2. The Google UI calls the Google Server to initiate the SMS-MO Challenge.
  3. The Google Server returns SMS instructions, consisting of a destination and a body containing the Authentication Request ID.
  4. The Google UI sends the SMS to the Payment Integrator.
  5. The Payment Integrator Server calls the authenticationResultNotification endpoint on the Google Server with the Authentication Request ID.
  6. The Google Server validates the Authentication Request ID and responds with SUCCESS.
  7. The Google UI calls the Google Server to obtain the result of the authentication attempt.
  8. The Google Server responds with SUCCESS.
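
The steps above, modeled with both servers as an added example; this is not Google's or any integrator's code. The class and method names, the REJECTED and PENDING values, the single-use and 300-second expiry checks, the short code and the phone numbers are all assumptions made for illustration; only SUCCESS and the authenticationResultNotification call come from the page.

```python
import secrets
import time

SUCCESS = "SUCCESS"        # the only result value named on the page
REJECTED = "REJECTED"      # placeholder value for this sketch
PENDING = "PENDING"        # placeholder value for this sketch
ARID_TTL_SECONDS = 300     # assumed lifetime; the page does not give one

class GoogleServer:
    def __init__(self):
        self.pending = {}   # ARID -> expiry time
        self.results = {}   # ARID -> result

    def initiate_challenge(self, destination, now=None):
        """Steps 2-3: return SMS instructions (destination + body with the ARID)."""
        now = time.time() if now is None else now
        arid = secrets.token_urlsafe(16)          # 128 random bits, unguessable
        self.pending[arid] = now + ARID_TTL_SECONDS
        return {"destination": destination, "body": arid}

    def authentication_result_notification(self, arid, now=None):
        """Steps 5-6: validate the ARID reported by the integrator."""
        now = time.time() if now is None else now
        expiry = self.pending.pop(arid, None)     # single use: a replay finds nothing
        if expiry is None or now > expiry:
            return REJECTED
        self.results[arid] = SUCCESS
        return SUCCESS

    def get_result(self, arid):
        """Steps 7-8: the Google UI asks for the outcome."""
        return self.results.get(arid, PENDING)

class IntegratorServer:
    def __init__(self, google, short_code):
        self.google, self.short_code = google, short_code

    def on_inbound_sms(self, sender, destination, body, now=None):
        """Steps 4-5: receive the SMS and report its ARID to Google."""
        if destination != self.short_code:
            return sender, REJECTED
        status = self.google.authentication_result_notification(body.strip(), now)
        return sender, status   # sender number as delivered by the network

def run_flow():
    google = GoogleServer()
    integrator = IntegratorServer(google, short_code="55555")   # constructed number
    sms = google.initiate_challenge("55555", now=0)
    before = google.get_result(sms["body"])
    first = integrator.on_inbound_sms("+15550100", sms["destination"], sms["body"], now=10)
    replay = integrator.on_inbound_sms("+15550199", sms["destination"], sms["body"], now=20)
    return before, first[1], replay[1], google.get_result(sms["body"])
```

In this model a second SMS carrying the same ARID is rejected, and so is an ARID that was never issued or has passed its assumed lifetime.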