SMS-MO Authentication Flow

  • The Authentication flow verifies user identity for payment integration, serving as input for processes like associating accounts.

  • Google assists in selecting the optimal authentication mechanism during onboarding, such as SMS-MO, which involves sending an Authentication Request ID via SMS.

  • The SMS-MO flow involves the user, Google UI/device, Google server, Payment Integrator server, and Authentication Request ID, interacting to authenticate the user's identity.

  • The process begins with the user initiating the flow on a Google UI, triggering an SMS containing an Authentication Request ID sent to the Payment Integrator, which then validates the ID with Google.

  • Google might resend the Authentication Request ID via SMS if the session is nearing expiration or the user manually resends the message.

Authentication User Flow

Overview

The purpose of the Authentication flow is to identify and authenticate the user to the Payment Integrator (integrator).

Authentication is an input to other methods, particularly for associateAccount.

Google can also use the authentication flow in standalone mode to verify a user. In this case it is not used as an input to any other flow, but only to verify that a user is able to authenticate this identity.

Keep in mind that when you are onboarding, Google will work with you to choose the authentication mechanism that will best fit your product.

How the flow works

User authentication can be facilitated with an SMS message sent from the user's device to the Payment Integrator over the Integrator's cellular network.

SMS-MO Authentication

The Short Message Service, Mobile Originated (SMS-MO) authentication flow uses an SMS containing an Authentication Request ID, sent from the user's phone to the Payment Integrator, to authenticate the user.

[Diagram: SMS-MO Authentication Flow]

Here is a list of objects in the diagram and what they represent:

  • User: This is the person who wants to add a payment method to their Google account.
  • Google UI/Device: In this case, a Google phone app where the customer begins to set up a payment method.
  • Google Server: The backend server at Google that generates the SMS instructions with an Authentication Request ID and receives the authentication result from the integrator.
  • Payment Integrator Server: The backend server of the integrator that receives the authentication SMS and returns the Authentication Request ID to Google.
  • ARID: Authentication Request ID

Since this is an authentication flow, we already assume the user is using an app (Google UI) and is trying to add a payment method. This is where initialization begins.

  1. The User selects a Tokenized instrument to add.
  2. The Google UI calls the Google Server to initiate the SMS-MO Challenge.
  3. The Google Server returns SMS instructions, consisting of a destination and a body containing the Authentication Request ID.
  4. The Google UI sends the SMS to the Payment Integrator.
  5. The Payment Integrator Server calls the authenticationResultNotification endpoint on the Google Server with the Authentication Request ID.
  6. The Authentication Request ID is validated by the Google Server, which responds with SUCCESS.
  7. The Google UI calls the Google Server to obtain the result of the authentication attempt.
  8. The Google Server responds with SUCCESS.
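
The steps above, simulated from both sides as an added example (not code from Google or from this page). It shows how an integrator can treat a resent SMS idempotently and tie the Authentication Request ID to the network-supplied sender number. Assumptions: the "GPAY <ARID>" body layout, the destination number, the class and method names, and every result string other than SUCCESS are hypothetical.

```python
import re
import secrets

# Assumed SMS body layout "<keyword> <ARID>"; the page does not specify the real one.
ARID_RE = re.compile(r"GPAY ([A-Za-z0-9_-]{16,64})")


class GoogleServerSim:
    """Stand-in for the Google Server (steps 2, 3, 6-8); not Google's code."""

    def __init__(self):
        self.state = {}  # ARID -> "PENDING" or "SUCCESS"

    def initiate_challenge(self):
        arid = secrets.token_urlsafe(24)  # unguessable, 32 URL-safe characters
        self.state[arid] = "PENDING"
        # Constructed destination and body (step 3: SMS instructions).
        return {"destination": "+15550100", "body": f"GPAY {arid}"}

    def authentication_result_notification(self, arid):
        if arid not in self.state:
            return "UNKNOWN_ARID"  # hypothetical result name
        self.state[arid] = "SUCCESS"
        return "SUCCESS"

    def get_result(self, arid):
        return self.state.get(arid, "UNKNOWN_ARID")


class IntegratorSim:
    """Stand-in for the Payment Integrator Server (steps 4-5)."""

    def __init__(self, google):
        self.google = google
        self.seen = {}  # ARID -> (sender, result); makes a resent SMS idempotent

    def on_sms(self, sender_msisdn, body):
        # sender_msisdn must come from the carrier network, never from the body.
        m = ARID_RE.fullmatch(body.strip())
        if not m:
            return "REJECTED_MALFORMED"
        arid = m.group(1)
        if arid in self.seen:
            prev_sender, result = self.seen[arid]
            # A resend from the same phone is expected; another phone is not.
            return result if prev_sender == sender_msisdn else "REJECTED_SENDER_MISMATCH"
        result = self.google.authentication_result_notification(arid)
        self.seen[arid] = (sender_msisdn, result)
        return result
```
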