I'd like to propose a new Web API to enable a more user-friendly and secure method for phone number verification: the Web Flash Call API.
The current standard for web-based phone number verification relies on SMS One-Time Passwords (OTPs). This method introduces significant user friction. Users must:
A superior alternative, flash call authentication, exists in the native app ecosystem. It works by placing an automated, single-ring call to a user's phone, with the caller ID containing a unique verification code. The native app then reads this code from the device's call logs to verify the user without any manual input. This is not possible on the web platform due to critical security sandboxing.
I propose a new, dedicated Web API that enables this functionality without compromising user security. The API would not grant a website direct access to a user's call logs. Instead, it would act as a secure, browser-managed "picker," similar to the Web Share or File System Access APIs.
The API would work as follows:
navigator.telephony.flashCall()
, passing the user's phone number.This approach provides a seamless user experience while strictly adhering to Chromium's privacy and security principles.
This proposal is designed to directly address the security concerns of accessing sensitive data.
This solution offers a pragmatic way to bring a critical native app feature to the web, improving the user experience for web-based applications that require phone number verification, such as web-based phone apps.
I look forward to your feedback and discussion.
Best regards,
Kebba
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/CAJPYs8kOq3CaezFq3tUqLiH3DSS1_CwwbHncj4okwUx%3D1K8jQg%40mail.gmail.com.
Not Clear to me either please explain how to used it.
I hope so too!
That's an interesting point. While both calls and SMS messages can be redirected in a SIM swap attack, the security benefit of using flash calls for authentication isn't about preventing the redirection itself. The advantage lies in the fact that it's a zero-trust method.Think about it this way: a flash call authentication doesn't rely on the user to receive and enter a code. Instead, it works by the system programmatically verifying the call from a pre-determined number, without the user ever picking up the phone. This removes the "human-in-the-loop" step, which is where many phishing and social engineering attacks succeed. It makes it much harder for an attacker who has hijacked a SIM to also trick the user into revealing a one-time password (OTP) or to bypass the security measure in real-time.Regarding the billing, you're right to question it. The service we've partnered with operates on a clear, pre-negotiated agreement. It's not about exploiting a loophole, but rather about leveraging an established service within the telecommunications network that provides a more secure and efficient authentication method. We have a direct partnership with the provider, and the terms of that agreement are in place. This ensures the service is reliable and sustainable, rather than being dependent on an temporary billing oversight.
Appreciate it bro
This e-mail is intended solely for the person or entity to which it is addressed and may contain confidential and/or privileged information. Any review, dissemination, copying, printing, or other use of this e-mail by persons or entities other than the addressee is strictly prohibited. If you receive this e-mail in error, please notify the sender immediately and delete the material from any computer.
Hey Reilly,Thanks for your thoughts fair point on the billing side, but let's set that aside for a moment since our partnership with our provider explicitly allows flash calls as part of our integration, so it's not an exploit but a supported feature in our setup. On the security front, while no phone-based method is invincible (e.g., SIM swaps hit both SMS and calls equally), flash calls do offer tangible advantages over SMS for verification in services.
Here's why:First, flash calls are inherently more resistant to remote interception. SMS relies on the SS7 protocol, which has well-documented vulnerabilities allowing attackers (even non-state ones) to eavesdrop or reroute messages globally without physical access to the device. Flash calls use voice signaling networks, which have fewer exploited weaknesses for this purpose, making them tougher for remote hacks like man-in-the-middle attacks on SMS.
Second, device-level threats are lower: Malware can easily read SMS inboxes (e.g., via Android permissions abuse), but flash calls display the code in the call log (via CLI), which is less accessible to apps without explicit voice permissions. This reduces risks from common phishing or trojans, where SMS fraud is rampant.
Finally, flash calls are faster and more reliable in low-signal areas, minimizing exposure windows during verification. Combined with our partnerships, this ensures seamless, carrier-backed delivery without loopholes, it's a deliberate design choice for better UX and security.
I'd love to hear more on your take, do you see any specific attack vectors I'm missing?
Kebba
On Sun, Sep 7, 2025 at 1:47 PM Kebba Jallow <kjal...@gmail.com> wrote:Hey Reilly,Thanks for your thoughts fair point on the billing side, but let's set that aside for a moment since our partnership with our provider explicitly allows flash calls as part of our integration, so it's not an exploit but a supported feature in our setup. On the security front, while no phone-based method is invincible (e.g., SIM swaps hit both SMS and calls equally), flash calls do offer tangible advantages over SMS for verification in services.Here's why:First, flash calls are inherently more resistant to remote interception. SMS relies on the SS7 protocol, which has well-documented vulnerabilities allowing attackers (even non-state ones) to eavesdrop or reroute messages globally without physical access to the device. Flash calls use voice signaling networks, which have fewer exploited weaknesses for this purpose, making them tougher for remote hacks like man-in-the-middle attacks on SMS.My understanding is that SS7 routing applies to SMS and voice equally, but this is not my area of expertise so I'll take your word for it if calls use a more secure routing network.Second, device-level threats are lower: Malware can easily read SMS inboxes (e.g., via Android permissions abuse), but flash calls display the code in the call log (via CLI), which is less accessible to apps without explicit voice permissions. This reduces risks from common phishing or trojans, where SMS fraud is rampant.This feels like a temporary benefit since if applications start requesting access to the call log to implement flash call authentication then we'll eventually have the same problem. The solution is better permission management across all APIs, not switching to a temporarily niche option. Android provides a secure option for developers to receive only SMS 2FA codes meant for their application.Finally, flash calls are faster and more reliable in low-signal areas, minimizing exposure windows during verification. Combined with our partnerships, this ensures seamless, carrier-backed delivery without loopholes, it's a deliberate design choice for better UX and security.This seems like a tangible benefit as I believe you're right that carriers prioritize call establishment messages over SMS traffic.I'd love to hear more on your take, do you see any specific attack vectors I'm missing?I think this covers it. Thank you for the discussion. For next steps, you'll need to find a Chromium developer interested in prototyping this feature. You should also reach out to the WebKit project for feedback from Apple developers. Documenting the benefits, trade-offs and existing alternatives will be helpful in making the case for investing in new work here.
Hello Chromium Devs,I'd like to propose a new Web API to enable a more user-friendly and secure method for phone number verification: the Web Flash Call API.
The ProblemThe current standard for web-based phone number verification relies on SMS One-Time Passwords (OTPs). This method introduces significant user friction. Users must:
- Leave the web application.
- Open their messaging app.
- Copy a code.
- Return to the web app to paste the code. This process is cumbersome and can lead to user drop-off. 😥
A superior alternative, flash call authentication, exists in the native app ecosystem. It works by placing an automated, single-ring call to a user's phone, with the caller ID containing a unique verification code. The native app then reads this code from the device's call logs to verify the user without any manual input. This is not possible on the web platform due to critical security sandboxing.
Proposed Solution: A Secure Picker APII propose a new, dedicated Web API that enables this functionality without compromising user security. The API would not grant a website direct access to a user's call logs. Instead, it would act as a secure, browser-managed "picker," similar to the Web Share or File System Access APIs.
The API would work as follows:
- A web application calls the proposed API, for example, navigator.telephony.flashCall(), passing the user's phone number.
- The browser's operating system displays a clear permission prompt to the user, requesting consent to listen for a flash call from the service.
- If the user grants permission, the browser's underlying platform listens for a single incoming call to that specific number.
- When the flash call is received, the browser securely extracts only the last few digits of the caller ID.
- This sanitized data is then passed back to the web application as a promise result. The web page never gets to see the full call log, and the process is completed automatically for the user.
- The web app can then send this extracted code to its backend for verification.
--
--
Chromium Developers mailing list: chromi...@chromium.org
View archives, change email options, or unsubscribe:
http://groups.google.com/a/chromium.org/group/chromium-dev
---
You received this message because you are subscribed to the Google Groups "Chromium-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to chromium-dev...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/chromium-dev/a1616e59-7820-4b8f-82f4-a20bcfe893d1n%40chromium.org.
Hi Reilly and Thomas,Thanks for the excellent insights.Reilly, you're spot on about the space constraints being a critical factor. For flash calls, it should indeed be enough room. The proposed system would only send a short 4-6 digit CLI. The critical piece for verification—the pre-asserted identity—will be the user's number, which is handled separately and used to authorize the call for the verification process. This approach is designed to be highly efficient and avoids the data limitations of a traditional caller ID.Thomas, that's a great data point about WhatsApp. Flash call verification is rapidly becoming the most trusted and frictionless method for phone number verification in native apps. The challenge you've identified with PWAs on Chrome—requiring manual input—is exactly the type of friction we need to solve to bring that same seamless experience to the web.I can't join your team as a developer, but I can definitely assist with this innovation. I can help with research, brainstorm potential solutions, provide technical documentation, and even generate code snippets and architectural ideas to help you move this project forward. How can I best support you in developing this?
I was just setting up WhatsApp on a new phone, and they work with a flash call by default, falling back to SMS or a picked up phone call. This is notably the native app, but a data point that flash calls are used in globally popular apps. https://faq.whatsapp.com/729321962119902