Case Study
Poppy, Belgium’s leading ridesharing company switched to SuperTokens in 1 day - preventing 1,000s of Euros in daily fraud
April 06th 2023 • 10 minute read
Transportation
Spun up secure OTP
authentication in
authentication in
24h
Precise control over every step in their authentication flow
Complete elimination of SMS toll fraud and user fraud
About
Poppy is Belgium’s largest ride-sharing provider, with over 4000 company-owned and operated vehicles.With one of the densest populations in Europe and traffic quickly becoming unmanageable, Poppy has been able to step in to alleviate the congestion. Each one of Poppy’s vehicles actively replaces 15 individually owned vehicles.
Overview
1 Problem
Poppy needed fine-tuned precision for their SMS OTP authentication. They were frequently getting hit with SMS toll fraud, costing up to thousands of euros per day.
2 Process
Poppy’s CTO, Thibaut, was able to set up the majority of functionality in just a single afternoon.
3 Results
After a seamless transition to SuperTokens, Poppy has complete control over their authentication behavior with fraud all but eliminated.
“I have so many things to say about authentication.”
Thibaut
CTO at Poppy
The Premise
Poppy built a lean early product, while implementing choice off-the-shelf components like Google Cloud and Firebase for authentication.
With most of their users on the move, the team opted for phone number OTPs as a natural choice. However, they quickly ran into problems with Firebase.
Firebase suffered deliverability issues with SMS, something which was crucial for even basic authentication. However, Poppy was stuck with using Firebase’s baked-in SMS since there was no option to integrate a third party service instead.
With SMS deliverability as a key UX requirement, they decided to switch to Auth0 - which enabled them to integrate a 3rd party service like Twilio. This improved deliverability but as they scaled, they were quickly hit with toll fraud.
What is toll fraud?
Toll fraudsters use dozens or hundreds of phone numbers to request OTPs to regions where sending an SMS is expensive, racking up your SMS bill. Carrier operators reward the fraudsters with a portion of the generated charges. Unfortunately, this is a rampant problem and many carriers turn a blind eye to this malicious practice.
On several occasions, Poppy got daily bills for thousands of euros due to toll fraud.
The solution to this was to add custom logic to determine when to send the OTPs - including adding carrier blacklisting. It was impossible to stop the fraud in Auth0 or Twilio - there were no endpoints or webhooks available to do this.
To make matters worse, they got hit with an unannounced 12x price hike from their authentication provider after hitting an arbitrary 10k MAU count.
With most of their users on the move, the team opted for phone number OTPs as a natural choice. However, they quickly ran into problems with Firebase.
Firebase suffered deliverability issues with SMS, something which was crucial for even basic authentication. However, Poppy was stuck with using Firebase’s baked-in SMS since there was no option to integrate a third party service instead.
With SMS deliverability as a key UX requirement, they decided to switch to Auth0 - which enabled them to integrate a 3rd party service like Twilio. This improved deliverability but as they scaled, they were quickly hit with toll fraud.
What is toll fraud?
Toll fraudsters use dozens or hundreds of phone numbers to request OTPs to regions where sending an SMS is expensive, racking up your SMS bill. Carrier operators reward the fraudsters with a portion of the generated charges. Unfortunately, this is a rampant problem and many carriers turn a blind eye to this malicious practice.
On several occasions, Poppy got daily bills for thousands of euros due to toll fraud.
The solution to this was to add custom logic to determine when to send the OTPs - including adding carrier blacklisting. It was impossible to stop the fraud in Auth0 or Twilio - there were no endpoints or webhooks available to do this.
To make matters worse, they got hit with an unannounced 12x price hike from their authentication provider after hitting an arbitrary 10k MAU count.
“If our cloud costs go through the roof, it’s impossible to make money”
KYC was another necessity for preventing fraud - this time from users. Common run-ins with fake driving licenses and strawman enrollment meant Poppy needed to be able to prompt users with 3D face scan challenges. And for the same reason, they also needed to ensure that each customer only had one active session at a time.
The Process
Requirements:
Searching for their new authentication solution, Thibaut and the team needed an ironclad plan with the following features:
- Passwordless and mobile support
- Customizable + able to limit sessions for fighting fraud
- Open source for more security
After searching through HackerNews and Google for alternatives to Auth0, they found that SuperTokens checked all the boxes.
As part of the evaluation process, it was easy to grok the documentation and get technical guidance through the Discord.
Searching for their new authentication solution, Thibaut and the team needed an ironclad plan with the following features:
- Passwordless and mobile support
- Customizable + able to limit sessions for fighting fraud
- Open source for more security
After searching through HackerNews and Google for alternatives to Auth0, they found that SuperTokens checked all the boxes.
As part of the evaluation process, it was easy to grok the documentation and get technical guidance through the Discord.
“RP was super responsive over Discord, it was incredible to talk to the founder right away. Every challenge that I had, there was a clear answer on Discord or through documentation. Compared to Auth0, it was a better match technically, and a better match on an organization.”
Thibaut
CTO at Poppy
It didn’t take long for Thibaut to make progress:
Some additional features like limiting sessions to one per user were added a week or two later.
SuperTokens’ flexibility allowed Thibaut and his team to:
- Get the best of both worlds with session + OAuth tokensInvalidate tokens
- Limit sessions to one per user (impossible with other providers)
- Implement fine-grained control of when and how SMS OTPs are sent
- Decorate sessions with metadataAnalyze login history
The partnership also made sense from a “good fit” perspective. According to Thibaut, SuperTokens was the clear choice because of its ability to ship fast, an incredibly active and invested technical founder, and clear documentation.
SuperTokens’ flexibility allowed Thibaut and his team to:
- Get the best of both worlds with session + OAuth tokensInvalidate tokens
- Limit sessions to one per user (impossible with other providers)
- Implement fine-grained control of when and how SMS OTPs are sent
- Decorate sessions with metadataAnalyze login history
The partnership also made sense from a “good fit” perspective. According to Thibaut, SuperTokens was the clear choice because of its ability to ship fast, an incredibly active and invested technical founder, and clear documentation.
Results
Post-implementation, transitioning between auths was quick and painless.
Eventually when there were only a few thousand people left on Auth0, Poppy simply asked their users to reset their passwords and the switch off of Auth0 was complete.
Eventually when there were only a few thousand people left on Auth0, Poppy simply asked their users to reset their passwords and the switch off of Auth0 was complete.
“We supported both for some time - for six months. Customers didn’t know anything about it. At around 5k volume, we restricted the remaining OTP’s to a day timeline to clear them out, and then deleted them the next day. After that point, everything was switched over to SuperTokens.”
Since switching to SuperTokens, Poppy has continued growing from 38k to 62k approved drivers. Scalability has been a non-issue with consultation with the SuperTokens team only to implement new features.
The best part - Poppy’s full ownership over their OTP sending means they’ve completely eliminated toll fraud and are set for any custom verification features they might need in the future.
The best part - Poppy’s full ownership over their OTP sending means they’ve completely eliminated toll fraud and are set for any custom verification features they might need in the future.
To watch entire case study discussion video please click here
Share this article
