Case Study
Poppy, Belgium’s leading ridesharing company, switched to SuperTokens in 1 day - preventing 1,000s of euros in daily fraud
April 06th 2023 • 10 minute read
Spun up secure OTP authentication in 24h
Precise control over every step in their authentication flow
Complete elimination of SMS toll fraud and user fraud
About
Poppy is Belgium’s largest ride-sharing provider, with over 4000 company-owned and operated vehicles. With one of the densest populations in Europe and traffic quickly becoming unmanageable, Poppy has been able to step in to alleviate the congestion. Each one of Poppy’s vehicles actively replaces 15 individually owned vehicles.
Overview
1 Problem
Poppy needed fine-tuned precision for their SMS OTP authentication. They were frequently getting hit with SMS toll fraud, costing up to thousands of euros per day.
2 Process
Poppy’s CTO, Thibaut, was able to set up the majority of functionality in just a single afternoon.
3 Results
After a seamless transition to SuperTokens, Poppy has complete control over their authentication behavior, with fraud all but eliminated.

“I have so many things to say about authentication.”
Thibaut
CTO at Poppy
The Premise
Poppy built a lean early product, relying on off-the-shelf components like Google Cloud and Firebase for authentication. With most of their users on the move, the team opted for phone number OTPs as a natural choice. However, they quickly ran into problems with Firebase.
Firebase suffered deliverability issues with SMS, something which was crucial for even basic authentication. Poppy was stuck with Firebase’s baked-in SMS, since there was no option to integrate a third-party service instead.
With SMS deliverability as a key UX requirement, they decided to switch to Auth0, which enabled them to integrate a third-party service like Twilio. This improved deliverability, but as they scaled they were quickly hit with toll fraud.
What is toll fraud?
Toll fraudsters use dozens or hundreds of phone numbers to request OTPs to regions where sending an SMS is expensive, racking up your SMS bill. Carrier operators reward the fraudsters with a portion of the generated charges. Unfortunately, this is a rampant problem and many carriers turn a blind eye to this malicious practice.
On several occasions, Poppy got daily bills for thousands of euros due to toll fraud.
The solution to this was to add custom logic to determine when to send the OTPs, including carrier blacklisting. It was impossible to stop the fraud in Auth0 or Twilio: there were no endpoints or webhooks available to do this.
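As an added illustration (not Poppy’s implementation and not SuperTokens’ code), this is the shape of the “custom logic to determine when to send the OTPs” described above: a gate that an SMS-sending hook consults before dispatching, combining a prefix blacklist, a per-number rate limit and a per-region burst threshold that matches the many-numbers-one-expensive-region signature of toll fraud. The blocked prefixes, limits, window and region key are constructed assumptions.

```javascript
// Added example, not Poppy's or SuperTokens' code: a gate that an SMS-sending hook
// consults before dispatching an OTP. Prefixes, limits and the window are constructed.
const BLOCKED_PREFIXES = ["+882", "+883"]; // constructed: routes treated as expensive
const PER_NUMBER_LIMIT = 3;                // OTP sends allowed per number per window
const REGION_BURST_LIMIT = 20;             // distinct numbers per region per window
const WINDOW_MS = 10 * 60 * 1000;          // 10-minute sliding window

// `now` is injectable so the logic can be exercised with a fake clock.
function createOtpGate(now = () => Date.now()) {
  const sendsByNumber = new Map();   // phone -> [send timestamps]
  const numbersByRegion = new Map(); // region key -> Map(phone -> last send)

  // Crude region key: "+" and the next three digits. A real deployment would
  // derive country and carrier from a proper E.164 parser or carrier lookup.
  const regionOf = (phone) => phone.slice(0, 4);

  function shouldSendOtp(phone) {
    const t = now();
    // 1. Hard block: never send to blacklisted prefixes.
    if (BLOCKED_PREFIXES.some((p) => phone.startsWith(p))) {
      return { allow: false, reason: "blocked_prefix" };
    }
    // 2. Per-number rate limit: one number hammering the OTP endpoint.
    const recent = (sendsByNumber.get(phone) || []).filter((ts) => t - ts < WINDOW_MS);
    if (recent.length >= PER_NUMBER_LIMIT) {
      return { allow: false, reason: "per_number_limit" };
    }
    // 3. Region burst: many distinct numbers in one region inside the window is
    //    the toll-fraud signature (dozens or hundreds of numbers, one costly route).
    const region = regionOf(phone);
    const seen = numbersByRegion.get(region) || new Map();
    for (const [p, ts] of seen) if (t - ts >= WINDOW_MS) seen.delete(p);
    if (!seen.has(phone) && seen.size >= REGION_BURST_LIMIT) {
      return { allow: false, reason: "region_burst" };
    }
    // Allowed: record the send in both structures, then let the hook dispatch.
    recent.push(t);
    sendsByNumber.set(phone, recent);
    seen.set(phone, t);
    numbersByRegion.set(region, seen);
    return { allow: true, reason: "ok" };
  }

  return { shouldSendOtp };
}
```

The returned `reason` is what you would log and alert on: a spike in `region_burst` denials is the early warning that a toll-fraud run has started.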
To make matters worse, they got hit with an unannounced 12x price hike from their authentication provider after hitting an arbitrary 10k MAU count.
“If our cloud costs go through the roof, it’s impossible to make money”
KYC was another necessity for preventing fraud, this time from users. Common run-ins with fake driving licenses and strawman enrollment meant Poppy needed to be able to prompt users with 3D face scan challenges. For the same reason, they also needed to ensure that each customer only had one active session at a time.
The Process
Requirements:
Searching for their new authentication solution, Thibaut and the team needed an ironclad plan with the following features:
- Passwordless and mobile support
- Customizable, and able to limit sessions for fighting fraud
- Open source for more security
After searching through HackerNews and Google for alternatives to Auth0, they found that SuperTokens checked all the boxes.
As part of the evaluation process, it was easy to grok the documentation and get technical guidance through the Discord.

“RP was super responsive over Discord, it was incredible to talk to the founder right away. Every challenge that I had, there was a clear answer on Discord or through documentation. Compared to Auth0, it was a better match technically, and a better match on an organization.”
Thibaut
CTO at Poppy
It didn’t take long for Thibaut to make progress. Some additional features, like limiting sessions to one per user, were added a week or two later.
SuperTokens’ flexibility allowed Thibaut and his team to:
- Get the best of both worlds with session + OAuth tokens
- Limit sessions to one per user (impossible with other providers)
- Implement fine-grained control of when and how SMS OTPs are sent
- Decorate sessions with metadata
- Analyze login history
The partnership also made sense from a “good fit” perspective. According to Thibaut, SuperTokens was the clear choice because of its ability to ship fast, an incredibly active and invested technical founder, and clear documentation.
Results
Post-implementation, transitioning between authentication providers was quick and painless.
Eventually, when there were only a few thousand people left on Auth0, Poppy simply asked their users to reset their passwords and the switch off of Auth0 was complete.
“We supported both for some time - for six months. Customers didn’t know anything about it. At around 5k volume, we restricted the remaining OTPs to a day timeline to clear them out, and then deleted them the next day. After that point, everything was switched over to SuperTokens.”
Since switching to SuperTokens, Poppy has continued growing from 38k to 62k approved drivers. Scalability has been a non-issue, with consultation with the SuperTokens team only to implement new features.
The best part - Poppy’s full ownership over their OTP sending means they’ve completely eliminated toll fraud and are set for any custom verification features they might need in the future.
To watch the entire case study discussion video, click here.