We are Putri, Anthony, Kevin, Michelle, and Albert from Cotter (https://www.cotter.app)
Cotter is an authentication SDK that lets users log in to your website/app securely using phone numbers, without a password.
We built Cotter because authentication that works in the US doesn’t work in Southeast Asia, India, LatAm, and Africa. People there prefer to use phone numbers to log in because they don’t use email and good passwords are hard to remember.
We come from Indonesia. Over there, in order to reach more people, mobile apps make their login easily accessible to everyone, which has resulted in the removal of emails and passwords. They made SMS-based authentication a standard across sign up, login, and transactions.
However, SMS-based authentication comes with a security tradeoff and costs both users and businesses millions of dollars. Scammers have figured out several ways to extract verification codes via social engineering, SMS forwarding, and SIM-swapping. One of us has lost money due to SIM swapping and we've seen family relatives lose their digital wallet balances from social engineering. It’s easy for these scammers to extract the verification code from their target. The victims of this misconduct tend to be ride-hailers, online merchants, and other people whose income depends on mobile apps, so this issue can hit hard.
To address this, we've built a secure authentication SDK that has the convenience of only using a phone number but does not have those security drawbacks.
Cotter is unique in three ways. First, integrating with Cotter is very fast and easy - developers can provide a full authentication suite, including login, SMS one-time password, Trusted Device, Biometric, and PIN, in just a few lines of code.
Second, Cotter works across apps/websites, just like Google Sign-In. Once a user's phone number has been verified in one app, they don't need to re-verify it in other apps - one user does not have to be verified over and over again.
Third, Cotter is secure. It works like Apple's Trusted Devices, where users can only log in from a Trusted Device. It also works from within your app (no third-party authenticator app). We are following the FIDO protocol for this. Cotter's SDK generates an asymmetric key pair on the device, saves the private key in secure storage, and sends the public key to Cotter's server. Apps can choose to secure the keys using Biometric/PIN. Every time the app requests an authentication, either for a login or for a transaction, Cotter's SDK sends a signature made with the private key, which the app's server can verify.
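The trusted-device flow described above, as an added example that is not Cotter's SDK or server code: the device generates a key pair and keeps the private key, the server enrolls only the public key, hands out a single-use nonce, and verifies a signature that binds that nonce to the requested action (login or transaction). The Ed25519 choice, the nonce format and all names are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server side: keeps only public keys per trusted device plus the nonces it has issued.
type Server struct {
	keys   map[string]ed25519.PublicKey
	nonces map[string]bool
}

func NewServer() *Server {
	return &Server{keys: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Device side: generate the key pair. A real SDK keeps the private key in OS secure
// storage (Keystore / Secure Enclave); here the returned value stands in for that.
func NewDeviceKey() (ed25519.PrivateKey, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return priv, err
}

// Enroll registers a trusted device: only the public key ever reaches the server.
func (s *Server) Enroll(deviceID string, pub ed25519.PublicKey) { s.keys[deviceID] = pub }

// Challenge issues a fresh random nonce that the server will accept at most once.
func (s *Server) Challenge() string {
	b := make([]byte, 16)
	rand.Read(b) // fills b fully; documented in Go 1.24+ to never return an error
	n := hex.EncodeToString(b)
	s.nonces[n] = true
	return n
}

// Sign (device side) covers nonce and action, so a login signature cannot approve a transaction.
func Sign(priv ed25519.PrivateKey, nonce, action string) []byte {
	return ed25519.Sign(priv, []byte(nonce+"|"+action))
}

// Verify checks the signature with the enrolled key and burns the nonce (no replay).
func (s *Server) Verify(deviceID, nonce, action string, sig []byte) error {
	pub, ok := s.keys[deviceID]
	if !ok {
		return errors.New("unknown device")
	}
	if !s.nonces[nonce] {
		return errors.New("unknown or already used nonce")
	}
	delete(s.nonces, nonce) // consumed even when the signature turns out to be bad
	if !ed25519.Verify(pub, []byte(nonce+"|"+action), sig) {
		return errors.New("bad signature")
	}
	return nil
}
```

Because the signed message includes the action, a signature captured during a login cannot be replayed to approve a transaction, and because the nonce is burned on first use, even the legitimate device cannot reuse it.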
How does Cotter make money? We charge $0.02/API call + Standard SMS Rates.
We would love to hear more about your experiences authenticating users! What are your biggest pain points and what services do you wish existed to solve those? We are also happy to discuss how we can make Cotter better and more secure. Either comment here, or shoot us an email anytime at [email protected].
Also, if you want to know more about integrating with us, you can check out our documentation at https://docs.cotter.app