gitpod
gitpod copied to clipboard
gitpod-io
Add Phone Verification for new Users
In order to reduce the ever increasing amount of abuse on Gitpod, we'd like to make it hard for such people to get onto Gitpod. The hypothesis is that phone number verification would add an extra step that can reduce the amount.
The verification should happen before after signup but before they can start their first workspace. We could further reduce the friction for good users by whitelisting based on certain criteria (e.g. age of GH or GL account).
The verification should only be active on SaaS and we should make use of an external service such as Twillio's Verify.
See design specs below. 🥯
Cross-posting also some relevant meeting notes (internal) and two relevant RFCs[1][2] (internal).
Moved this also to Scheduled (ETA: ~10 days) in product design board. 🎹
Moving this to In Progress to catch up with the recently open https://github.com/gitpod-io/gitpod/pull/11346. Cc @svenefftinge
Adding below some early designs on how the flow could look like, depending on the third party service API flexibility and if we're going to also block or allow dashboard access when a user has not completed user validation:
| Modal (Empty) | Modal (Input) | Modal (Invalid Input) |
|---|---|---|
 |
 |
 |
| Verification (Sent) | Verification (Resent) | Verification (Input) | Verification (Invalid Input) |
|---|---|---|---|
 |
 |
 |
 |
| Verification (Progress) |
|---|
 |
| Validation Required Alert |
|---|
 |
See design specs.
Phone number verification example from Kaggle: https://www.loom.com/share/0e7d8b3bf7d2422aa6770ca37089d349
Currently there is a modal pop-pup without data protection note, no explanation how you use the phone number, no opt out, no link to a data protection statement - all of which appears to be in violation of GDPR and related frameworks. In doubt, check with your data protection officer.
Heya, I'm trying to set up GitPod at work as part of a paid organization and I encountered this step. My company is already paying for GitPod service; I shouldn't be required to provide additional personal information just to use the tool we bought. Additionally, as @crcdng notes, there's no statement here about how this info will be stored or used.
Is there a way that I can set up GitPod for a paid organization so that members of the team aren't asked to provide additional personal information at setup?
The privacy policy (which is not directly accessible form this modal) says:
When registering for a Gitpod account, we use Twilio Verify, provided by Twilio, Inc. as our phone number and user account verification service to detect fraud and abuse, which is integrated with the SaaS version of our product. The information processed in this system includes your phone number. For more information, you can refer to Twilio’s privacy policy at https://www.twilio.com/legal/privacy
Hi @tomlowenthal, thank you for sharing feedback. You can subscribe to https://github.com/gitpod-io/gitpod/issues/17583
It seems like you are experiencing issues with authorization. When you enter the code "6", the "Validate Account" button remains inactive. However, if you enter "66666", the "Validate Account" button becomes active.
