How to verify that a phone number belongs to a person?

Some thoughts...

* Make the default that they call into the system and the system validates their phone number through caller ID that Twilio provides; only if caller ID cannot be detected or fails do you let them do an outbound call
* When the user starts the signup process from an IP address outside the U.S. (or whatever white list you build), it doesn't allow outbound calls; this could escalate into a human driven support system if you want.
* Require them to fill out a CAPTCHA (e..g type in these letters)
* Offer a way in the outbound call to prevent it from ever calling back (we do this for TweetToCall)
* Have a throttle on the overall number of outbound calls the system will make over a given time period (e.g. after 60 calls in an hour temporarily shut down new user provisioning and send you or a maintenance person an emergency call to manually audit the system); this is a sort of firewall if all of the above measures fail or there is a bug in the system

There are also passive measures you can take around logging outbound calls and the IP address that initiated them so you can monitor what's going on.

Kevin Morrill
http://socialkind.com/
Contact us if you need projects built on Twilio