Offer phone verification exemption for medium risk users

What does this MR do and why?

When a user has a Medium risk score (or a Low risk score when the phone_verification_for_low_risk_users experiment is enabled and the user is in the candidate group of the experiment), offer to verify their credit card instead of their phone number.

Issue: https://gitlab.com/gitlab-org/modelops/anti-abuse/team-tasks/-/issues/434

Screenshots or screen recordings

Before: Screenshot_2023-08-08_at_17.18.28
After: Screenshot_2023-08-08_at_17.20.56

How to set up and validate locally

  1. Enable identity verification

    Feature.enable(:identity_verification)
    Feature.enable(:identity_verification_phone_number)
    Feature.enable(:identity_verification_credit_card)
    ApplicationSetting.current.update(email_confirmation_setting: 2, require_admin_approval_after_user_signup: false)

  2. Visit http://localhost:3000/users/sign_up, create a new account and stop when on the identity verification page (http://localhost:3000/users/identity_verification)

  3. Update the newly created user's risk score to Medium

    User.last.custom_attributes.create!(key: UserCustomAttribute::ARKOSE_RISK_BAND, value: Arkose::VerifyResponse::RISK_BAND_MEDIUM)

  4. Refresh the page and verify that the user needs to verify their phone number, that a link "Verify with a credit card instead?" is shown like in the After screenshot, and that toggling between credit card and phone number verification is possible. (Note: completing phone and credit card verification locally requires some additional setup.)

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

Edited by Alex Buijs
