# Authentication with Phone Number

## Overview

This page contains recommendations for the implementation of the authentication scheme where a phone number and one-time password are used as proof of identity.

## General

### Base

* Implement the authentication on the server side. In other words, all authentication decisions must be made on the server side.
* Generate an OTP on the server side and send it to the user's phone number via SMS or push notification.
* Comply with requirements from the [Authentication: One Time Password (OTP)](https://0xn3va.gitbook.io/application-security-handbook/web-application/authentication/one-time-password-otp) page.
* Return the same error message for an incorrect OTP whether the phone number exists or not, so that the response does not reveal which phone numbers are registered.
* Require authentication from a user when changing a phone number. The user should enter an OTP sent to the old phone number and one sent to the new phone number.
* Comply with requirements from the [Error and Exception Handling](https://0xn3va.gitbook.io/application-security-handbook/web-application/error-and-exception-handling) page.
* Log all authentication decisions (successful and not successful), see the [Logging and Monitoring](https://0xn3va.gitbook.io/application-security-handbook/web-application/logging-and-monitoring) page.
  * Successful authentication
  * Failed authentication
  * Successful phone number change
  * Failed phone number change
* Limit the number of attempts to sign in for a certain period, see the [Vulnerability Mitigation: Brute-force](https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/brute-force) page.
* Limit the possibility of resending OTPs. In other words, each subsequent OTP send must increase the timeout during which another resend is prohibited. The timeout is reset only by a successful login to the application. See the [Vulnerability Mitigation: Brute-force](https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/brute-force) page.
* Implement injection protection for login and password arguments, see:
  * [Vulnerability Mitigation: Command injection](https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/command-injection)
  * [Vulnerability Mitigation: SQL injection (SQLi)](https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/sql-injection)
  * [Vulnerability Mitigation: XML External Entity (XXE) Injection](https://0xn3va.gitbook.io/application-security-handbook/web-application/vulnerability-mitigation/xml-external-entity-xxe-injection)
* Comply with requirements from the [Sensitive Data Management](https://0xn3va.gitbook.io/application-security-handbook/web-application/sensitive-data-management) page.
* Enforce multi-factor authentication, see the [Authentication: Multi-factor Authentication](https://0xn3va.gitbook.io/application-security-handbook/web-application/authentication/multi-factor-authentication) page.
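The server-side flow these items describe, as an added example that is not code from the handbook: the OTP is generated and verified on the server, an unknown phone number and a wrong code produce the identical response, the resend cooldown grows with every resend and is reset only by a successful login, and verification attempts per code are capped. The `send_sms` callback, the constants, and the phone numbers are assumptions.

```python
import hashlib
import hmac
import secrets
import time

RESEND_BASE = 30   # seconds before the first resend is allowed (assumed value)
MAX_ATTEMPTS = 5   # failed checks after which the code is invalidated (assumed)
OTP_TTL = 300      # seconds an issued code stays valid (assumed)


class OtpService:
    """Server-side OTP issuance and verification keyed by phone number."""

    def __init__(self, known_phones, send_sms, now=time.time):
        self.known = set(known_phones)  # registered accounts
        self.send_sms = send_sms        # delivery callback (hypothetical)
        self.now = now                  # injectable clock for testing
        self.state = {}                 # phone -> issuance and attempt state

    def request_otp(self, phone):
        """Issue a code; each resend doubles the cooldown until a successful login."""
        s = self.state.setdefault(phone, {"resends": 0, "next_resend": 0})
        if self.now() < s["next_resend"]:
            return "too_many_requests"
        code = f"{secrets.randbelow(10**6):06d}"      # 6-digit code from a CSPRNG
        s["hash"] = hashlib.sha256(code.encode()).hexdigest()  # never store the code itself
        s["expires"] = self.now() + OTP_TTL
        s["attempts"] = 0
        s["next_resend"] = self.now() + RESEND_BASE * (2 ** s["resends"])
        s["resends"] += 1
        if phone in self.known:  # deliver only to real accounts; response is the same either way
            self.send_sms(phone, code)
        return "sent"

    def verify(self, phone, code):
        """Check a submitted code; the OTP is single use and consumed on success."""
        s = self.state.get(phone)
        ok = False
        if s and "hash" in s and self.now() <= s["expires"] and s["attempts"] < MAX_ATTEMPTS:
            s["attempts"] += 1
            submitted = hashlib.sha256(code.encode()).hexdigest()
            ok = hmac.compare_digest(s["hash"], submitted)  # constant-time comparison
        if not ok or phone not in self.known:
            return "invalid_phone_or_code"  # identical message for unknown phone and wrong code
        self.state.pop(phone)  # success clears the code and resets the resend cooldown
        return "ok"
```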

### Advanced

* Generate an OTP on the client side using a TOTP algorithm, see the [Authentication: One Time Password (OTP)](https://0xn3va.gitbook.io/application-security-handbook/web-application/authentication/one-time-password-otp) page.
* Notify a user via an available communication channel (email, push, SMS, etc.) about a successful login to their account from an unknown location, browser, client, etc.

## References

* [OWASP Cheat Sheet Series: Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#logging-and-monitoring)
