
# Authentication with Phone Number

## Overview

This page contains recommendations for the implementation of the authentication scheme where a phone number and one-time password are used as proof of identity.

## General

<div align="left"><img src="/files/QJuMWI21M60ZKzo0mFAN" alt=""></div>

* Implement the authentication on the server side. In other words, all authentication decisions must be made on the server side.
* Generate an OTP on the server side and send it to the user's phone number via SMS or push.
* Comply with requirements from the [Authentication: One Time Password (OTP)](/application-security-handbook/web-application/authentication/one-time-password-otp.md) page.
* Return the same error message for an incorrect OTP whether the phone number exists or not, so that the response does not reveal which numbers are registered.
* Require authentication from a user when changing a phone number: the user must enter an OTP sent to the old phone number and an OTP sent to the new one.
* Comply with requirements from the [Error and Exception Handling](/application-security-handbook/web-application/error-and-exception-handling.md) page.
* Log all authentication decisions (successful and not successful), see the [Logging and Monitoring](/application-security-handbook/web-application/logging-and-monitoring.md) page.
  * Successful authentication
  * Failed authentication
  * Successful phone number change
  * Failed phone number change
* Limit the number of attempts to sign in for a certain period, see the [Vulnerability Mitigation: Brute-force](/application-security-handbook/web-application/vulnerability-mitigation/brute-force.md) page.
* Limit the possibility of resending OTPs. In other words, each subsequent OTP send must increase the timeout during which resending is prohibited. The timeout is reset by a successful login to the application. See the [Vulnerability Mitigation: Brute-force](/application-security-handbook/web-application/vulnerability-mitigation/brute-force.md) page.
* Implement injection protection for the login arguments (phone number and OTP), see:
  * [Vulnerability Mitigation: Command injection](/application-security-handbook/web-application/vulnerability-mitigation/command-injection.md)
  * [Vulnerability Mitigation: SQL injection (SQLi)](/application-security-handbook/web-application/vulnerability-mitigation/sql-injection.md)
  * [Vulnerability Mitigation: XML External Entity (XXE) Injection](/application-security-handbook/web-application/vulnerability-mitigation/xml-external-entity-xxe-injection.md)
* Comply with requirements from the [Sensitive Data Management](/application-security-handbook/web-application/sensitive-data-management.md) page.
* Enforce multi-factor authentication, see the [Authentication: Multi-factor Authentication](/application-security-handbook/web-application/authentication/multi-factor-authentication.md) page.
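As an added illustration (not the handbook's own code), a minimal server-side model of the checks above: server-generated OTP, one generic error for registered and unregistered numbers, a per-OTP attempt limit, an escalating resend timeout that a successful login resets, and a log line for every decision. The clock, the SMS/push sender and the threshold constants are assumed placeholders.

```python
import hmac
import logging
import secrets
import time

log = logging.getLogger("phone-auth")

OTP_TTL = 300        # seconds an OTP stays valid (assumed value)
MAX_ATTEMPTS = 5     # failed verifications allowed per OTP (assumed value)
RESEND_BASE = 30     # first resend timeout in seconds; doubles on each resend
GENERIC_ERROR = "Invalid phone number or code"   # same text for every failure

def _mask(phone):
    """Keep only the last digits in logs (sensitive data management)."""
    return "***" + phone[-4:]

class PhoneOtpAuth:
    def __init__(self, registered_phones, clock=time.time, sender=None):
        self.registered = set(registered_phones)            # known accounts
        self.clock = clock                                  # injectable for tests
        self.sender = sender or (lambda phone, otp: None)   # SMS/push gateway stand-in
        self.pending = {}   # phone -> {"otp", "expires", "attempts"}
        self.resend = {}    # phone -> {"count", "next_allowed"}

    def request_otp(self, phone):
        now = self.clock()
        state = self.resend.setdefault(phone, {"count": 0, "next_allowed": 0})
        if now < state["next_allowed"]:
            log.warning("otp resend throttled phone=%s", _mask(phone))
            return False
        # Escalating resend timeout: 30s, 60s, 120s, ... until a successful login
        state["next_allowed"] = now + RESEND_BASE * (2 ** state["count"])
        state["count"] += 1
        if phone in self.registered:
            otp = f"{secrets.randbelow(10**6):06d}"   # server-side, CSPRNG
            self.pending[phone] = {"otp": otp, "expires": now + OTP_TTL, "attempts": 0}
            self.sender(phone, otp)
        return True   # identical response whether or not the number is registered

    def verify(self, phone, code):
        now = self.clock()
        entry = self.pending.get(phone)
        if entry is None or now > entry["expires"] or entry["attempts"] >= MAX_ATTEMPTS:
            log.info("auth failed phone=%s", _mask(phone))
            return (False, GENERIC_ERROR)
        entry["attempts"] += 1
        if not hmac.compare_digest(entry["otp"].encode(), str(code).encode()):
            log.info("auth failed phone=%s attempt=%d", _mask(phone), entry["attempts"])
            return (False, GENERIC_ERROR)
        del self.pending[phone]          # an OTP is single-use
        self.resend.pop(phone, None)     # successful login resets the resend timeout
        log.info("auth success phone=%s", _mask(phone))
        return (True, None)
```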

<div align="left"><img src="/files/P0T6i9QsRZT0gGQKpPIC" alt=""></div>

* Generate an OTP on the client side using a TOTP algorithm, see the [Authentication: One Time Password (OTP)](/application-security-handbook/web-application/authentication/one-time-password-otp.md) page.
* Notify the user via an available communication channel (email, push, SMS, etc.) about a successful login to their account from an unknown location, browser, client, etc.

## References

* [OWASP Cheat Sheet Series: Authentication Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Authentication_Cheat_Sheet.html#logging-and-monitoring)
