Application Security Handbook

Authentication with Phone Number


Last updated 1 year ago

Overview

This page contains recommendations for implementing an authentication scheme in which a phone number and a one-time password (OTP) are used as proof of identity.

General

  • Implement the authentication on the server side. In other words, all authentication decisions must be made on the server side.

  • Generate an OTP on the server side and send it to the user's phone number via SMS or push. Comply with the requirements from the Authentication: One Time Password (OTP) page.

  • Return the same error message for an incorrect OTP regardless of whether the phone number exists. Comply with the requirements from the Error and Exception Handling page.

  • Log all authentication decisions (successful and not successful), see the Logging and Monitoring page:

    • Successful authentication

    • Failed authentication

    • Successful phone number change

    • Failed phone number change

  • Limit the number of sign-in attempts for a certain period, see the Vulnerability Mitigation: Brute-force page.

  • Limit the possibility of resending OTPs. In other words, each subsequent send of an OTP must increase the timeout during which an OTP resend is prohibited. The timeout is reset by a successful login to the application. See the Vulnerability Mitigation: Brute-force page.

  • Require authentication from a user when changing a phone number: the user must enter an OTP sent to the old phone number and an OTP sent to the new one.

  • Implement injection protection for the phone number and OTP arguments (and any other user-supplied input), see:

    • Vulnerability Mitigation: Command Injection

    • Vulnerability Mitigation: SQL Injection (SQLi)

    • Vulnerability Mitigation: XML External Entity (XXE) Injection

  • Comply with the requirements from the Sensitive Data Management page.

  • Notify a user via an available communication channel (email, push, SMS, etc.) about a successful login to their account from an unknown location, browser, client, etc.

  • Enforce multi-factor authentication, see the Authentication: Multi-factor Authentication page.

  • If an OTP is generated on the client side (for example, by an authenticator app), use a TOTP algorithm, see the Authentication: One Time Password (OTP) page.

References

OWASP Cheat Sheet Series: Authentication Cheat Sheet
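The server-side recommendations from the General section above (server-generated OTP, one error message for known and unknown numbers, a cap on wrong entries per code, an escalating resend timeout that a successful login resets, OTPs for both numbers on a phone change, and a log line for every decision) combined into one runnable flow. This is an added example, not code from the handbook: the class name, the policy constants, the `purpose` tag, the `+1555...` numbers and the `demo()` script are assumptions, and the clock and the SMS gateway are injected so it runs offline.

```python
import hashlib
import hmac
import logging
import secrets

log = logging.getLogger("auth.phone")

# Policy values are assumptions for this example, not figures from the handbook.
OTP_DIGITS = 6
OTP_TTL_SECONDS = 300                           # a code is valid for five minutes
MAX_VERIFY_ATTEMPTS = 5                         # wrong entries tolerated per issued code
RESEND_TIMEOUTS = (30, 60, 120, 300, 600)       # seconds; grows with each consecutive send
GENERIC_ERROR = "Invalid phone number or code"  # identical for known and unknown numbers


class PhoneOtpAuthenticator:
    """Server-side OTP flow; `now` and `send_sms` are injected so the example runs offline."""

    def __init__(self, now, send_sms, accounts=()):
        self._now, self._send_sms = now, send_sms
        self._accounts = set(accounts)        # registered phone numbers
        self._pending = {}                    # (phone, purpose) -> {digest, expires_at, failed}
        self._sends = {}                      # phone -> (consecutive sends, time of last send)
        self._key = secrets.token_bytes(32)   # per-process key; only keyed hashes of codes are kept

    def _digest(self, phone, purpose, code):
        return hmac.new(self._key, f"{phone}|{purpose}|{code}".encode(), hashlib.sha256).digest()

    def request_otp(self, phone, purpose="login"):
        """Issue a code; returns (accepted, retry_after_seconds). Unknown numbers get no SMS
        but the same answer and the same throttle bookkeeping, so the reply leaks nothing."""
        count, last = self._sends.get(phone, (0, 0.0))
        if count:
            wait = RESEND_TIMEOUTS[min(count - 1, len(RESEND_TIMEOUTS) - 1)]
            if self._now() - last < wait:
                log.warning("otp_request phone=%s purpose=%s result=throttled", phone, purpose)
                return False, int(wait - (self._now() - last))
        self._sends[phone] = (count + 1, self._now())
        if purpose == "login" and phone not in self._accounts:
            log.info("otp_request phone=%s purpose=login result=unknown_number", phone)
            return True, 0
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"   # CSPRNG, fixed width
        self._pending[(phone, purpose)] = {"digest": self._digest(phone, purpose, code),
                                           "expires_at": self._now() + OTP_TTL_SECONDS, "failed": 0}
        self._send_sms(phone, f"Your verification code is {code}")
        return True, 0

    def _consume(self, phone, purpose, code):
        """Absent, expired, wrong and exhausted codes all return False; a correct one is deleted."""
        key = (phone, purpose)
        pending = self._pending.get(key)
        if pending is None or self._now() > pending["expires_at"]:
            self._pending.pop(key, None)
            return False
        if hmac.compare_digest(pending["digest"], self._digest(phone, purpose, code)):
            del self._pending[key]            # single use: the same code cannot be replayed
            return True
        pending["failed"] += 1
        if pending["failed"] >= MAX_VERIFY_ATTEMPTS:
            del self._pending[key]            # burn it; a fresh code is subject to the resend timeout
        return False

    def login(self, phone, code):
        if not (phone in self._accounts and self._consume(phone, "login", code)):
            log.warning("login phone=%s result=failure", phone)
            return False, GENERIC_ERROR
        self._sends.pop(phone, None)          # a successful login resets the resend backoff
        log.info("login phone=%s result=success", phone)
        return True, "ok"

    def change_phone(self, old, new, old_code, new_code):
        """Codes sent to the old and the new number must both be valid; both are checked."""
        old_ok = old in self._accounts and self._consume(old, "change", old_code)
        new_ok = new not in self._accounts and self._consume(new, "change", new_code)
        if not (old_ok and new_ok):
            log.warning("phone_change old=%s new=%s result=failure", old, new)
            return False, GENERIC_ERROR
        self._accounts.discard(old)
        self._accounts.add(new)
        log.info("phone_change old=%s new=%s result=success", old, new)
        return True, "ok"


def demo():
    """Scripted run with a fake clock and an SMS capture (constructed data)."""
    clock, inbox = {"t": 1000.0}, {}
    def capture(phone, text): inbox[phone] = text[-OTP_DIGITS:]
    auth = PhoneOtpAuthenticator(lambda: clock["t"], capture, accounts=["+15550100"])
    out = {"unknown_request": auth.request_otp("+15550199"),     # no SMS, same answer as below
           "known_request": auth.request_otp("+15550100"),
           "resend_throttled": auth.request_otp("+15550100")}    # first timeout: 30 s
    out["wrong_code"] = auth.login("+15550100", "xxxxxx")
    out["unknown_login"] = auth.login("+15550199", "xxxxxx")     # identical message
    out["login"] = auth.login("+15550100", inbox["+15550100"])
    out["after_login_request"] = auth.request_otp("+15550100")   # backoff was reset by the login
    clock["t"] += 31
    auth.request_otp("+15550100", "change"), auth.request_otp("+15550177", "change")
    out["change"] = auth.change_phone("+15550100", "+15550177",
                                      inbox["+15550100"], inbox["+15550177"])
    return out
```

The per-code attempt cap here is not a substitute for the per-period sign-in limit from the Brute-force page, which applies on top of it, and a deployment replaces the in-memory dictionaries with a store shared by all instances so the throttle and attempt counters survive load balancing.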