Authentication with Phone Number
Last updated
This page contains recommendations for implementing an authentication scheme in which a phone number and a one-time password (OTP) are used as proof of identity.
Implement the authentication on the server side. In other words, all authentication decisions must be made on the server side.
Generate the OTP on the server side and send it to the user's phone number via SMS or push notification.
Comply with requirements from the Authentication: One Time Password (OTP) page.
Return the same error message for an incorrect OTP whether the phone number exists or not, so that the response does not reveal which numbers are registered.
Require authentication from a user when changing a phone number: the user must enter an OTP sent to the old phone number and one sent to the new one.
Comply with requirements from the Error and Exception Handling page.
Log all authentication decisions (successful and unsuccessful), see the Logging and Monitoring page. At minimum, log the following events:
Successful authentication
Failed authentication
Successful phone number change
Failed phone number change
Limit the number of attempts to sign in for a certain period, see the Vulnerability Mitigation: Brute-force page.
Limit the possibility of resending OTPs. In other words, each subsequent OTP send must increase the timeout during which another resend is prohibited. The timeout is reset by a successful login to the application. See the Vulnerability Mitigation: Brute-force page.
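The following sketch, added here as an example and not taken from the checklist's own sources, puts the items above into working code: server-side OTP generation and verification, one generic error message for an unknown number and for a wrong code, an OTP-change flow that needs a valid code for both the old and the new number, a per-OTP guess budget, and a resend timeout that doubles on every resend and is reset by a successful login. Everything in it is assumed: the `AuthServer` class, its method names, the constants, the in-memory dicts that stand in for a database, and the `sent` list that stands in for an SMS/push gateway.

```python
"""Server-side phone-number + OTP authentication sketch (constructed example).

Shows the checklist items in code: the OTP is generated and checked only on the
server, every failure returns one generic message, each issued OTP has a bounded
guess budget, the resend timeout doubles with every resend and is reset by a
successful login, and changing the number requires a valid OTP for both the old
and the new number. In-memory dicts stand in for a database and the `sent`
list stands in for the SMS/push gateway (all names here are assumptions).
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

OTP_DIGITS = 6
OTP_TTL = 300              # seconds an issued OTP stays valid
MAX_VERIFY_ATTEMPTS = 5    # guesses allowed per issued OTP
BASE_RESEND_TIMEOUT = 30   # seconds before the first resend is allowed
MAX_RESEND_TIMEOUT = 3600  # cap for the doubling resend timeout
GENERIC_ERROR = "Invalid phone number or code"


@dataclass
class OtpState:
    code: str
    expires_at: float
    attempts: int = 0
    resend_count: int = 0      # sends since the last successful login
    next_resend_at: float = 0.0


@dataclass
class AuthServer:
    users: set                                # registered phone numbers
    otps: dict = field(default_factory=dict)  # phone -> OtpState
    sent: list = field(default_factory=list)  # (phone, code) handed to the gateway
    log: list = field(default_factory=list)   # (event, phone) audit records

    def request_otp(self, phone, now=None):
        """Issue a fresh OTP unless the resend timeout for this number is still running."""
        now = time.time() if now is None else now
        prev = self.otps.get(phone)
        if prev is not None and now < prev.next_resend_at:
            self.log.append(("otp_resend_blocked", phone))
            return False, "Please wait before requesting a new code"
        resend_count = prev.resend_count + 1 if prev is not None else 0
        timeout = min(BASE_RESEND_TIMEOUT * 2 ** resend_count, MAX_RESEND_TIMEOUT)
        code = "".join(str(secrets.randbelow(10)) for _ in range(OTP_DIGITS))
        self.otps[phone] = OtpState(code, now + OTP_TTL, 0, resend_count, now + timeout)
        self.sent.append((phone, code))       # gateway delivers this out of band
        self.log.append(("otp_sent", phone))
        return True, "A code has been sent if the number is valid"

    def _check_otp(self, phone, code, now, must_be_registered, consume=True):
        """True only if an OTP is issued, unexpired, within its guess budget and correct."""
        state = self.otps.get(phone)
        if state is None:
            return False
        state.attempts += 1
        # compare_digest keeps the comparison time independent of where the codes differ
        matches = hmac.compare_digest(state.code.encode(), code.encode())
        registered_ok = phone in self.users or not must_be_registered
        if not (matches and registered_ok and now <= state.expires_at
                and state.attempts <= MAX_VERIFY_ATTEMPTS):
            return False
        if consume:
            del self.otps[phone]              # one-time use; also resets the resend backoff
        return True

    def login(self, phone, code, now=None):
        """Same response text for an unknown number and for a wrong code."""
        now = time.time() if now is None else now
        if not self._check_otp(phone, code, now, must_be_registered=True):
            self.log.append(("auth_failed", phone))
            return False, GENERIC_ERROR
        self.log.append(("auth_success", phone))
        return True, "OK"

    def change_phone(self, old_phone, old_code, new_phone, new_code, now=None):
        """Both numbers must prove possession; no OTP is consumed unless both checks pass."""
        now = time.time() if now is None else now
        ok = (old_phone in self.users and new_phone not in self.users
              and self._check_otp(old_phone, old_code, now, True, consume=False)
              and self._check_otp(new_phone, new_code, now, False, consume=False))
        if not ok:
            self.log.append(("phone_change_failed", old_phone))
            return False, GENERIC_ERROR
        for phone in (old_phone, new_phone):
            del self.otps[phone]
        self.users.discard(old_phone)
        self.users.add(new_phone)
        self.log.append(("phone_change_success", new_phone))
        return True, "OK"
```

Two design points are worth noting. An OTP is stored (and a code is "sent") for unknown numbers too, so the request endpoint behaves identically for registered and unregistered numbers; the registration check happens inside verification and surfaces only as the one generic message. The resend backoff lives in the same record as the OTP, so deleting the record on a successful login is what resets the timeout, exactly as the checklist requires.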
Implement injection protection for login and password arguments, see:
Comply with requirements from the Sensitive Data Management page.
Enforce multi-factor authentication, see the Authentication: Multi-factor Authentication page.
Generate an OTP on the client side using a TOTP algorithm, see the Authentication: One Time Password (OTP) page.
Notify the user via an available communication channel (email, push, SMS, etc.) about a successful login to their account from an unknown location, browser, client, etc.