Passwordless SMS attack mitigation

Problem Statement

We experienced an attack on our passwordless SMS connection. Attack protection is not stopping spammed /passwordless/start calls. Is there a solution or workaround for this issue?

Cause

Since August 2022, Auth0’s attack protection features (brute force and suspicious IP) only trigger on failed login attempts. Bot detection does not support passwordless connections either.

The only protection against a malicious agent spamming the /passwordless/start endpoint is the tenant’s rate limits: 50 requests per IP per hour for a non-authenticated client (no client secret sent in the request), or the tenant’s global Authentication API rate limits for an authenticated client.

Solution

As a potential workaround, configuring a custom SMS gateway lets you apply your own filtering on that gateway before issuing the request to your SMS provider, for example blocking certain IP addresses, user agents, or country codes.

This workaround mitigates the less sophisticated attacks on your SMS provider, such as those that reuse IP addresses or send an unspoofed user agent.

This workaround requires setting the “forward_req_info” property in the connection options to true so that the gateway also receives information about the HTTP request that initiated the passwordless flow, including the IP address of the client calling /passwordless/start and its User-Agent.
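The following is an added example, not Auth0’s code, of the filtering such a gateway could apply before handing a message to the SMS provider: an IP blocklist, a user-agent blocklist, a destination calling-code allowlist, and a simple per-IP send counter. The payload field names (`req.ip`, `req.headers["user-agent"]`), the policy values, and the sample numbers are assumptions for the example; verify them against what your tenant actually sends.

```python
import ipaddress
from collections import Counter
from typing import Optional, Tuple

# Constructed policy values for the example; a real gateway would load these from config.
BLOCKED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # RFC 5737 test range
BLOCKED_UA_FRAGMENTS = ("python-requests", "curl/", "go-http-client")
ALLOWED_COUNTRY_CODES = {"1", "44", "49"}                      # E.164 calling codes
PER_IP_LIMIT = 5                                               # sends allowed per IP

_sends_per_ip: Counter = Counter()   # in-memory; use a shared store behind a load balancer

def calling_code(recipient: str) -> Optional[str]:
    """Return the allow-listed E.164 calling code of the destination, or None."""
    digits = recipient.lstrip("+").replace(" ", "").replace("-", "")
    for length in (3, 2, 1):          # calling codes are 1-3 digits; longest match first
        if digits[:length] in ALLOWED_COUNTRY_CODES:
            return digits[:length]
    return None

def evaluate(payload: dict) -> Tuple[bool, str]:
    """Return (allowed, reason) for one gateway request.

    Assumed payload shape (field names are assumptions, verify against what your
    tenant actually sends): {"recipient": "+1...", "body": "...",
                              "req": {"ip": "...", "headers": {"user-agent": "..."}}}
    """
    req = payload.get("req") or {}
    ip_str = req.get("ip", "")
    ua = (req.get("headers") or {}).get("user-agent", "").lower()
    if not ip_str:
        # Without forward_req_info the request carries no client details: fail closed.
        return False, "missing req info (is forward_req_info enabled?)"
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False, f"unparseable ip {ip_str!r}"
    if any(ip in net for net in BLOCKED_NETWORKS):
        return False, f"blocked network {ip}"
    if not ua or any(frag in ua for frag in BLOCKED_UA_FRAGMENTS):
        return False, f"blocked user agent {ua!r}"
    if calling_code(payload.get("recipient", "")) is None:
        return False, "destination country not allowed"
    _sends_per_ip[ip_str] += 1
    if _sends_per_ip[ip_str] > PER_IP_LIMIT:
        return False, f"per-ip limit exceeded for {ip}"
    return True, "ok"   # only now hand the message to the SMS provider
```

Requests that fail any check are dropped before the provider is billed, and the reason string is what you would log for detection and tuning.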

Alternatively, you could move away from SMS altogether and use the New Universal Login’s WebAuthn with Biometrics feature for a “passwordless” login flow.