Passwordless SMS attack mitigation

Problem Statement

This article covers how to mitigate passwordless SMS attacks.

Cause

Currently (as of August 2022) Auth0’s attack protection (brute force and suspicious IP) features only kick in on failed login attempts.

One protection against a malicious agent spamming the /passwordless/start endpoint is the tenant's rate limits. These are either 50 requests per IP per hour when using a non-authenticated client (no client secret sent in the request), or the tenant's global Authentication API rate limits when using an authenticated client.

In addition, Bot Detection for passwordless connections can be configured.

Solution

Configure Bot Detection to “Always On” for the passwordless connection

Our Bot Detection model is designed to detect and prevent attacks that often involve failed events such as failed login and signup attempts. It utilizes predictive capabilities to identify traffic that is likely to fail a captcha. However, SMS pumping attacks exhibit a distinct pattern with fewer or no failed events. We are actively working on enhancements to our model, such as incorporating anti-IP-rotation measures and leveraging user-agent-related signals, to improve its effectiveness overall. These improvements will enhance our ability to address this unique threat.

Configure a Custom SMS Gateway

As a potential workaround, configuring a custom SMS gateway allows filtering to be applied on that gateway (for example, blocking certain IP addresses, user agents, or country codes) before the request is forwarded to the SMS provider. This mitigates the SMS provider being spammed by less sophisticated attacks that reuse IP addresses or send a non-spoofed user agent, for example.

This requires setting the forward_req_info property in the connection options to true, so that the gateway is sent the IP address and user agent used to initiate the passwordless process, as described in the Set Up Custom SMS Gateway for Passwordless Connections documentation.

New Universal Login’s WebAuthn with Biometrics

Alternatively, instead of SMS, use the New Universal Login's WebAuthn with Biometrics feature for a "passwordless" login flow. Note: this requires the user base to have biometrics or security keys available. Refer to the FIDO Authentication with WebAuthn documentation.

Related References