Passwordless SMS plus PIN code

We’re implementing passwordless SMS login for a mobile app. As stated in the Auth0 docs, this single factor is not enough to prove the identity of a user so we want to ask users to create a PIN code on initial sign up. If they ever need to log in again (e.g. they get a new phone) we will do the SMS passwordless flow then immediately ask them for their PIN code. I imagine the PIN will be stored in our own database and the verification handled by our backend, but that’s not a requirement.

My question is around how to model this with Auth0. Auth0 will issue an access token after successfully completing the SMS passwordless flow, yet we can’t treat a user as fully authenticated until they have also provided the PIN code.

Is it possible to treat the access token generated by the passwordless flow as a kind of temporary “valet key” token and then re-issue a new access token with a custom claim only after the PIN has been verified?

1 Like

Hi @tamlynfm,

Can I propose an alternative solution? Instead of a implementing your own PIN code factor, use one of Auth0’s existing MFA factors. This would be an easy to implement, turn-key solution, and would provide more security than the solution you described.

Or another solution: if you would like to have SMS plus a “PIN code” your users must remember, simply use a username/password connection with SMS MFA. This would result in a similar set of credentials, and you can configure the password policy to be as simple or complex as you require.

Otherwise, you will have to build this functionality outside of Auth0. Keep in mind, this code should not be stored in plaintext, and that a non-rotating, simple PIN code could easily be iterated. For example, a 4 digit numeric code has only 10,000 iterations! That’s why we use one-time passwords for MFA.

Hope this helps!

Thanks for your suggestions. I’m interested in how your first solution would work in practice.

Assuming we want to keep “sign in with phone number” as the primary factor (for UX reasons) then the available second factors on Auth0 are:

  • Push notifications: not suitable unless the Guardian app is on a different device
  • SMS notifications: not suitable since phone number is already the first factor
  • Voice notifications: as above
  • One-time passwords: not suitable unless the TOTP app is on a different device
  • WebAuthn with security keys: not suitable as we can’t issue hardware devices
  • WebAuthn with device biometrics: not sure…
  • Email notifications: might work but see below
  • Cisco Duo security: not suitable unless Duo app is on a different device
  • Recovery codes: not great UX

Using email as a second factor would be acceptable but I’m not sure how to implement this as it seems you cannot add an email address to a user on an sms connection. If that is so, how can I trigger email MFA on a passwordless SMS login?