Potential Threat to Passwordless OTP Security

Problem statement

It is intended that a Passwordless OTP user login challenge be used to manage access to an SPA application. All user requests will originate from the same IP address.

Given that the client_id and Domain Name are public, there is a concern that anybody with knowledge of the client_id and Domain Name can make this call. This potentially means that a malicious actor can try to repeatedly send OTPs to known or random phone numbers. This could result in SMS service suspension and severely impact the level of service offered to users.

Cause

The ability to trigger a passwordless OTP sending is an open and accessible public function. Currently, this behavior is by design. This means that anyone can trigger an OTP message both from the Login widget or by calling the API directly.

Furthermore, at the time of this writing (February 2024) Auth0’s attack protection (Brute Force and Suspicious IP detection) features will be activated only on failed login attempts. For further information, refer to Attack Protection.

Solution

Auth0 provides several mechanisms to guard against the impact of SMS attacks by malicious actors.

Endpoint rate-limits

Rate limits are enforced on the /passwordless/start endpoint for each tenant. The current limit is either:

  • 50 requests per IP address per hour if using a non-authenticated client (no client secret is included in the request)
  • the tenant’s global authentication API rate limits if using an authenticated client (the client secret is included in the request)

The /passwordless/start endpoint has a rate limit of 50 requests per hour per IP address.
In addition, Bot Detection for passwordless connections can be set to “Always On”. For further information, refer to Bot Detection - Connection Type Limitations.

Customers who need to enforce a different type of behavior than the current default are encouraged to submit a feature request via our Customer Feedback page. All requests will be reviewed and prioritized by members of our Product Management team.

Improved responses to SMS pumping attacks

The current Bot Detection model is designed to detect and prevent attacks that often involve failed events such as Failed Login and Failed Signup attempts. It utilizes predictive capabilities to identify traffic that is likely to fail a Captcha challenge. However, SMS pumping attacks exhibit a distinct pattern with fewer or no instances of failed events.

Work is in progress to build more sophisticated options to manage these types of attacks. As before, customers are encouraged to submit suggestions and concerns via our Customer Feedback page.

Configure a Custom Gateway

As a potential workaround, configuring a custom SMS gateway would allow a filtering mechanism to be implemented on that gateway (for example, blocking certain IP addresses, user agents, or country codes) before the request is issued to the SMS provider. This would help shield the SMS provider from less sophisticated attacks, such as those that reuse the same IP addresses or do not spoof the user agent.

Adopting this approach would require setting the forward_req_info property in the connection options to true so the gateway can be sent the IP address and user agent that were used to initiate the passwordless process. For further information, refer to Setup a Custom SMS Gateway for Passwordless Connection.
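The filtering step such a gateway would perform, as an added example that is not part of the original article or of Auth0's code. It assumes the gateway receives a JSON object carrying the recipient number plus, when forward_req_info is enabled, the originating IP and user agent; the field names client_ip and user_agent, the policy values and the sample request are constructed for the example, so check them against the custom SMS gateway documentation before use.

```python
import ipaddress
import time
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class GatewayPolicy:
    blocked_networks: list           # CIDR strings to refuse outright
    allowed_country_prefixes: set    # E.164 country calling codes, e.g. {"1", "44"}
    blocked_user_agents: tuple       # substrings of user agents to refuse
    max_per_ip: int = 5              # sends allowed per IP inside the window (constructed default)
    window_seconds: int = 3600


class SmsGatewayFilter:
    """Decides whether a forwarded OTP request may reach the SMS provider."""

    def __init__(self, policy: GatewayPolicy):
        self.policy = policy
        self._nets = [ipaddress.ip_network(n) for n in policy.blocked_networks]
        self._seen = defaultdict(deque)  # client_ip -> timestamps of forwarded sends

    def decide(self, request: dict, now: float = None):
        """request mirrors the JSON the gateway receives; 'client_ip' and
        'user_agent' are assumed names for the data forward_req_info adds."""
        now = time.time() if now is None else now
        ip = request.get("client_ip")
        ua = request.get("user_agent", "")
        recipient = request.get("recipient", "")
        if ip is None:  # without forward_req_info there is nothing to filter on
            return False, "missing client_ip: enable forward_req_info"
        if any(ipaddress.ip_address(ip) in net for net in self._nets):
            return False, "blocked network"
        if not ua or any(bad in ua for bad in self.policy.blocked_user_agents):
            return False, "blocked user agent"
        digits = recipient[1:] if recipient.startswith("+") else ""
        if not any(digits.startswith(p) for p in self.policy.allowed_country_prefixes):
            return False, "country code not allowed"
        sent = self._seen[ip]
        while sent and now - sent[0] > self.policy.window_seconds:  # drop expired entries
            sent.popleft()
        if len(sent) >= self.policy.max_per_ip:
            return False, "per-IP send quota exceeded"
        sent.append(now)
        return True, "forward to SMS provider"
```

Denied requests should be logged with the reason so that the IP and user-agent patterns behind an SMS pumping wave can be reviewed, and the per-IP counter here is in-memory, so a multi-instance gateway needs a shared store.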

New Universal Login with WebAuthn and Biometrics

As an alternative to using SMS, consider adopting the New Universal Login’s WebAuthn with Biometrics feature to implement a truly “passwordless” login flow.

NOTE: access to this feature depends on the level of Auth0 subscription. It currently requires the Enterprise MFA Factors add-on to be purchased. For details of feature entitlements and subscription plans, refer to the Pricing policy page.

For further technical information, refer to Fido Authentication with WebAuthn.

Passkeys

It is possible that the new Passkeys feature might provide an alternative approach in a range of customer use cases:

Passkeys are a phishing-resistant alternative to traditional authentication factors (such as username/password) that offer an easier and more secure login experience to users. Passkeys are modeled on the FIDO® W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications.

For further information, refer to Passkeys and Activate Passkeys.

Related References