Using SMS passwordless login on recycled mobile numbers

I am considering using SMS passwordless login, as I see this used in multiple apps and like the convenience.

What happens if my app gets a user account for their SMS phone number and this phone number is recycled to a new person? If someone new logs into my app with the same phone number, are they going to see all of the account details from the previous user? I assume so.

Are there any best practices to follow here to avoid a potential personal information nightmare?


Hi @woz,

Welcome to the Auth0 Community!

Generally, SMS alone isn’t recommended for user authentication. We suggest protecting your users by requiring MFA on SMS passwordless accounts. This would reduce the risk of intentional account takeover or inadvertent account takeover (due to recycled numbers).

Further reading: Passwordless Connections Best Practices

Hope that helps!

Thanks, Dan.

That article says:

For these reasons, we recommend that if you use passwordless authentication, you also implement Multi-factor Authentication (MFA) with a different factor when the user performs a security-sensitive operation.

We are not doing anything financial, so we don’t have a need for a “super secure” security-sensitive operation. If we detect a new account on this device, is that a fair time to require the additional MFA, say by email? Then the mobile app can force the second MFA when a new account is logged in on this device.

I welcome any feedback or suggestions!


I meant to say when the mobile app detects that a new mobile phone number was used to log in on this device.

You have a few options. You could turn on MFA for every login; this would ensure that any login is happening from a user who has access to the phone number AND the second factor.

Otherwise, you could come up with a custom policy using Actions. Here is an example of enforcing a custom MFA policy.
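As an added illustration of the custom-policy option (example code, not from this thread or from Auth0's own samples), here is a post-login Action that requires a second factor on SMS passwordless logins and lets Auth0 remember a browser only after MFA succeeds, so a recycled number cannot open the previous owner's account without the extra factor. It assumes the tenant already has an MFA factor such as email enabled; the `event` and `api` shapes are those of the Auth0 post-login trigger.

```javascript
// Decide what to do for one login. Returning a plain object keeps the policy
// testable without the Actions runtime.
function smsMfaPolicy(event) {
  const strategy = event.connection && event.connection.strategy;
  // Only SMS passwordless connections are affected; every other connection
  // keeps the tenant's default MFA behaviour.
  if (strategy !== "sms") {
    return { requireMfa: false, reason: "not-sms" };
  }
  const methods = (event.authentication && event.authentication.methods) || [];
  // MFA already completed earlier in this session (e.g. a previous step-up):
  // do not prompt a second time.
  if (methods.some((m) => m.name === "mfa")) {
    return { requireMfa: false, reason: "mfa-already-done" };
  }
  // A recycled number ends up here: the new holder of the number has nothing
  // but the SMS code, so demand another factor before exposing the account.
  // allowRememberBrowser lets Auth0 skip the prompt on a browser that has
  // completed MFA for this user; the remembered state is only written after
  // a successful challenge, so a failed attempt never earns a skip.
  return { requireMfa: true, reason: "sms-login", allowRememberBrowser: true };
}

// In the Actions editor this is exported as exports.onExecutePostLogin.
async function onExecutePostLogin(event, api) {
  const decision = smsMfaPolicy(event);
  if (decision.requireMfa) {
    api.multifactor.enable("any", {
      allowRememberBrowser: decision.allowRememberBrowser,
    });
  }
}

if (typeof exports !== "undefined") {
  exports.onExecutePostLogin = onExecutePostLogin;
}
```

Pair this with the app-side check the question describes (a different phone number on a known device) if you also want the client to force a fresh MFA prompt.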
