Potential Threat to Passwordless OTP Security

Overview

This article explains the mechanisms available to defend single-page applications (SPAs) that use passwordless one-time passwords (OTPs) delivered by SMS against malicious actors who repeatedly trigger OTP messages to known or random phone numbers. Such abuse can result in suspension of the SMS service and severely degrade the level of service offered to users.

Applies To
  • Passwordless
  • One Time Password (OTP)
  • Single Page Application (SPA)
  • SMS
  • Security Risks
Cause

Triggering a passwordless OTP is an open, publicly accessible operation for anyone who knows the client_id and domain name. Currently, this behavior is by design, which means that anyone can trigger an OTP message, either from the Login widget or by calling the API directly.

Auth0’s attack protection (Brute Force and Suspicious IP detection) features will be activated only on failed login attempts. For further information, refer to Attack Protection.

Solution

Auth0 provides several mechanisms to guard against the impact of SMS attacks by malicious actors.


Endpoint rate-limits

Rate limits are enforced on the /passwordless/start endpoint for each tenant. The current limit is either:

  • 50 requests per IP address per hour if using a non-authenticated client (no client secret is included in the request)
  • the tenant’s global authentication API rate limits if using an authenticated client (the client secret is included in the request)

In addition, Bot Detection for passwordless connections can be set to "Always On". For further information, refer to Bot Detection - Connection Type Limitations.

To enforce a different behavior than the current default one, submit a feature request via our Customer Feedback page. All requests will be reviewed and prioritized by members of our Product Management team.

Improved responses to SMS pumping attacks

The current Bot Detection model is designed to detect and prevent attacks that typically involve failed events, such as Failed Login and Failed Signup attempts. It uses predictive capabilities to identify traffic that is likely to fail a CAPTCHA challenge. SMS pumping attacks, however, exhibit a distinct pattern with few or no failed events, because each request simply results in an OTP being sent.

Work is in progress to build more sophisticated options to manage these types of attacks. As before, customers are encouraged to submit suggestions and concerns via our Customer Feedback page.
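The pattern described above (many OTP sends, few or no failed events) can be checked against exported tenant logs. The following is an added example, not Auth0 code or a product feature: it runs over a constructed set of log records whose field names (date, type, ip, user_name, user_agent) and event codes are assumptions, and flags source IPs with a high volume of sends and a low failure ratio, as well as number ranges that receive codes for many distinct recipients within one window.

```javascript
// Added example (not Auth0's code): flag SMS-pumping patterns in tenant log records.
// Assumed (constructed) record shape: { date, type, ip, user_name, user_agent }, where
// type "cls"/"cs" is a passwordless code sent, "f" a failed login and "fs" a failed signup.
// Real log exports carry more fields; adapt the field names to your export.

const NOW_MS = Date.parse('2024-01-01T12:00:00Z'); // constructed reference time

const SAMPLE_LOGS = [
  // Burst from one IP to consecutive numbers in one range, no failures: the pumping pattern.
  { date: '2024-01-01T11:50:00Z', type: 'cls', ip: '203.0.113.7', user_name: '+628123450001', user_agent: 'python-requests/2.31' },
  { date: '2024-01-01T11:51:00Z', type: 'cls', ip: '203.0.113.7', user_name: '+628123450002', user_agent: 'python-requests/2.31' },
  { date: '2024-01-01T11:52:00Z', type: 'cls', ip: '203.0.113.7', user_name: '+628123450003', user_agent: 'python-requests/2.31' },
  { date: '2024-01-01T11:53:00Z', type: 'cls', ip: '203.0.113.7', user_name: '+628123450004', user_agent: 'python-requests/2.31' },
  { date: '2024-01-01T11:54:00Z', type: 'cls', ip: '203.0.113.7', user_name: '+628123450005', user_agent: 'python-requests/2.31' },
  { date: '2024-01-01T11:55:00Z', type: 'cls', ip: '203.0.113.7', user_name: '+628123450006', user_agent: 'python-requests/2.31' },
  // Ordinary user: one code sent, one failed attempt (mistyped code).
  { date: '2024-01-01T11:40:00Z', type: 'cls', ip: '198.51.100.4', user_name: '+14155550100', user_agent: 'Mozilla/5.0' },
  { date: '2024-01-01T11:41:00Z', type: 'f',   ip: '198.51.100.4', user_name: '+14155550100', user_agent: 'Mozilla/5.0' },
  // Ordinary user, plus one record older than the look-back window, which is ignored.
  { date: '2024-01-01T11:30:00Z', type: 'cls', ip: '192.0.2.9', user_name: '+447700900123', user_agent: 'Mozilla/5.0' },
  { date: '2024-01-01T09:00:00Z', type: 'cls', ip: '192.0.2.9', user_name: '+447700900123', user_agent: 'Mozilla/5.0' },
];

const SEND_TYPES = new Set(['cls', 'cs']);
const FAIL_TYPES = new Set(['f', 'fs']);

// Group recipients by the leading digits of the E.164 number (country code + operator range).
function numberRange(phone, digits) {
  return String(phone || '').replace(/\D/g, '').slice(0, digits);
}

function detectSmsPumping(logs, options = {}) {
  const {
    nowMs = Date.now(),
    windowMs = 60 * 60 * 1000,  // look back one hour
    minSendsPerIp = 5,          // sends from one IP before it is considered suspicious
    maxFailureRatio = 0.1,      // pumping traffic shows few or no failed events
    minRecipientsPerRange = 4,  // distinct numbers hit inside one range
    rangeDigits = 7,
  } = options;

  const byIp = new Map();     // ip -> { sends, failures }
  const byRange = new Map();  // range -> Set of recipients
  for (const r of logs) {
    const t = Date.parse(r.date);
    if (!Number.isFinite(t) || t > nowMs || t < nowMs - windowMs) continue;
    const stat = byIp.get(r.ip) || { sends: 0, failures: 0 };
    if (SEND_TYPES.has(r.type)) {
      stat.sends += 1;
      const range = numberRange(r.user_name, rangeDigits);
      if (range) {
        if (!byRange.has(range)) byRange.set(range, new Set());
        byRange.get(range).add(r.user_name);
      }
    } else if (FAIL_TYPES.has(r.type)) {
      stat.failures += 1;
    }
    byIp.set(r.ip, stat);
  }

  const suspiciousIps = [...byIp]
    .filter(([, s]) => s.sends >= minSendsPerIp && s.failures / s.sends <= maxFailureRatio)
    .map(([ip, s]) => ({ ip, sends: s.sends, failures: s.failures }));
  const suspiciousRanges = [...byRange]
    .filter(([, set]) => set.size >= minRecipientsPerRange)
    .map(([range, set]) => ({ range: `+${range}`, recipients: set.size }));
  return { suspiciousIps, suspiciousRanges };
}

// Stand-alone run: prints the flagged IP and the flagged number range for the sample above.
console.log(JSON.stringify(detectSmsPumping(SAMPLE_LOGS, { nowMs: NOW_MS }), null, 2));
```

The thresholds are deliberately parameters: what counts as "many sends" depends on the tenant's normal volume, and the failure ratio is what distinguishes this traffic from the failed-login bursts that Bot Detection already handles.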


Configure a Custom Gateway

As a potential workaround, a custom SMS gateway can implement a filtering mechanism (for example, blocking certain IP addresses, user agents, or country codes) before forwarding the request to the SMS provider. This shields the SMS provider from less sophisticated attacks, such as those that reuse IP addresses or do not spoof the user agent.

Adopting this approach requires setting the forward_req_info property in the connection options to true so that the gateway receives the IP address and user agent used to initiate the passwordless flow. For further information, refer to Setup a Custom SMS Gateway for Passwordless Connection.
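The following is an added example of the filtering step described above; it is not Auth0's code and not the sample from the gateway setup article. It assumes that the request Auth0 posts to the gateway carries the recipient, the message body and, with forward_req_info enabled, a request_info object with ip and user_agent; those field names, the blocklists and the limits are constructed for the example, so check them against the gateway setup article before deploying.

```javascript
// Added example (not Auth0's code): policy filter for a custom passwordless SMS gateway.
// Assumed request body from Auth0 when forward_req_info is true (field names are an assumption):
//   { recipient: "+15555550123", body: "Your code is 123456", request_info: { ip, user_agent } }

const DEFAULT_POLICY = {
  requireRequestInfo: true,                                 // fail closed if IP/user agent were not forwarded
  blockedIps: new Set(['203.0.113.7']),                     // constructed blocklist
  blockedUserAgents: [/^$/, /curl\//i, /python-requests/i], // empty or obviously scripted user agents
  blockedCountryCodes: ['+62', '+7'],                       // constructed: countries the app does not serve
  windowMs: 60 * 60 * 1000,
  maxPerIp: 5,        // OTP sends per IP address per window
  maxPerRecipient: 3, // OTP sends per phone number per window
};

// Per-process counters: key -> send timestamps. Multi-instance deployments need a shared store.
function createState() { return new Map(); }

function countRecent(state, key, nowMs, windowMs) {
  const recent = (state.get(key) || []).filter((t) => nowMs - t < windowMs);
  state.set(key, recent);
  return recent.length;
}

// Returns an allow/deny decision with the HTTP status the gateway should answer with.
function evaluate(payload, policy, state, nowMs) {
  const recipient = String(payload.recipient || '');
  if (!/^\+[1-9]\d{6,14}$/.test(recipient)) return { allow: false, status: 400, reason: 'malformed recipient' };
  if (!payload.request_info && policy.requireRequestInfo) {
    return { allow: false, status: 403, reason: 'request_info missing; enable forward_req_info' };
  }
  const ip = (payload.request_info && payload.request_info.ip) || '';
  const ua = (payload.request_info && payload.request_info.user_agent) || '';
  if (policy.blockedIps.has(ip)) return { allow: false, status: 403, reason: 'blocked ip' };
  if (policy.blockedUserAgents.some((re) => re.test(ua))) return { allow: false, status: 403, reason: 'blocked user agent' };
  if (policy.blockedCountryCodes.some((cc) => recipient.startsWith(cc))) return { allow: false, status: 403, reason: 'blocked country code' };
  if (countRecent(state, `ip:${ip}`, nowMs, policy.windowMs) >= policy.maxPerIp) return { allow: false, status: 429, reason: 'ip rate limit' };
  if (countRecent(state, `to:${recipient}`, nowMs, policy.windowMs) >= policy.maxPerRecipient) return { allow: false, status: 429, reason: 'recipient rate limit' };
  state.get(`ip:${ip}`).push(nowMs);
  state.get(`to:${recipient}`).push(nowMs);
  return { allow: true, status: 200, reason: 'ok' };
}

// Mirrors the HTTP handler but returns { status, body } instead of writing to a socket,
// so the policy can be exercised offline. sendSms is the provider client (injected).
function handleGatewayRequest(payload, { policy = DEFAULT_POLICY, state, nowMs = Date.now(), sendSms }) {
  const decision = evaluate(payload, policy, state, nowMs);
  if (!decision.allow) {
    console.warn(`gateway: rejected OTP to ${payload.recipient}: ${decision.reason}`);
    return { status: decision.status, body: { error: decision.reason } };
  }
  sendSms(payload.recipient, payload.body); // real provider SDK call goes here
  return { status: 200, body: { ok: true } };
}

// Stand-alone run with a constructed request and a fake provider.
const demo = handleGatewayRequest(
  { recipient: '+14155550100', body: 'Your code is 123456', request_info: { ip: '198.51.100.4', user_agent: 'Mozilla/5.0' } },
  { state: createState(), sendSms: (to) => console.log(`would send OTP to ${to}`) },
);
console.log(demo.status, demo.body);
```

Wrap handleGatewayRequest in the route handler of whatever framework serves the gateway URL configured on the connection, and replace sendSms with the provider client. The per-recipient limit is what caps the cost of a single number being hammered; the per-IP limit and the user-agent checks only help against the less sophisticated attacks the article mentions, since both are easy to vary.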


New Universal Login with WebAuthn and Biometrics

As an alternative to SMS, consider adopting the New Universal Login’s WebAuthn with Biometrics feature to implement a truly “passwordless” login flow.


NOTE: Access to this feature depends on the level of Auth0 subscription. It currently requires purchasing the Enterprise MFA Factors add-on. For details on feature entitlements and subscription plans, refer to the Pricing policy page.


For further technical information, refer to FIDO Authentication with WebAuthn.


Passkeys

It is possible that the new Passkeys feature might provide an alternative approach in a range of use cases:


Passkeys are a phishing-resistant alternative to traditional authentication factors (such as username/password) that offer an easier and more secure login experience to users. Passkeys are modeled from FIDO® W3C Web Authentication (WebAuthn) and Client to Authenticator Protocol (CTAP) specifications.


For further information, refer to Passkeys and Activate Passkeys.

