Passwordless SMS Authentication

Overview#

Passwordless SMS Authentication allows Application Development Teams to provide Authentication without requiring users to remember a password.

Passwordless SMS Authentication allows users to enter their Mobile Device Phone Number or Email Address and receive a One-Time Password (code) or URL, which they can then use to log in.

With Passwordless SMS Authentication, the user is bound to the connection using an Identity Provider (IDP). Since you can't force users to use the same mobile phone number or email address every time they authenticate, users MAY end up with multiple user profiles in the IDP DataStore, but you may be able to perform Identity Correlation.

Passwordless differs from Multi-Factor Authentication (MFA) in that only one Authentication Factor is used to authenticate a user—the one-time code or link received by the user.
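
An added example (not Ldapwiki's code or any IDP's API) of the server side of the one-time code flow described above: a code is issued for a phone number, stored only as a keyed MAC, and accepted once within a limited lifetime and guess budget. The class and method names, the 6-digit format, the 5-minute lifetime, the 3-guess limit and the `send_sms` callable are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumption: code is valid for 5 minutes
MAX_ATTEMPTS = 3        # assumption: guesses allowed per issued code


class OtpService:
    """In-memory issuer/verifier for SMS login codes (hypothetical names)."""

    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms  # callable(phone, text): stand-in for an SMS gateway
        self._clock = clock
        self._key = secrets.token_bytes(32)  # server-side secret for the MAC
        self._pending = {}  # phone -> [mac, expires_at, attempts_left]

    def _mac(self, phone, code):
        # Store a keyed MAC bound to the phone number, never the code itself.
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def start_login(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"  # 6 digits from a CSPRNG
        # A new request replaces any code still pending for this number.
        self._pending[phone] = [self._mac(phone, code),
                                self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        self._send_sms(phone, f"Your login code is {code}")

    def finish_login(self, phone, submitted):
        entry = self._pending.get(phone)
        if entry is None:
            return False
        mac, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[phone]  # expired codes are discarded
            return False
        entry[2] -= 1  # count the attempt before comparing
        ok = hmac.compare_digest(mac, self._mac(phone, submitted))
        if ok or entry[2] == 0:
            del self._pending[phone]  # single use, or guess budget spent
        return ok
```

Because the code is the only Authentication Factor in this flow, the lifetime, single-use and guess-limit checks are what bound the value of a guessed or intercepted code.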

Passwordless SMS Authentication Benefits#

The benefits of enabling Passwordless SMS Authentications include:

Passwordless SMS Authentication Implementation Issues#

These are the primary Implementation Issues Ldapwiki is aware of:

Passwordless SMS Authentication Privacy Considerations#

Passwordless SMS Authentication supports Privacy Enhancing Technologies and the Law of Minimal Disclosure For A Constrained Use, where the Relying Party Application has no knowledge of the user other than their Mobile Device Phone Number or Email Address.

Passwordless SMS Authentication Security Considerations#

The obvious risk here is if someone gains access to the physical Mobile Device and bypasses the phone’s security to read SMS messages.

Some others are paranoid over a possible SIM Swap.

The Interception of the Mobile TAN might be another Risk, but generally, not using full Multi-Factor Authentication for Financial transactions is "Silly".
