Overview#

Passwordless SMS Authentication allows Application Development Teams to provide Authentication without the need to remember a password.

Passwordless SMS Authentication allows users to enter their Mobile Device Phone Number or Email Address and receive a One-Time password (code) or URL, which they can then use to login.

Passwordless SMS Authentication the user is bound to the connection using an Identity Provider (IDP). Since you can't force users to use the same mobile phone number or email address every time they authenticate, users MAY end up with multiple user profiles in the IDP DataStore but you may be able to perform Identity Correlation.

Passwordless differs from Multi-Factor Authentication (MFA) in that only one Authentication Factor is used to authenticate a user—the one-time code or link received by the user.

Passwordless SMS Authentication Benefits#

The benefits of enabling Passwordless SMS Authentications include:

• Improved User Experience, particularly on mobile applications, because users only need an Email Address or mobile Phone Number to Registration, and the credential used for authentication is automatically validated after sign-up.
• Enhanced security because users avoid Password Reuse
• Less effort for you because you will not need to implement a Password Recovery procedure.

Passwordless SMS Authentication Implementation Issues#

These are the primary Implementation Issues Ldapwiki is aware of:

• infrastructure. Implementation need to use a Cloud Service Provider or Third-party service to manage the SMS with Mobile Network Operators. Auth0, Twilio, okta, and AWS Cognito are just a few Service Providers to get started.
• the additional cost of SMS, especially global SMS and variable pricing. Even though these are one-time passcodes, the cost per SMS message is more expensive than the FREE options of federating Social Identity Providers.
• app will most likely be running on Mobile Devices that do not have a Phone Number or cellular plan such as an iPad Wi-Fi edition. In this case, the user would need to have their Mobile Device nearby when they wanted to authenticate on a non-cellular device. Most of the time this is not a problem, however, in some families, children have a wifi iPad and no mobile SMS capable Mobile Device. So, in this case, the developer would need to offer additional Authentication Factors such as a basic username/password. Not too radical but does add an additional barrier and this is why most mobile developers will offer several ways for users to authenticate.

Passwordless SMS Authentication Privacy Considerations#

Passwordless SMS Authentication supports Privacy Enhancing Technologies and supports Law of Minimal Disclosure For A Constrained Use where the Relying Party Application has no knowledge of the user other than their Mobile Device Phone Number or Email Address

Passwordless SMS Authentication Security Considerations#

The obvious risk here is if someone gains access to the physical Mobile Device and bypasses the phone’s security to read SMS messages.

Some others are paranoid over a possible SIM Swap.

The Interception of the Mobile TAN might be another Risk but generally, not using full Multi-Factor Authentication for Financial transaction is "Silly"

More Information#

There might be more information for this subject on one of the following:

• Password Authentication

---

• [#1] - Passwordless Connections - based on information obtained 2019-10-14
• [#2] - Passwordless SMS Authentication: The Basics - based on information obtained 2019-10-14
• [#2] - Passwordless SMS Authentication: Backend - based on information obtained 2019-10-14