OWASP / owasp-mastg

The Mobile Application Security Testing Guide (MASTG) is a comprehensive manual for mobile app security testing and reverse engineering. It describes the technical processes for verifying the controls listed in the OWASP Mobile Application Security Verification Standard (MASVS).
https://mas.owasp.org/
Creative Commons Attribution Share Alike 4.0 International

[SMS 2FA] - Enhance SMS-delivered code security with domain-bound codes #1991

Open cpholguera opened 2 years ago

cpholguera commented 2 years ago

Including the URL of the intended website within the SMS would mean websites and apps could automatically detect and read a 2FA SMS message, inputting the data. This would certainly be more convenient than remembering and then typing the keycode in. However, more importantly, by ensuring the code would only work with a specific, intended website, the plan could eliminate the risk of falling for a scam, whereby a user might unwittingly enter their 2FA code into a phishing site.

From the Spec by Google and Apple:

Security considerations

This specification attempts to mitigate the phishing risk associated with the delivery of one-time codes over SMS by enabling User Agents to know what website the one-time code is intended for.

This specification does not attempt to mitigate other risks associated with the delivery of one-time codes over SMS, such as SMS spoofing, SIM swapping, SIM cloning, IMSI-catchers, or interception of the message by an untrusted party.

Sites would do well to consider using non-SMS technologies such as [WEBAUTHN] for authentication or verification.

Privacy considerations

Any party which has access to a user’s SMS messages (such as the user’s cellular carrier, mobile operating system, or anyone who intercepted the message) can learn that the user has an account on the service identified in an origin-bound one-time code message delivered over SMS.

On some platforms, User Agents might need access to all incoming SMS messages—even messages which are not origin-bound one-time code messages—in order to support the autofilling of origin-bound one-time codes delivered over SMS in origin-bound one-time code messages.
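As an added illustration (not part of this issue or of the MASTG), the following parser accepts a code from an origin-bound one-time code SMS only when the host on its last line exactly matches the app's own host. The message format (explanatory text, then a final line `@host #code`, optionally followed by ` @embedded-host`) and the allowed character sets are taken from the WICG spec as I recall it and should be checked against the current spec text; all hosts and codes below are constructed sample values.

```python
"""Parse and validate origin-bound one-time code SMS messages.

Assumed format (WICG "Origin-bound one-time codes delivered via SMS" spec):
optional explanatory text, then a final line of the form
    @host #code
optionally followed by " @embedded-host" for codes entered in an embedded frame.
Hosts and codes used here are constructed sample values.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Final line: "@" host, one space, "#" code, optionally one space and "@" embedded host.
# Host: ASCII domain-label characters; code: ASCII alphanumerics (assumed character set).
_LAST_LINE = re.compile(
    r"^@(?P<host>[A-Za-z0-9.-]+) #(?P<code>[A-Za-z0-9]+)(?: @(?P<embedded>[A-Za-z0-9.-]+))?$"
)


@dataclass(frozen=True)
class OriginBoundCode:
    host: str
    code: str
    embedded_host: Optional[str] = None


def parse_origin_bound_sms(message: str) -> Optional[OriginBoundCode]:
    """Return the code bound on the message's last line, or None if it is malformed.
    Lines before the last one are explanatory text and are ignored; a trailing
    newline is tolerated (assumption)."""
    last_line = message.rstrip("\r\n").split("\n")[-1].rstrip("\r")
    m = _LAST_LINE.fullmatch(last_line)
    if not m:
        return None
    embedded = m["embedded"].lower() if m["embedded"] else None
    return OriginBoundCode(m["host"].lower(), m["code"], embedded)


def code_for_origin(message: str, expected_host: str) -> Optional[str]:
    """Accept the code only when the bound host equals the app's own host.
    Exact comparison is the point: suffix or substring matching would let a code
    bound to 'example.com.attacker.example' be autofilled for example.com."""
    parsed = parse_origin_bound_sms(message)
    if parsed is None or parsed.host != expected_host.lower():
        return None
    return parsed.code


if __name__ == "__main__":
    legit = "Your verification code is 123456.\n@example.com #123456"
    lookalike = "Your verification code is 123456.\n@example.com.attacker.example #123456"
    print(code_for_origin(legit, "example.com"))      # 123456
    print(code_for_origin(lookalike, "example.com"))  # None
```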

wwwhackcom commented 1 year ago

Hi @cpholguera and @sushi2k, I have been following this Enhance SMS domain-bound OTP and WebOTP recently, what do you reckon the next trend is for OTP, or maybe WEBAUTHN? Would be great if you can shed some light on this topic. On top of that, what's your next step for this issue? Cheers, Nick

cpholguera commented 1 year ago

Hi @wwwhackcom, sorry for the late reply. We've been extremely busy due to the MASVS refactoring.

What we'd like to do here is to write a little test case to test for this but considering the app side only. What can go wrong?

Do you think you can help us draft something? That'd be very helpful! Thank you!