Open GDRDABARERA opened 4 years ago
This requires an analytics and throttling layer in front of the IS authentication endpoint. Otherwise anyone (mostly malicious users) can initiate the flow and fill up real users' email or SMS inboxes.
It can also cause heavy charges to be incurred by the party running the IS for sending unwanted emails and SMS messages.
Hence this requirement needs to be de-prioritized until proper attack-mitigation measures can be put in place.
Many clients now request passwordless support with email OTP and SMS OTP.
With this improvement, these authenticators should behave as follows:
If SMS/Email/TOTP is configured as the first step, the username should be requested first, then the OTP sent to the relevant user's email or mobile, and the user authenticated with it.
If SMS/Email/TOTP is configured as the second or third step, this username-requesting option should be ignored; the authenticated user should be taken from the context and the SMS/email sent to that user.
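The two points raised in this thread, the step-dependent user resolution in the feature request and the throttling layer the maintainer asks for before it can ship, can be sketched together in one component. The following is an added example written for this page, not code from WSO2 Identity Server or its authenticators; the user store, the limits (3 per user per 10 minutes, 10 per client IP per 10 minutes, 1000 globally per minute), the IP addresses and the usernames are all constructed for illustration.

```python
"""Added example (not WSO2 IS code): an OTP dispatcher that resolves the target
user from the authentication step and throttles sends per user, per client IP
and globally, so an anonymous caller cannot flood inboxes or run up the bill."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Constructed sample user store: username -> (email, mobile). Hypothetical data.
USERS: Dict[str, Tuple[str, str]] = {
    "alice": ("alice@example.com", "+10000000001"),
    "bob": ("bob@example.com", "+10000000002"),
}


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for a given key."""

    def __init__(self, limit: int, window_seconds: int) -> None:
        self.limit = limit
        self.window = window_seconds
        self._events: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Drop timestamps that have fallen out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


@dataclass
class Result:
    accepted: bool
    reason: str


@dataclass
class OtpDispatcher:
    # Per-user cap bounds how badly a single inbox can be flooded (assumed limits).
    per_user: SlidingWindowLimiter = field(default_factory=lambda: SlidingWindowLimiter(3, 600))
    # Per-IP cap bounds one client spraying many usernames.
    per_ip: SlidingWindowLimiter = field(default_factory=lambda: SlidingWindowLimiter(10, 600))
    # Global cap bounds the operator's SMS/email spend during a distributed attack.
    global_: SlidingWindowLimiter = field(default_factory=lambda: SlidingWindowLimiter(1000, 60))
    # Records (username, channel, destination) instead of calling a real gateway.
    sent_log: List[Tuple[str, str, str]] = field(default_factory=list)

    def request_otp(self, step: int, channel: str, client_ip: str, now: float,
                    context_user: Optional[str] = None,
                    submitted_username: Optional[str] = None) -> Result:
        # Resolve the target user according to the step position described in the issue:
        # first step asks for a username, later steps take the user from the context.
        if step == 1:
            if submitted_username is None:
                return Result(False, "username required in first step")
            username = submitted_username
        else:
            if context_user is None:
                return Result(False, "no authenticated user in context")
            username = context_user  # any submitted username is ignored here

        # Throttle before touching the user store or any gateway. The per-IP check
        # runs even for unknown usernames, so a spray costs the attacker budget
        # whether or not the account exists.
        if not self.per_ip.allow(client_ip, now):
            return Result(False, "rate limited")
        if not self.per_user.allow(username.lower(), now):
            return Result(False, "rate limited")
        if not self.global_.allow("global", now):
            return Result(False, "rate limited")

        contact = USERS.get(username)
        if contact is None:
            # Respond exactly as for a real user so the endpoint does not confirm
            # which usernames exist; nothing is actually sent.
            return Result(True, "accepted")
        email, mobile = contact
        destination = email if channel == "email" else mobile
        self.sent_log.append((username, channel, destination))
        return Result(True, "accepted")
```

The three limiters deliberately nest: the per-user limit protects the victim, the per-IP limit makes a single-source spray expensive, and the global limit is the operator's cost ceiling when the first two are evaded with many addresses and many usernames. Returning the same "accepted" answer for unknown usernames keeps the first-step username prompt from doubling as an account-enumeration oracle.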