wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.
http://wso2.github.io/
Apache License 2.0

Passwordless support for SMS-OTP, Email-OTP, TOTP #7897

Open GDRDABARERA opened 4 years ago

GDRDABARERA commented 4 years ago

Many clients now request passwordless support with email OTP and SMS OTP.

With this improvement these authenticators should behave as follows,

ruwanta commented 4 years ago

This requires an analytics and throttling layer in front of the IS authentication endpoint. Otherwise anyone (mostly malicious users) can initiate the flow and fill up the real users' email or SMS inboxes.

Also, it can cause heavy charges to be incurred by the party running the IS, for sending unwanted mails and SMS.

Hence this requirement needs to be de-prioritized until proper attack mitigation measures can be put in place.
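
A throttling gate of the kind the comment above asks for, as an added example (not part of this issue thread and not WSO2 Identity Server code). It checks every OTP send against a per-recipient limit (inbox flooding), a per-source limit, and a global cap (SMS and mail cost); the class name, limits and window length are assumptions.

```python
import time
from collections import defaultdict, deque


class OtpSendThrottle:
    """Sliding-window gate evaluated before any OTP e-mail or SMS is sent."""

    def __init__(self, per_recipient=3, per_source=10, global_cap=100,
                 window=600.0, clock=time.monotonic):
        # All limits and the window length are illustrative assumptions.
        self.limits = {"recipient": per_recipient, "source": per_source,
                       "global": global_cap}
        self.window = window
        self.clock = clock
        # In-memory state for the example; a shared store with expiry is
        # assumed for a real multi-node deployment.
        self.events = defaultdict(deque)  # (scope, key) -> send timestamps

    def _count(self, bucket, now):
        q = self.events[bucket]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop sends that fell out of the window
        return len(q)

    def allow(self, recipient, source_ip):
        """Return (allowed, reason). The send is recorded only when allowed."""
        now = self.clock()
        buckets = [("recipient", recipient.strip().lower()),
                   ("source", source_ip),
                   ("global", "*")]
        for scope, key in buckets:
            if self._count((scope, key), now) >= self.limits[scope]:
                return False, scope  # name the limit that tripped, for logging
        for bucket in buckets:
            self.events[bucket].append(now)
        return True, "ok"


def replay(throttle, requests):
    """Run constructed (recipient, source_ip) requests through the gate."""
    return [throttle.allow(r, ip)[1] for r, ip in requests]


if __name__ == "__main__":
    # Constructed sample: one source repeating one recipient, then other users.
    t = OtpSendThrottle(per_recipient=3, per_source=5, global_cap=8)
    flood = [("victim@example.com", "198.51.100.7")] * 4
    others = [(f"user{i}@example.com", "198.51.100.7") for i in range(4)]
    print(replay(t, flood + others))
```

The per-recipient bucket is keyed on the normalized address rather than the requester, so changing the source address does not reset the count for the same inbox.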