Why authenticate your cell phone number via text in the register?

Viewed 165 times

4

I am developing an Android app, and early on I came across the following security question.

Why authenticate by SMS?

Does it bring extra security?

Why not just check the number present on the cell phone?

I was looking into authenticating the phone number provided at registration time, because most major applications use this method: sending an SMS with a code.

To send an SMS, I need a server and have to pay for it, right? And then I can check that the code arrived using the SMS Retriever API.

To check the mobile number via app, I can also use

import android.telephony.TelephonyManager;

// Requires the READ_PHONE_STATE permission (on Android 8.0+ READ_PHONE_NUMBERS also suffices);
// the call may return null or an empty string when the number is not stored on the SIM.
TelephonyManager tm = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
String numero = tm.getLine1Number();

What benefits do I get if I use the first approach instead of the second? Are there any flaws in either of them?

  • Do you intend to use only one of these two methods for authentication?

  • That's it, but would it be effective? If you use SMS you have an additional expense, so the question is the cost-benefit. Does just reading the number have a flaw? Is that why most apps send the code?

  • If you have physical access to a decent server, you can install a GSM modem on it and send the SMS directly through a SIM card of your own. The fact is that when you send an SMS, in principle only the real owner of the number will receive the code, independently of the data on the device.

3 answers

2

Hello, this question may produce divergent answers, since some people think that authenticating by SMS is not secure, while others think it is safe.

To recover the phone number by this method:

import android.telephony.TelephonyManager;

// Needs READ_PHONE_STATE (or READ_PHONE_NUMBERS on Android 8.0+) and reads whatever the SIM reports.
TelephonyManager tm = (TelephonyManager) getSystemService(TELEPHONY_SERVICE);
String numero = tm.getLine1Number();

can return an empty string, null, "????????", or, if the user changes number, it may still return the old number. So I do not advise using it. Maybe you could use another method to read the IMEI and authenticate with that, but what if the user changes device? How will they manage to authenticate?

Since there is no guaranteed way to obtain the user's phone number, SMS is used: the user provides their phone number, a text with a token is sent to them, and with that token they authenticate their number. Now some questions arise. If the user changes their number, you will need another method of authentication. Another situation: a user with mobile number X authenticates once and you save it in the database so that they don't need to authenticate all the time; that user then changes number, and another user who has acquired the mobile number X that belonged to the first user registers in your application. How would you handle this situation?

Perhaps one of the best solutions for this in terms of cost and benefit is to use SMS authentication with Firebase, Google login authentication with Firebase, or even Facebook Account Kit.

2

Why authenticate by SMS?

Because SMS is one of the standard methods of authentication, documented in RFC 8176.

Does it bring some extra security?

Yes, this involves another authentication factor in your application (I recommend reading up on MFA - Multi-Factor Authentication).

Currently it is of utmost importance to involve more than one authentication factor to perform operations, depending on the business. But why is that important?

Think about the following situation: You have an application that works with money (financial transactions, subscriptions, etc...), the form of authentication is a simple password. If by chance some user’s password is compromised, it is of utmost importance to perform damage control. And how do we do this?

There is a big difference between leaving all operations on the platform open and requesting a confirmation token through another channel to check whether the user actually authorizes the operation (a withdrawal, for example). If the attacker does not have access to the channel through which the token was sent, the operation cannot be carried out.

SMS is one of the methods; in the RFC I mentioned there are several others (OTP, user connection, physical token, etc.). Using SMS, for example, the attacker would also need access to the victim's number (by cloning it or intercepting the communication in some way) to enter the correct token and complete the transfer operation.

Why not just check the number present on the cell phone?

I believe it is not a very effective method, and you could emulate the phone's behaviour with any number (for example; I do not know how it is done, but it should be possible, after all everything is possible :) ).

The key point is to always involve one more confirmation/authentication factor, whether the validation will be automatic or not is a team decision regarding pros, cons and complexity.
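The two answers above describe the same flow from different angles: the first one (the user provides a number, receives a token by text, and proves possession of the number with that token, with the caveat that numbers get recycled) and the second one (the token travels over a channel the attacker is assumed not to control). The following is an added example, not code from the question or any of the answers, showing the server side of that flow. It assumes a paid SMS gateway abstracted as a callable `send_sms(number, text)`, an in-memory dict standing in for the database, and an injectable clock; the `FakeSmsGateway` and the phone numbers are constructed for the demo.

```python
# Server-side SMS one-time-code verification (added example; gateway, clock and
# storage are assumptions, not a specific project's implementation).
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6                          # only 10**6 codes: useless without an attempt limit
CODE_TTL_SECONDS = 300                   # code must be entered within 5 minutes
MAX_ATTEMPTS = 5                         # then the pending code is discarded
REVERIFY_AFTER_SECONDS = 90 * 24 * 3600  # numbers are recycled; re-check possession periodically


@dataclass
class PendingCode:
    code_hash: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0


def _hash_code(code: str, salt: bytes) -> bytes:
    # Store a salted hash so a leaked table does not hand out live codes directly.
    # Against offline guessing of 10**6 values this is weak; TTL and attempt limit matter more.
    return hashlib.sha256(salt + code.encode("ascii")).digest()


class SmsOtpVerifier:
    def __init__(self, send_sms, clock=time.time):
        self._send_sms = send_sms            # assumed gateway callable: send_sms(number, text)
        self._clock = clock
        self._pending: dict[str, PendingCode] = {}
        self._verified_at: dict[str, float] = {}

    def start(self, number: str) -> None:
        """Generate a fresh code, keep only its hash, and send the code over the SMS channel."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        self._pending[number] = PendingCode(_hash_code(code, salt), salt,
                                            self._clock() + CODE_TTL_SECONDS)
        self._send_sms(number, f"Your verification code is {code}")  # code never returned to caller

    def verify(self, number: str, submitted: str) -> bool:
        """True only if `submitted` matches a live, single-use, unexhausted pending code."""
        entry = self._pending.get(number)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[number]
            return False
        entry.attempts += 1
        if entry.attempts > MAX_ATTEMPTS:
            del self._pending[number]        # force a new code after too many guesses
            return False
        if not hmac.compare_digest(_hash_code(submitted, entry.salt), entry.code_hash):
            return False
        del self._pending[number]            # single use
        self._verified_at[number] = self._clock()
        return True

    def is_verified(self, number: str) -> bool:
        """A past verification goes stale, since the number may belong to someone else by now."""
        ts = self._verified_at.get(number)
        return ts is not None and self._clock() - ts <= REVERIFY_AFTER_SECONDS


class FakeSmsGateway:
    """Constructed stand-in for the SMS provider: records what each number 'received'."""
    def __init__(self):
        self.inbox: dict[str, str] = {}

    def send(self, number: str, text: str) -> None:
        self.inbox[number] = text

    def last_code(self, number: str) -> str:
        return self.inbox[number].rsplit(" ", 1)[1]


def _wrong_guess(real_code: str) -> str:
    # A guess guaranteed to differ from the real code (avoids a 1-in-10**6 flaky demo).
    return f"{(int(real_code) + 1) % 10 ** CODE_DIGITS:0{CODE_DIGITS}d}"


def run_demo() -> dict:
    """Walk through the cases the answers raise; each value should be True."""
    now = [1_700_000_000.0]                  # constructed fake clock
    gw = FakeSmsGateway()
    v = SmsOtpVerifier(gw.send, clock=lambda: now[0])
    user = "+15550100"                       # constructed number
    r = {}
    v.start(user)
    r["wrong_code_rejected"] = not v.verify(user, _wrong_guess(gw.last_code(user)))
    r["right_code_accepted"] = v.verify(user, gw.last_code(user))
    r["code_is_single_use"] = not v.verify(user, gw.last_code(user))
    r["now_verified"] = v.is_verified(user)
    v.start(user)
    now[0] += CODE_TTL_SECONDS + 1
    r["expired_code_rejected"] = not v.verify(user, gw.last_code(user))
    v.start(user)
    for _ in range(MAX_ATTEMPTS):
        v.verify(user, _wrong_guess(gw.last_code(user)))
    r["locked_after_max_attempts"] = not v.verify(user, gw.last_code(user))
    now[0] += REVERIFY_AFTER_SECONDS + 1
    r["stale_verification_expires"] = not v.is_verified(user)
    return r


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The gateway call is the only place the clear-text code leaves the server, which is exactly the property the second answer relies on: an attacker who holds the password but not the phone channel cannot obtain the token. The `REVERIFY_AFTER_SECONDS` check addresses the first answer's recycled-number scenario by refusing to trust a verification forever.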

-4

The phone number obtained does not contain the area code (DDD); it is possible to obtain the country code (br) and derive the international prefix (DDI). However, the user can provide a different area code. If there is no way to verify the postal code (CEP) of their address. (Very rarely will they be far away; in that case the location can help via latitude and longitude, but the registration will not always be done in your state of residence. In some countries neither the postal code nor the location can determine the exact area code. As long as there is a possibility that someone might cheat you in some way,.
