SMS verification
17.2.3.6.1.1. Example: SMS verification
83105359.png

Create a "User Self Registration REST Config" in Loginapp >> REST Settings >> User Provisioning Settings >> Self Registration Configuration with the following settings:

  • 1.
    "Enable Stealth Mode" is active.
  • 2.
    "Alias Attribute Names" has a single entry with the value "mtan_number".
  • 3.
    "User Context Data Item List" has an element of any type of "Self Reg User Context Data Item Config" (e.g. "International Phone Number User Context Data Item") where the "Context Data Field" has the value "mtan_number". The "Context Data Item List" may contain additional "Self Reg User Context Data Item Config" entries, each of which must have a "Context Data Field" that is different from "mtan_number". The uniqueness check enforces that neither the provided "username" nor the "mtan_number" conflicts with a value from the union of the columns "username" and "mtan_number" of existing users.
  • 4.
    As "Channel Verification" a plugin of type "SMS Verification" is used. The "Phone Number Property" of the "SMS Verification" is "mtan_number".
  • 5.
    An "Id Pattern Self Registration Validator" with a pattern that does not match any valid phone number (e.g. any pattern that only allows letters and disallows digits) is configured as "Self Registration Validator".

This configuration prevents an honest user or a potential attacker from learning whether there already exists a user record with a given phone number as "mtan_number" unless he has (at least temporarily) access to the given phone number.

Note that it is essential that registration requests with phone numbers as usernames are invalid. If no "Id Pattern Self Registration Validator" were used, an attacker would be able to send a registration request with a phone number that he owns and that has not been registered yet as "mtan_number" and with any other phone number as username. By observing whether the registration request triggers a channel verification message to the phone number he owns, he could now learn whether a user record with the other phone number exists or not.