
Twitter Digits (https://get.fabric.io/digits) provides an authentication/login system based on phone numbers for mobile apps, and several other mobile apps (e.g. Square Cash, https://squareup.com/help/us/en/article/5187-about-square-cash) have the same feature.

The problem with this type of authentication is: what happens when existing users change or abandon their phone numbers, and their old numbers get assigned to others (who may or may not be users of the app)?

This poses a security risk, because whoever owns a phone number registered in the system at the time will have access to the account of the former owner(s) of that number as a user of the app. And it doesn't seem that Digits (or any provider of such an authentication method) solves this problem, because they do not and likely cannot verify whether the current owner of a phone number is indeed the same person who registered with an app using the same number in the first place.

At the same time, the fact that a money-transferring app (Square Cash) is using the same method makes me wonder whether there is some reliable technique that may well solve the problem.

Any guess?

MLister
  • Lyft does the same thing as well. I don't know of any apps out there with a similar architecture that have a solution to this problem. Use email or Facebook credentials instead of phone numbers. Lyft problem link: https://news.ycombinator.com/item?id=9354963 – limbenjamin May 03 '15 at 03:29
  • (I'm not familiar with their services, but this is what I think:) It seems that in this case, the account-login security is delegated to the user. Before users change phone numbers, they need to update them. I agree that it's a security problem. Perhaps an extra "password" layer could be used to prevent anyone with your old phone number from having instant access to your account. – lepe Jul 17 '15 at 01:32
  • To be fair, number recycling only happens after the mobile number has had at least a year of inactivity. It should also be possible to detect whether the phone number on the phone has changed and see if it matches the one held in your account. – niallhaslam Sep 08 '15 at 09:47
  • @niallhaslam, I may be missing something here: 1. If a user explicitly changes her number (e.g. by switching to a different provider), then shouldn't her old number be available sooner than one year? 2. Last time I checked, it didn't seem that you could programmatically retrieve the current phone's number from an app, due to security/privacy restrictions. – MLister Sep 10 '15 at 05:05
  • It should be possible to fetch the phone number: http://stackoverflow.com/questions/5948446/to-get-phone-number-programatically-in-android And the number rotation rate would obviously vary on a per-carrier basis; however, a year is probably about right. – niallhaslam Sep 10 '15 at 09:39

1 Answer


Yes, if the login is based only on a phone number, the new possessor of a mobile number can install the app and access the account of the old owner of that phone number.

The solution would be to add a step for entry of a password/secret key (information that only the user knows).

Also, the user should be able to migrate to a new phone number by using the secret key.

Digits has implemented the above two changes:
  • http://get.digits.com/blog/launching-voice-verification-and-change-phone-number
  • https://www.digits.com/settings

One problem still remains. The old owner of the phone number can log in to Digits.com and either migrate to a new number or deactivate his account.

When he deactivates, the phone number must be released so that new owners of the phone number (or the same user, if he continues to own the number) can register using it. But what if the user did not deactivate his number? The number would be blocked, and the new owner of the number could not use it in the app.

Shashank
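The two fixes the answer describes (a secret the user must enter in addition to proving possession of the number, and a number-migration flow gated on that secret), and the residual problem it points out (a number stays bound until its owner migrates or deactivates), as an added example. This is not Digits or Square code; it is a self-contained account store written for this page. The phone numbers and user names are constructed, and the provider's SMS/voice possession check is assumed to have already happened: a `phone` argument below means "a number the caller has just proven they currently hold".

```python
import hashlib
import hmac
import os


class AccountStore:
    """Added example: phone-number login with and without a user-held secret."""

    def __init__(self):
        # phone -> {"owner": str, "salt": bytes, "hash": bytes}
        self._accounts = {}

    @staticmethod
    def _hash(secret, salt):
        # Slow, salted hash so a leaked table does not hand out the secrets.
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)

    def register(self, phone, owner, secret):
        # Residual problem from the answer: until the previous owner migrates
        # or deactivates, the number is still bound and a new holder is refused.
        if phone in self._accounts:
            raise ValueError("number already bound to an account")
        salt = os.urandom(16)
        self._accounts[phone] = {
            "owner": owner, "salt": salt, "hash": self._hash(secret, salt)}

    def login_phone_only(self, phone):
        # The original scheme: holding the number is the whole credential.
        rec = self._accounts.get(phone)
        return rec["owner"] if rec else None

    def _check(self, phone, secret):
        rec = self._accounts.get(phone)
        if rec is None:
            return None
        if hmac.compare_digest(rec["hash"], self._hash(secret, rec["salt"])):
            return rec
        return None

    def login(self, phone, secret):
        # Hardened scheme: number possession AND the user-held secret.
        rec = self._check(phone, secret)
        return rec["owner"] if rec else None

    def change_phone(self, old_phone, secret, new_phone):
        # Migration is gated on the secret, so a recycled-number holder
        # cannot move the old owner's account onto a number they control.
        rec = self._check(old_phone, secret)
        if rec is None or new_phone in self._accounts:
            return False
        self._accounts[new_phone] = self._accounts.pop(old_phone)
        return True

    def deactivate(self, phone, secret):
        # Releases the number so a later holder can register with it.
        if self._check(phone, secret) is None:
            return False
        del self._accounts[phone]
        return True


def recycled_number_scenario():
    """Alice registers +15550001 and abandons it; Bob is later assigned it (constructed)."""
    store = AccountStore()
    store.register("+15550001", "alice", "alice-secret")
    weak = store.login_phone_only("+15550001")       # Bob lands in Alice's account
    hardened = store.login("+15550001", "bob-guess")  # Bob is refused
    blocked = False
    try:
        store.register("+15550001", "bob", "bob-secret")
    except ValueError:
        blocked = True                                # ...but Bob cannot register either
    return weak, hardened, blocked


def migration_scenario():
    """Alice moves her account to a new number before giving up the old one (constructed)."""
    store = AccountStore()
    store.register("+15550001", "alice", "alice-secret")
    moved = store.change_phone("+15550001", "alice-secret", "+15550002")
    return moved, store.login("+15550002", "alice-secret"), store.login_phone_only("+15550001")


if __name__ == "__main__":
    print("recycled number:", recycled_number_scenario())
    print("migration:", migration_scenario())
```

`recycled_number_scenario` shows both halves of the answer at once: the phone-only login hands Bob Alice's account, the secret-gated login does not, and the number remains unusable for Bob until Alice deactivates or migrates, which is exactly the leftover problem the answer raises. `migration_scenario` shows the secret-gated move freeing the old number.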