kratos
kratos copied to clipboard
ory
feat: phone verification via sms code
Added support for verifying phone numbers using verification code strategy and courier SMS support.
Related issue(s)
#2824
Checklist
- [x] I have read the contributing guidelines.
- [ ] I have referenced an issue containing the design document if my change introduces a new feature.
- [x] I am following the contributing code guidelines.
- [x] I have read the security policy.
- [x] I confirm that this pull request does not address a security vulnerability. If this pull request addresses a security vulnerability, I confirm that I got the approval (please contact [email protected]) from the maintainers to push the changes.
- [x] I have added tests that prove my fix is effective or that my feature works.
- [ ] I have added or changed the documentation.
Further Comments
- How should attempts to verify an unknown phone number be handled?
- Should the resend logic be enhanced to prevent abuse of SMS?
- Should recovery be supported via phone?
Our use-case is that we will allow signup/login using either email or mobile number and will verify either/both during our "signup" flow using code strategy. We service markets where customers don't necessarily have an email address.
How should attempts to verify an unknown phone number be handled?
Good question, I don't think we should send an SMS in that case. Maybe we change the labels to explain this:
An SMS will be sent to the phone number you supplied. If the number is unknown, no SMS will be sent. Please check that the number you provided is indeed correct.
Should the resend logic be enhanced to prevent abuse of SMS?
Absolutely, but I don't know how :/ Do you have ideas?
Should recovery be supported via phone?
I don't think we should, given the security profile of SMS.
Is something needed to get this done/merged? :) I would love to see this feature in action.
Except the questions - my suggestion: Let's look at how others handle this and "borrow" the ideas from there. :) Resending should be with a configurable delay. Maybe even max per day?
Recovery via phone is maybe a feature in the future, I think verifying the phone number is a huge plus already, so let's keep the focus on that for this PR.
And regarding the unknown number, I agree with @aeneasr s idea :)
Apologies for not replying sooner - was hoping to have better answers before replying, but alas:
How should attempts to verify an unknown phone number be handled?
Good question, I don't think we should send an SMS in that case. Maybe we change the labels to explain this:
An SMS will be sent to the phone number you supplied. If the number is unknown, no SMS will be sent. Please check that the number you provided is indeed correct.
I agree.
Should the resend logic be enhanced to prevent abuse of SMS?
Absolutely, but I don't know how :/ Do you have ideas?
Effectively the same ideas as @DrBu7cher, see how others handle it, like:
- enforcing a time delay between resends
- configurable max sends per phone number (per day, forever)
Should recovery be supported via phone?
I don't think we should, given the security profile of SMS.
Definitely agree with this.
Effectively the same ideas as @DrBu7cher, see how others handle it, like:
- enforcing a time delay between resends
- configurable max sends per phone number (per day, forever)
@aeneasr these seem like reasonable protections against abuse
Hi All,
Any update on this feature? I really like to have phone verification on user registration.
Beside, I could not find any document for configuration SMS provider.
Thanks, Cong Nga Le
Hi All,
Any update on this feature? I really like to have phone verification on user registration too.
Thanks!
Hi @nrutherford, thank you for the contribution. I was bit late to see this DRAFT PR, so created exactly a similar solution on a private branch to be used. Guess not needed after your PR is merged. Do you have a timeline to this one ?
Agree to the comments made regarding NOT sending SMS to unknown recipients and not using SMS for recovery. Had a same implementation myself.
cc @aeneasr
