
Passwordless SMS authentication - Token expiration & Security

I am looking to implement a passwordless solution for a mobile app currently in production. The aim is to make the login process smoother for the users by removing the use of a password. Since the app is mobile only and the phone number of the users is already used as a username, I feel like a solution using Twilio to generate an OTP (one-time password) to log in is a good alternative.

Nonetheless, today when a user logs in, the authentication token has no expiration date (they stay logged in forever). I would like to know if using an OTP to generate such an unlimited (or very long-lasting) auth token would be considered a security issue. Is there some best practice to take into consideration, like refresh tokens or other...

To be clear, my question is:

Is using OTP with SMS considered good practice for staying always logged in to an app? And do you see any flaw in my reasoning?

Thank you!
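One server-side layout for the flow described in the question, added here as an example rather than code from the original post: the SMS code expires, is single-use and attempt-limited, the access token is short-lived, and a rotating refresh token is what keeps the user logged in, with replay of a spent refresh token revoking the whole session family. Twilio delivery of the code is out of scope; the in-memory `SessionStore`, the TTL values and the dict standing in for a signed token are assumptions.

```python
import hmac
import secrets

OTP_TTL = 300              # SMS code valid for 5 minutes (assumed value)
ACCESS_TTL = 15 * 60       # short-lived access token (assumed value)
REFRESH_TTL = 30 * 86400   # "stay logged in" bounded to 30 days per refresh (assumed)
MAX_ATTEMPTS = 5           # guesses allowed per issued code (assumed)


class SessionStore:  # in-memory stand-in for server-side state (hypothetical)
    def __init__(self):
        self.otps = {}            # phone -> [code, expires_at, attempts]
        self.refresh = {}         # live refresh token -> (phone, expires_at, family)
        self.used = {}            # spent refresh token -> family (replay detection)
        self.revoked_families = set()

    def issue_otp(self, phone, now):
        code = f"{secrets.randbelow(10**6):06d}"   # what would be handed to Twilio
        self.otps[phone] = [code, now + OTP_TTL, 0]
        return code

    def verify_otp(self, phone, code, now):
        """Return (access_token, refresh_token) on success, None otherwise."""
        entry = self.otps.get(phone)
        if entry is None or now > entry[1] or entry[2] >= MAX_ATTEMPTS:
            return None                       # no code, expired, or locked out
        entry[2] += 1
        if not hmac.compare_digest(entry[0], code):   # constant-time compare
            return None
        del self.otps[phone]                  # one-time: burn the code on success
        return self._new_pair(phone, now, family=secrets.token_hex(8))

    def _new_pair(self, phone, now, family):
        access = {"sub": phone, "exp": now + ACCESS_TTL}   # stands in for a signed JWT
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (phone, now + REFRESH_TTL, family)
        return access, rt

    def rotate(self, rt, now):
        """Exchange a refresh token for a new pair; reuse of a spent one kills the family."""
        if rt in self.used:
            self.revoked_families.add(self.used[rt])
            return None
        entry = self.refresh.pop(rt, None)
        if entry is None:
            return None                       # never issued
        phone, exp, family = entry
        self.used[rt] = family
        if family in self.revoked_families or now > exp:
            return None
        return self._new_pair(phone, now, family)
```

The refresh token, not the access token, is what carries the "logged in forever" experience, and because it rotates on every use, a token copied off a lost device stops working as soon as either copy is presented again.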

Look at https://bere.al/en, Bereal uses this system to auth users. We have problems when you change/lose your SIM card. But I don't see any security problem.
