An empirical study of SMS one-time password authentication in Android apps

“…Also, during Step 5, the generated OTP needs to be compared against the one provided by the app. These security properties have been previously studied and discussed [51] and found to be violated in some apps' implementations [45].…”

“…Specifically, AUTH-EYE [45] shows that, in many cases, the SMS OTP is generated incorrectly (e.g., insufficient OTP randomness or insufficient OTP length), or that the OTP code is incorrectly verified (e.g., too many allowed retry attempts or too long renewal interval). Our work is complementary to AUTH-EYE.…”

“…SMS-based authentication issues. Previous studies have identified a set of implementation issues [10], [45], which can result in a vulnerable SMS-based authentication scheme. For example, whether the OTP code generated with less entropy or with longer expiration time.…”

“…Another line of research focused on better understanding the real-world security implications of SMS OTP authentication issues [23], [35], [45], [63]. Specifically, AUTH-EYE [45] proposed a fully automated approach to identify and detect the implementation flaws of apps using the SMS OTP authentication scheme on a large scale. Their analysis focuses on whether the SMS OTP code is securely generated (e.g., the OTP randomness, length) and verified (e.g., allowed retry attempts, renewal interval).…”

“…Moreover, it is known that state-level attackers can intercept SMS OTP messages, by interfering with local telecom companies [59]. Most recently, a study [45] has shown that many Android apps insecurely implement the generation and verification of SMS OTPs, used in their authentication protocols. For example, some apps generate SMS OTPs with insufficient randomness or insufficient length.…”

On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices

“…Also, during Step 5, the generated OTP needs to be compared against the one provided by the app. These security properties have been previously studied and discussed [51] and found to be violated in some apps' implementations [45].…”

“…Specifically, AUTH-EYE [45] shows that, in many cases, the SMS OTP is generated incorrectly (e.g., insufficient OTP randomness or insufficient OTP length), or that the OTP code is incorrectly verified (e.g., too many allowed retry attempts or too long renewal interval). Our work is complementary to AUTH-EYE.…”

“…SMS-based authentication issues. Previous studies have identified a set of implementation issues [10], [45], which can result in a vulnerable SMS-based authentication scheme. For example, whether the OTP code generated with less entropy or with longer expiration time.…”

“…Another line of research focused on better understanding the real-world security implications of SMS OTP authentication issues [23], [35], [45], [63]. Specifically, AUTH-EYE [45] proposed a fully automated approach to identify and detect the implementation flaws of apps using the SMS OTP authentication scheme on a large scale. Their analysis focuses on whether the SMS OTP code is securely generated (e.g., the OTP randomness, length) and verified (e.g., allowed retry attempts, renewal interval).…”

“…Moreover, it is known that state-level attackers can intercept SMS OTP messages, by interfering with local telecom companies [59]. Most recently, a study [45] has shown that many Android apps insecurely implement the generation and verification of SMS OTPs, used in their authentication protocols. For example, some apps generate SMS OTPs with insufficient randomness or insufficient length.…”

On the Insecurity of SMS One-Time Password Messages against Local Attackers in Modern Mobile Devices

You’ve Got (a Reset) Mail: A Security Analysis of Email-Based Password Reset Procedures

Real-Time Eye Blinking for Password Authentication