Passwordless SMS authentication - Token expiration & Security

Time:04-20

I am looking to implement a passwordless solution for a mobile app currently in production. The aim is to make the login process smoother for the users by removing the use of a password. Since the app is mobile only and the phone number of the users is already used as a username, I feel like a solution using Twilio to generate an OTP (one-time password) to log in is a good alternative.

Nonetheless, today when a user logs in, the authentication token has no expiration date (they stay logged in forever). I would like to know if using an OTP to generate such an unlimited (or very long-lasting) auth token would be considered a security issue. Are there some best practices to take into consideration, like refresh tokens or others...

To be clear my question is:

Is using OTP with SMS considered good practice to stay always logged in to an app? And do you see any flaw in my reasoning?

Thank you!
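The OTP-plus-token flow the question describes, as an added example that is not code from the post or from Twilio: the SMS code is stored hashed with a short expiry and an attempt limit, and a successful check issues a short-lived access token plus a single-use refresh token instead of a token that never expires. The class name, the TTL values and the in-memory dictionaries are assumptions; handing the code to an SMS gateway is left out.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL = 300            # seconds an SMS code stays valid (assumed policy)
MAX_ATTEMPTS = 5         # wrong guesses before the code is discarded
ACCESS_TTL = 15 * 60     # short-lived access token, 15 minutes (assumed)
REFRESH_TTL = 30 * 86400 # refresh token lifetime, 30 days (assumed)


class PasswordlessAuth:
    """Hypothetical server-side store; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # phone -> [sha256(code), expiry, attempts]
        self.access = {}   # access token -> (phone, expiry)
        self.refresh = {}  # refresh token -> (phone, expiry)

    def send_code(self, phone):
        code = f"{secrets.randbelow(10**6):06d}"       # CSPRNG, 6 digits
        digest = hashlib.sha256(code.encode()).digest()  # never store plaintext
        self.pending[phone] = [digest, self.now() + OTP_TTL, 0]
        return code  # goes to the SMS gateway only, never back to the client

    def verify_code(self, phone, code):
        entry = self.pending.get(phone)
        if entry is None or self.now() > entry[1]:      # unknown or expired
            self.pending.pop(phone, None)
            return None
        entry[2] += 1
        if entry[2] > MAX_ATTEMPTS:                      # brute-force limit
            del self.pending[phone]
            return None
        if not hmac.compare_digest(entry[0], hashlib.sha256(code.encode()).digest()):
            return None
        del self.pending[phone]                          # one-time: consumed on success
        return self._issue(phone)

    def _issue(self, phone):
        access, refresh = secrets.token_urlsafe(32), secrets.token_urlsafe(32)
        self.access[access] = (phone, self.now() + ACCESS_TTL)
        self.refresh[refresh] = (phone, self.now() + REFRESH_TTL)
        return {"access": access, "refresh": refresh}

    def rotate(self, refresh):
        entry = self.refresh.pop(refresh, None)          # single use: old token dies
        if entry is None or self.now() > entry[1]:
            return None
        return self._issue(entry[0])

    def authenticate(self, access):
        entry = self.access.get(access)
        return None if entry is None or self.now() > entry[1] else entry[0]
```

A stolen access token is only useful until ACCESS_TTL runs out, and a refresh token seen twice (replay after rotation) fails, which is the signal to revoke the session.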

CodePudding user response:

Look at https://bere.al/en ; Bereal uses this system to auth users. We have problems when you change/lose your SIM card. But I don't see any security problem.
