logo

Database

Authentication mechanism absence or evasion - OTP

Need

Implementation of a secure and validated OTP (One-Time Password) authentication mechanism

Context

• Usage of Swift for iOS and macOS app development

• Usage of UIKit for building modern and responsive user interfaces

Description

1. Non compliant code

import UIKit

class RegisterViewController: UIViewController {

    @IBOutlet weak var phoneNumberTextField: UITextField!
    @IBOutlet weak var verificationCodeTextField: UITextField!
    
        let phoneNumber = phoneNumberTextField.text...

In the above code, we have a `RegisterViewController` where the user inputs their phone number and a verification code that they received via SMS. When the register button is clicked, the `registerButtonTapped` function is called. The problem here is that we are not verifying the OTP (One-Time Password) at all. We are just taking the input from the `verificationCodeTextField` and creating a new user with it. This means that a user can input any value in the `verificationCodeTextField` and still be able to register. This is a big security flaw as it allows anyone to register with any phone number without needing to verify it. Even worse, the code does not check if the verification code is 6 digits long, which is the standard length for OTPs. This means that a user can input a code of any length and it will still be accepted. This makes it even easier for an attacker to guess a valid code, as they do not need to guess 6 specific digits.

2. Steps

• Implement a proper OTP verification mechanism during the registration process.

• Generate a random 6-digit verification code and send it to the user's associated cellular number.

• Validate the entered verification code against the generated code to ensure it matches.

• Ensure that the verification code has the specified number of digits (6 digits in this case).

• Reject the registration if the verification code is not valid or does not match the generated code.

3. Secure code example

import UIKit

class RegisterViewController: UIViewController {

    @IBOutlet weak var phoneNumberTextField: UITextField!
    @IBOutlet weak var verificationCodeTextField: UITextField!
    
    ...

The updated code now includes a proper OTP verification mechanism during the registration process. When the `RegisterViewController` is loaded, a random 6-digit verification code is generated and sent to the user's associated cellular number. When the user taps the register button, the entered verification code is validated against the generated code to ensure it matches. If the verification code is not valid or does not match the generated code, an error message is shown and the registration process is halted. If the verification code is valid and matches the generated code, a new user is created with the verified phone number and saved to the database. The user is then navigated to the next screen. This way, the vulnerability of the authentication mechanism absence or evasion is fixed.