
Verify identity for additional device registration

Once a user has registered a device, they are free to register additional devices. Before an additional device is registered, verify the user's identity to prevent the attack described below.

The issue

A user who registered their first device with an authentication method other than SMS wants to register another device using SMS.

With a basic implementation, an attacker can register their own device using SMS and associate their own phone number with the user's account, which can lead to an account takeover.

Whether this account takeover is possible depends heavily on your implementation.

We recommend adding a verification step to your SMS registration flow to ensure that the requester and the user are the same person.

If the requester can prove they are the user by authenticating with the already registered device, the registration of the new device is allowed.
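As an added illustration, not code from the original page, the basic flow described above beside a hardened one. It assumes an in-memory user record and a short-lived, single-use step-up proof that the service issues only after the requester authenticates with a device already registered to that user.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PROOF_TTL = 300  # seconds a step-up proof stays valid (assumed policy value)


@dataclass
class StepUpProof:
    """Issued after the requester authenticated with an already registered device."""
    user_id: str
    device_id: str
    issued_at: float
    consumed: bool = False


@dataclass
class User:
    user_id: str
    devices: Dict[str, str] = field(default_factory=dict)  # device_id -> method
    phone: Optional[str] = None


class RegistrationDenied(Exception):
    pass


def register_sms_device_basic(user: User, device_id: str, phone: str) -> bool:
    """The basic flow the page warns about: whoever reaches this endpoint
    for the account can bind their own phone number to it."""
    user.devices[device_id] = "sms"
    user.phone = phone
    return True


def register_sms_device(user: User, device_id: str, phone: str,
                        proof: Optional[StepUpProof], now: Optional[float] = None) -> bool:
    """Hardened flow: an additional device is enrolled only after the requester
    proves possession of a device already registered to this user."""
    now = time.time() if now is None else now
    if user.devices:  # an additional device, so step-up verification is required
        if proof is None:
            raise RegistrationDenied("step-up verification required")
        if proof.user_id != user.user_id or proof.device_id not in user.devices:
            raise RegistrationDenied("proof does not come from this user's registered device")
        if proof.consumed or now - proof.issued_at > PROOF_TTL:
            raise RegistrationDenied("proof expired or already used")
        proof.consumed = True  # single use: one proof cannot enroll several devices
    user.devices[device_id] = "sms"
    user.phone = phone
    return True
```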