SMS as a primary authentication method

[kyrylo]

I am aware of the security considerations that come with this method.

I want to use SMS as my primary authentication method. The flow is that the user signs up by confirming their mobile number via an OTP code. They should be able to sign in using the same mechanism. I don't want to use 2FA, and I don't care about emails in this app. Passwords won't be involved either. I might add extra features in the future, but as of now, they're not needed.

I searched everywhere, and it looks like this is not supported yet. That said, it looks like the critical code is already written because the flow that I need is already supported via sms_codes.

Did I miss something? If this is indeed not supported, how hard would it be to add support for it?
Thank you!

[jeremyevans]

I don't think this is supported by default. It's possible to create an sms_login feature similar to webauthn_login, but it hasn't been done as in general SMS is a poor authentication choice. SMS wasn't great as an MFA option when support was added in 2016, has gotten relatively worse compared to other authentication options over time, and in general should never be used as the sole authentication method for anything important. See https://theconversation.com/how-hackers-can-use-message-mirroring-apps-to-see-all-your-sms-texts-and-bypass-2fa-security-165817 for a discussion of some of the issues with using SMS for authentication.

[jeremyevans]

Apologies, I didn't notice the first paragraph in your post. Hopefully you can look at webauthn_login and get an idea for how to create an sms_login feature.

[kyrylo]

Thank you for the information. 🙇‍♂️
I will check it out.