Security vulnerability: the SMS and Voice methods allow for no-confirmation-required abuse when “registering” phone numbers via the Authenticators Management portal. Just about any similar mechanism by your bank, electric company, Gmail registration, O365 MFA, etc. will require you to prove that you own the number you are claiming is your SMS/Text number or phone number – by actually sending you an OTP via SMS/Text or Phone Call – before allowing you to fully store that SMS/Voice number. Right now, the AA product allows users to type any number they want and the product all too happily just stores it with zero confirmation required. We absolutely need the ability for our users to choose and enter those numbers – but you absolutely must enforce basic due diligence of verifying they own it! Current implementation is flawed as it is ripe for abuse to pseudo-anonymously annoy colleagues you don’t like or could even be used to text/call any 3rd party entity like your local Domino’s Pizza, then opening your company up to potential lawsuits for harassment.
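The verify-before-store flow requested above, as an added example that is not part of the original post and not the AA product's code: a number is held as pending and only becomes the user's enrolled number after the OTP sent to it is returned. The class name, the `send_sms` callback and the limit values are assumptions; the per-user send cap is there so the challenge message itself cannot be used to flood someone else's number.

```python
import hmac
import secrets
import time

OTP_TTL = 300            # seconds a challenge stays valid (assumed value)
MAX_ATTEMPTS = 3         # wrong codes allowed before the challenge is dropped
MAX_SENDS_PER_HOUR = 3   # cap on challenges one user can trigger


class PhoneEnrollment:
    """Hypothetical enrollment store: numbers are saved only after proof of ownership."""

    def __init__(self, send_sms, clock=time.time):
        self.send_sms = send_sms   # callback(number, text); gateway is assumed
        self.clock = clock
        self.verified = {}         # user -> confirmed number
        self.pending = {}          # user -> [number, otp, expires_at, attempts_left]
        self.sends = {}            # user -> timestamps of recent challenges

    def request(self, user, number):
        """Start enrollment: send an OTP, store nothing as verified yet."""
        now = self.clock()
        recent = [t for t in self.sends.get(user, []) if now - t < 3600]
        if len(recent) >= MAX_SENDS_PER_HOUR:
            return False           # refuse to send more messages for this user
        otp = f"{secrets.randbelow(10**6):06d}"
        self.pending[user] = [number, otp, now + OTP_TTL, MAX_ATTEMPTS]
        self.sends[user] = recent + [now]
        self.send_sms(number, f"Your verification code is {otp}")
        return True

    def confirm(self, user, code):
        """Finish enrollment only if the code sent to the number comes back."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        number, otp, expires_at, _ = entry
        if self.clock() > expires_at:
            del self.pending[user]
            return False
        if not hmac.compare_digest(otp.encode(), str(code).encode()):
            entry[3] -= 1          # count the failed guess
            if entry[3] <= 0:
                del self.pending[user]
            return False
        del self.pending[user]
        self.verified[user] = number   # the only place a number is stored
        return True
```
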
