Mobile SMS Verification Login: How It Works and How to Secure It

This article explains the workflow of mobile SMS verification login, outlines its main security risks such as code leakage, SMS bombing, and replay attacks, and provides practical mitigation strategies for developers and platform operators to protect user accounts.

Lobster Programming

1. Principle of Mobile SMS Verification Login

Mobile SMS verification login allows users to log in by entering their phone number and a one‑time verification code sent via SMS, eliminating the need to remember passwords and often combining registration and login into a single step.

The client sends a code request to the server; the server generates a code and stores it in Redis, keyed by the phone number, together with an expiry. The server then uses an SMS provider to deliver the code to the user's phone. The user enters the received code and submits the login request.

Upon receiving the login request, the server validates the phone number and code against the stored value in Redis, checks expiration, and grants access if the verification succeeds.

2. Risks of Mobile SMS Verification Login

2.1 SMS Code Leakage

Attackers may trick users into revealing the verification code, allowing unauthorized access to the victim's account. Users should never share verification codes, and platforms should clearly state the purpose of the code in the SMS and consider additional verification (e.g., facial recognition) when suspicious activity is detected.

2.2 SMS Bombing

Attackers can repeatedly request verification codes for a phone number, flooding the user with SMS messages and incurring high costs for the service provider. Mitigations include adding a CAPTCHA before sending the code and implementing strict rate‑limiting based on device ID, phone number, and IP address (e.g., one request per minute per phone, maximum ten requests per day).

2.3 Replay Attacks

If an attacker captures a legitimate verification request, they can replay it to the server and gain access. Defenses include making each code usable only once, setting a short validity period (e.g., five minutes), and using a random nonce that is invalidated after use. The nonce can be signed with a secret key to prevent tampering.
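The following is an added example, not code from the original article: it ties together the flow from section 1 with the rate limiting of section 2.2 and the single-use, short-lived codes of section 2.3. Python dicts stand in for Redis, SMS delivery is stubbed (the code is returned to the caller so the flow can be exercised offline), rate limiting is keyed on the phone number only (the article also keys on device ID and IP), and the five-wrong-guess cap per code is an assumption the article does not state.

```python
import hmac
import secrets
import time

CODE_TTL = 300          # five-minute validity, as suggested in the article
MIN_INTERVAL = 60       # one request per minute per phone
DAILY_LIMIT = 10        # at most ten requests per day per phone
MAX_ATTEMPTS = 5        # assumed cap on wrong guesses per issued code

class SmsLogin:
    """Dicts replace the Redis keys; the injected clock makes expiry testable."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.codes = {}      # phone -> [code, issued_at, wrong_attempts]
        self.requests = {}   # phone -> timestamps of recent code requests

    def request_code(self, phone):
        now = self.clock()
        history = [t for t in self.requests.get(phone, []) if now - t < 86400]
        if history and now - history[-1] < MIN_INTERVAL:
            return None, "too_frequent"        # SMS-bombing guard
        if len(history) >= DAILY_LIMIT:
            return None, "daily_limit"
        code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, six digits
        self.codes[phone] = [code, now, 0]        # replaces any earlier code
        history.append(now)
        self.requests[phone] = history
        return code, "sent"   # a real service hands the code to the SMS provider

    def verify(self, phone, submitted):
        entry = self.codes.get(phone)
        if entry is None:
            return False, "no_code"
        code, issued_at, attempts = entry
        if self.clock() - issued_at > CODE_TTL:
            del self.codes[phone]
            return False, "expired"
        if attempts >= MAX_ATTEMPTS:
            del self.codes[phone]              # stop online guessing
            return False, "too_many_attempts"
        if not hmac.compare_digest(code, submitted):   # constant-time compare
            entry[2] += 1
            return False, "wrong_code"
        del self.codes[phone]    # single use: replaying the same code fails
        return True, "ok"
```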

In summary, while mobile SMS verification login offers convenience, it introduces risks such as code leakage, SMS bombing, and replay attacks. Platform operators should adopt the described countermeasures to safeguard user accounts.

Tags: Authentication, Information Security, risk mitigation, SMS Verification, login security
Written by

Lobster Programming

Sharing insights on technical analysis and exchange, making life better through technology.
