
Wire SMS activation code does not change. #679

Open
paride opened this issue Sep 29, 2016 · 10 comments

Comments

@paride

paride commented Sep 29, 2016

If I register with Wire, delete my account, and then register again, the activation code I receive via SMS is always the same. It is expected to be random, for obvious security reasons.

@someoneEsle

Just so you know, they're aware of it: https://twitter.com/gillo/status/709313322672398336

@paride
Author

paride commented Sep 29, 2016

Thanks @someoneEsle. For the record, they say

Hi, a new code is generated if it fails 5 times, or if sent to a new phone number.

but I don't see the reason for this, and it seems a bad idea to me. It's easy to peek into one's past SMS messages, read the activation code and re-register with the same phone number on another device. Moreover, phone companies can (and do) log SMS messages, so an easy way to hijack a Wire account is available to whoever has access to those logs.

@someoneEsle

True, I'm pretty sure they're aware of the implications and it's a matter of time before they fix it. By the way, you get an email and a notification every time someone registers a new device, but your point still makes sense.

@ImAnnoying2

Is this issue still relevant?

@marcoconti83
Member

Hi everyone,
thanks for contributing to the conversation. The SMS code is not generated by the Android application but by the wire server application. Moving this issue there.

@marcoconti83 marcoconti83 transferred this issue from another repository Mar 26, 2019
@fisx
Contributor

fisx commented Mar 26, 2019

Heyo, this is working as intended (which of course doesn't mean that it's correct :-).

Off the top of my head (I only remember we discussed this internally, but I'm hazy about the details): the code is only re-used if you use the same email / phone number within the lifetime of the old code. If you got a different code each time you asked, the following could happen: user requests code, waits for email, requests code again, first email arrives, user uses first code, but second code is expected.

I guess you could fix that by accepting both codes for a while. But why? Since you are saying it's obvious: what is the attack scenario here?

@m15k

m15k commented Mar 27, 2019

Sounds to me like it is a fairly good trade-off between security and accessibility. I've wrestled with SMS tokens and have come to a similar conclusion based on the population of users. Wire users could be more sophisticated, necessitating moving the slider more towards security.

@jschaul
Member

jschaul commented Mar 27, 2019

Current TTL on codes is 24 hours. So this only happens if you register, delete, and register again, all within 24 hours.

Deleting your account and re-registering using the same phone number will still create a fresh account. Any previous devices, connections and conversations you had are no longer available on that new account.

There is actually one very slight improvement we could make here (helping to avoid confusion leading to issues like this one): actively remove the codes on user deletion. Currently, we don't actively remove the code but wait for the TTL to expire (which takes 24h from the time of the first initial registration - so this is an edge case for users who very shortly delete their accounts after having created them).

@kirillt

kirillt commented Aug 21, 2020

@fisx isn't it possible that, for instance, Alice registers, receives the code C, Bob peeks at the code (either on Alice's device or by being employed at Alice's TSP) and sends a "forgot password" request using C within these 24 hours?

Indeed, re-using the codes improves user experience a little bit, but only for certain scenarios of impatient users. I think these days most people are used to verification emails and realize that only the last one usually works. Also, the possibility of confusing codes could be eliminated by attaching labels to the code: when a user requests a verification code, we display label L and send (C, L) to the user. If the user requests verification again, we display label L' and send (C', L'). Now the user can't confuse them and pass the code C, because labels L and L' don't match. This is how it is implemented in several banking apps I have used.
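
The three design points raised across the thread (fisx's "accept both codes for a while" as an alternative to re-using one code, jschaul's suggestion to drop outstanding codes on account deletion, and kirillt's labelled-code scheme) fit together in one small store. The following is an added illustration written for this page, not Wire's server code: `ActivationCodeStore`, `PendingCode`, the 6-digit code length and the 4-hex-character label format are all assumptions made here. Every request mints a fresh random code, every unexpired code for the same number stays valid until one of them is used (so the two-emails-in-flight race cannot lock the user out), a successful check consumes all of them (so a code read from old SMS logs cannot be replayed later), and five failures or an account deletion wipe them.

```python
"""Hypothetical activation-code store (illustration, not Wire's code)."""
from __future__ import annotations

import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 24 * 60 * 60  # the 24h TTL quoted in the thread
MAX_FAILED_ATTEMPTS = 5          # "a new code is generated if it fails 5 times"
CODE_DIGITS = 6                  # assumed SMS code length
LABEL_BYTES = 2                  # assumed: 4 hex chars displayed next to the code


@dataclass
class PendingCode:
    code: str
    label: str
    expires_at: float


class ActivationCodeStore:
    """Outstanding codes per phone number / email (the 'number' key)."""

    def __init__(self, ttl: float = CODE_TTL_SECONDS) -> None:
        self.ttl = ttl
        self._pending: dict[str, list[PendingCode]] = {}
        self._failures: dict[str, int] = {}

    def _live(self, number: str, now: float) -> list[PendingCode]:
        """Drop expired codes for this number and return the survivors."""
        live = [p for p in self._pending.get(number, []) if p.expires_at > now]
        if live:
            self._pending[number] = live
        else:
            self._pending.pop(number, None)
        return live

    def request(self, number: str, now: float | None = None) -> tuple[str, str]:
        """Mint a fresh (code, label). The label is shown on screen and sent
        together with the code, so the user can see which SMS matches which
        request; earlier unexpired codes for the number remain valid."""
        now = time.time() if now is None else now
        live = self._live(number, now)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        used_labels = {p.label for p in live}
        label = secrets.token_hex(LABEL_BYTES).upper()
        while label in used_labels:  # labels must be distinct within one number
            label = secrets.token_hex(LABEL_BYTES).upper()
        live.append(PendingCode(code, label, now + self.ttl))
        self._pending[number] = live
        return code, label

    def verify(self, number: str, code: str, label: str,
               now: float | None = None) -> bool:
        """True iff (code, label) is an unexpired pair for this number.
        Success consumes every outstanding code for the number (single use);
        MAX_FAILED_ATTEMPTS failures also wipe them, forcing a new request."""
        now = time.time() if now is None else now
        matched = False
        for p in self._live(number, now):
            # '&' rather than 'and': compare every candidate, no early exit
            matched |= (hmac.compare_digest(p.code.encode(), code.encode())
                        & hmac.compare_digest(p.label.encode(), label.encode()))
        if matched:
            self.invalidate(number)
            return True
        self._failures[number] = self._failures.get(number, 0) + 1
        if self._failures[number] >= MAX_FAILED_ATTEMPTS:
            self.invalidate(number)
        return False

    def invalidate(self, number: str) -> None:
        self._pending.pop(number, None)
        self._failures.pop(number, None)

    def on_account_deleted(self, number: str) -> None:
        """jschaul's suggested improvement: don't wait for the TTL."""
        self.invalidate(number)


if __name__ == "__main__":
    # The race fisx describes: two requests in flight, first SMS arrives first.
    store = ActivationCodeStore()
    number = "+15550100"  # constructed sample number
    c1, l1 = store.request(number, now=0)
    c2, l2 = store.request(number, now=5)
    print("first request still accepted:", store.verify(number, c1, l1, now=10))
    print("replay of the same code:", store.verify(number, c1, l1, now=11))
```

Note that the per-number failure counter is the only brute-force defence here; a real deployment would also rate-limit `request` per number and per source address, since otherwise an attacker can keep minting codes.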

@julialongtin
Contributor

@kirillt , my apologies for the delayed nature of our response. As SMS security has continued to be an issue in general across the industry, Wire has decided to no longer use SMS codes for login, or to allow the use of phone numbers for login. This has been removed in many of our clients already.

Unless you have any further questions, we will close this issue.

Thank you for using Wire!
