User controlled phone numbers, I don't get it. #165

Open
lurendrejer opened this issue Nov 30, 2024 · 4 comments
Labels
component/sms SMS authenticator component question Further information is requested

Comments

lurendrejer commented Nov 30, 2024

Hi.

I'm looking into this plugin for 2fa OTP (obviously)
We have implemented security to avoid users having the ability to change their mobile-number in Active Directory (LDAP). This is done by moving the number to a LDAP-property that MSExchange cannot write to.

A user's mobile number can be changed via Microsoft Exchange by the user, which is a complete blunder in my eyes (Exchange doesn't support 2FA) - so, an attacker could change the number via Exchange Webmail (via username+password) and after that have SMS-based OTP access.

I would really love to understand how user-managed mobile numbers (which I think, from reading here, is what this addon uses) can be secure. The second factor would be that we know that the number is the right one.

I'm not bashing, I'm just trying to understand why this implementation is considered secure (I must be missing something).

svenseeberg (Member) commented Nov 30, 2024

In this plugin the 2nd factor phone number is managed like a credential. It can only be changed after logging in to Keycloak. It should therefore have the same security as a TOTP shared secret. However, the transport of SMS is obviously less secure.

If you synchronize the phone number via LDAP and the attribute is writable somewhere else without entering a second factor, then this is obviously a loophole in the implementation. But I'm not sure if there is a native Keycloak way to synchronize a phone number attribute into a credential.

svenseeberg added the labels question (Further information is requested) and component/sms (SMS authenticator component) on Nov 30, 2024

lurendrejer (Author) commented

I do understand the implementation from a service provider's perspective, where the user is responsible for their own security.
The first sign-up is critical in my view - when instructing 100+ users to sign up, I can see some kind of security race condition, where an attacker could sign up first.
Some users might never sign up and leave the door open.
Maybe only allowing sign-up from certain source IPs could mitigate this, but not for certain.

This extension (https://github.com/dasniko/keycloak-2fa-sms-authenticator) uses the mobile-number attribute for the SMS OTP. I guess I'll keep looking for something that can use a custom read-only attribute.

svenseeberg (Member) commented

> The first sign-up is critical in my view - when instructing 100+ users to sign up, I can see some kind of security race condition, where an attacker could sign up first.

IMHO this depends on your threat model and the way you create accounts. If you have registration enabled in your Keycloak server, you can use the enforce-mfa plugin to force users to immediately set up a second factor.

If you have the phone number available before the first sign-in, then enforcing MFA with the phone number is obviously an advantage. But that is not possible in all cases.
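The two designs contrasted in this thread, as a small Python policy model: a phone number stored in a directory attribute that a password-only application (the webmail case above) can also write, versus a phone number stored as an IdP-managed credential that only changes inside an authenticated session and, once enrolled, only after the existing factor has been presented. It also shows the first-sign-up window that enforcing MFA at first login still leaves open when no number is pre-provisioned, and how pre-provisioning closes it. This is an added illustration, not code from keycloak-2fa-sms-authenticator, enforce-mfa or Keycloak; the class and method names, the user "alice" and the phone numbers are invented sample data.

```python
"""Toy model of phone-number-as-attribute vs phone-number-as-credential.

Added illustration only; none of these names come from Keycloak or the
plugins discussed in the thread.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Session:
    """An authenticated session in some application (hypothetical)."""
    user: str
    password_ok: bool
    second_factor_ok: bool = False  # True only after an OTP challenge passed in this session


class AttributeStore:
    """Number kept in a directory attribute (think LDAP 'mobile') that a password-only
    application may write. The SMS authenticator reads the same attribute."""

    def __init__(self) -> None:
        self._mobile: Dict[str, str] = {}

    def admin_set(self, user: str, number: str) -> None:
        self._mobile[user] = number

    def set_via_password_only_app(self, session: Session, number: str) -> None:
        # Only a password login is ever demanded on this path; no second factor.
        if not session.password_ok:
            raise PermissionError("login required")
        self._mobile[session.user] = number

    def sms_target(self, user: str) -> Optional[str]:
        return self._mobile.get(user)


class CredentialStore:
    """Number kept as a second-factor credential: changeable only in an authenticated
    IdP session and, once enrolled, only after that factor was presented. An admin may
    pre-provision it before the user's first login."""

    def __init__(self) -> None:
        self._phone_cred: Dict[str, str] = {}

    def admin_preprovision(self, user: str, number: str) -> None:
        self._phone_cred[user] = number

    def set_by_user(self, session: Session, number: str) -> None:
        if not session.password_ok:
            raise PermissionError("login required")
        # First enrolment needs only the password (the 'first sign-up' window);
        # any later change needs the already-enrolled factor.
        if session.user in self._phone_cred and not session.second_factor_ok:
            raise PermissionError("second factor required to change an enrolled credential")
        self._phone_cred[session.user] = number

    def sms_target(self, user: str) -> Optional[str]:
        return self._phone_cred.get(user)


VICTIM = "alice"                 # constructed sample user
REAL_NUMBER = "+4500000001"      # constructed sample data
ATTACKER_NUMBER = "+4500000002"  # constructed sample data


def attacker_takeover_via_attribute() -> Optional[str]:
    """Attacker with alice's password rewrites the attribute through the
    password-only app; the next SMS OTP is sent to the attacker."""
    store = AttributeStore()
    store.admin_set(VICTIM, REAL_NUMBER)
    attacker = Session(VICTIM, password_ok=True)  # no OTP ever demanded here
    store.set_via_password_only_app(attacker, ATTACKER_NUMBER)
    return store.sms_target(VICTIM)


def attacker_takeover_via_credential(preprovisioned: bool) -> Optional[str]:
    """Same attacker against the credential design. Pre-provisioned number: the
    change is refused. Enrolment left to the user: the attacker can enrol first."""
    store = CredentialStore()
    if preprovisioned:
        store.admin_preprovision(VICTIM, REAL_NUMBER)
    attacker = Session(VICTIM, password_ok=True)
    try:
        store.set_by_user(attacker, ATTACKER_NUMBER)
    except PermissionError:
        pass  # refused: the enrolled factor was not presented
    return store.sms_target(VICTIM)


def legitimate_change_via_credential() -> Optional[str]:
    """The real owner changes her number after presenting the existing factor."""
    store = CredentialStore()
    store.admin_preprovision(VICTIM, REAL_NUMBER)
    alice = Session(VICTIM, password_ok=True, second_factor_ok=True)
    store.set_by_user(alice, "+4500000003")
    return store.sms_target(VICTIM)


if __name__ == "__main__":
    print("attribute store, attacker with password:", attacker_takeover_via_attribute())
    print("credential store, pre-provisioned:", attacker_takeover_via_credential(True))
    print("credential store, user self-enrols:", attacker_takeover_via_credential(False))
    print("credential store, owner with 2nd factor:", legitimate_change_via_credential())
```

The model makes the two points of the thread concrete: with the attribute design the SMS target is only as protected as the weakest application allowed to write the attribute, while with the credential design the only remaining window is the unenrolled state, which pre-provisioning the number (or otherwise completing enrolment before the password is useful to anyone else) removes.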

lurendrejer (Author) commented Dec 1, 2024

Oh, I must have missed something in the docs.

I didn't think the extension could use predefined numbers.

Thank you.
