I use Keycloak as an authentication server, and add an SPI plugin to enable “login by SMS” (for example, this one: Two-Factor Authentication with SMS in Keycloak | Niko Köbler – Keycloak Expert, Software-Architect & Trainer). However, that tutorial only says how a user using a browser can talk with Keycloak; but in my case, I have a mobile app and users need to log in using that (instead of a webpage).
Therefore, I wonder what I should do. Thanks for any suggestions!
You should define what “login by SMS” means for you. The linked example is not a login by SMS. It’s only a second auth factor. There is still a “classic” username/password involved.
BTW, how do you want to mitigate a SIM swap attack, when you want to have login by SMS?
@jangaraj Thank you very much for your reply!
My need: the user should (1) input a phone number, (2) click “send sms”, (3) input the SMS verification code they receive, (4) click “login”. Then they should be logged in successfully.
I can ignore the SIM swap attack (I know it is not that safe :/), but if you can mitigate it I would appreciate it!
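The four steps above, as they would look inside a Keycloak Authenticator that replaces the username/password step (passwordless) instead of adding a second factor like the linked tutorial does. This is an added example, not code from this thread or from that tutorial; it assumes a `phoneNumber` user attribute, two templates (`login-phone.ftl` for the number, `login-sms.ftl` for the code), an `SmsSender` wrapper around your gateway, a Keycloak version with the stream-based user lookup, and that the mobile app reaches this flow through the system browser with the standard authorization-code flow, so the server side needs nothing app-specific.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import org.keycloak.authentication.AuthenticationFlowContext;
import org.keycloak.authentication.AuthenticationFlowError;
import org.keycloak.authentication.Authenticator;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.RealmModel;
import org.keycloak.models.UserModel;
// Hypothetical passwordless SMS authenticator (the AuthenticatorFactory and the .ftl templates are not shown).
public class SmsLoginAuthenticator implements Authenticator {
    private static final int CODE_TTL_SECONDS = 300;
    private static final int MAX_ATTEMPTS = 3;
    private static final SecureRandom RNG = new SecureRandom(); // CSPRNG, never java.util.Random
    private final SmsSender sms; // assumed: interface SmsSender { void send(String to, String text); }
    public SmsLoginAuthenticator(SmsSender sms) { this.sms = sms; }
    @Override public void authenticate(AuthenticationFlowContext ctx) { // step (1): ask for the phone number
        ctx.challenge(ctx.form().createForm("login-phone.ftl"));
    }
    @Override public void action(AuthenticationFlowContext ctx) { // steps (2)-(4): first POST = phone, second = code
        var form = ctx.getHttpRequest().getDecodedFormParameters();
        var s = ctx.getAuthenticationSession(); // server-side auth notes, never sent to the client
        if (s.getAuthNote("sms.code") == null) {
            String phone = form.getFirst("phone");
            UserModel user = ctx.getSession().users()
                    .searchForUserByUserAttributeStream(ctx.getRealm(), "phoneNumber", phone).findFirst().orElse(null);
            if (user == null) { ctx.failureChallenge(AuthenticationFlowError.INVALID_USER, ctx.form().setError("smsUnknownPhone").createForm("login-phone.ftl")); return; }
            String code = String.format("%06d", RNG.nextInt(1_000_000));
            s.setAuthNote("sms.code", code);
            s.setAuthNote("sms.exp", String.valueOf(System.currentTimeMillis() / 1000 + CODE_TTL_SECONDS));
            s.setAuthNote("sms.tries", "0");
            ctx.setUser(user);
            sms.send(phone, "Your login code is " + code);
            ctx.challenge(ctx.form().createForm("login-sms.ftl"));
            return;
        }
        int tries = Integer.parseInt(s.getAuthNote("sms.tries")) + 1; s.setAuthNote("sms.tries", String.valueOf(tries));
        boolean expired = System.currentTimeMillis() / 1000 > Long.parseLong(s.getAuthNote("sms.exp"));
        boolean match = MessageDigest.isEqual(s.getAuthNote("sms.code").getBytes(), String.valueOf(form.getFirst("code")).trim().getBytes()); // constant-time
        if (match && !expired && tries <= MAX_ATTEMPTS) { ctx.success(); return; }
        if (expired || tries >= MAX_ATTEMPTS) { // burn the code; a new number/code round is required
            s.removeAuthNote("sms.code");
            ctx.failureChallenge(AuthenticationFlowError.EXPIRED_CODE, ctx.form().setError("smsCodeExpired").createForm("login-phone.ftl"));
            return;
        }
        ctx.failureChallenge(AuthenticationFlowError.INVALID_CREDENTIALS, ctx.form().setError("smsCodeInvalid").createForm("login-sms.ftl"));
    }
    @Override public boolean requiresUser() { return false; } // the user is resolved from the phone number above
    @Override public boolean configuredFor(KeycloakSession k, RealmModel r, UserModel u) { return true; }
    @Override public void setRequiredActions(KeycloakSession k, RealmModel r, UserModel u) { }
    @Override public void close() { }
}
```

The short TTL, the attempt cap and the constant-time compare limit guessing of the 6-digit code; they do nothing against a SIM swap, which only a second factor bound to the device (or a non-SMS channel) addresses.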