Limit phone number re-use for verification #12883

Closed
jldec opened this issue Sep 12, 2022 · 4 comments · Fixed by #13186
@jldec
Contributor

jldec commented Sep 12, 2022

Followup to #12258

Phone number verification would probably be more effective if it did not allow re-use of phone numbers across accounts. There appear to be services which provide low-friction re-usable phone numbers for circumventing verification.

@jldec jldec added team: webapp Issue belongs to the WebApp team aspect: abuse labels Sep 12, 2022
@geropl geropl moved this to Scheduled in 🍎 WebApp Team Sep 19, 2022
@svenefftinge
Member

Have we checked our data to see if this would help?

@svenefftinge
Member

We could blacklist any phone numbers that have been used by blocked accounts.

@atduarte
Contributor

There are a couple of things we could, and I believe we should, do:

  1. Add a "Blocked phone numbers" tab to /admin, like we have for repositories, allowing numbers to be added, modified and deleted manually.
  2. Look for phone numbers used too many times and block all associated accounts.
  3. Automatically block a phone number when the user is blocked. And unblock when the user is unblocked.
  4. Stop deleting the phone number when the user deletes the account, guaranteeing we never use it for anything other than abuse mitigation purposes.
  5. Do not allow more than 3 verifications with the same phone number. More than that should require contacting support.
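
As an added example (not the project's code, and not from any commenter), a small TypeScript policy object implementing items 1, 3 and 5 of this list, with item 2 as a reporting query; all names are hypothetical. It counts distinct accounts per number, so re-verifying an account that already used the number does not count against the limit.

```typescript
// Added example (not the project's code): in-memory policy for the phone-
// verification limits proposed above. All names are hypothetical.
type Denial = "blocked_number" | "reuse_limit" | null;
const MAX_ACCOUNTS_PER_NUMBER = 3; // item 5: at most 3 accounts per number

class PhoneVerificationPolicy {
  // Normalized number -> user IDs that verified with it. Kept after account
  // deletion (item 4); a real store should hold a keyed hash, not raw PII.
  private verifiedBy = new Map<string, Set<string>>();
  // Admin-managed blocklist (item 1) plus numbers auto-blocked via users (item 3).
  private blocked = new Set<string>();

  // Canonicalize so "+1 (555) 010-0000" and "15550100000" share one key.
  static normalize(phone: string): string {
    return phone.replace(/\D/g, "");
  }

  // Item 1: manual admin block.
  blockNumber(phone: string): void { this.blocked.add(PhoneVerificationPolicy.normalize(phone)); }

  // Decide before sending a code: null means allowed, otherwise the reason.
  check(phone: string, userId: string): Denial {
    const key = PhoneVerificationPolicy.normalize(phone);
    if (this.blocked.has(key)) return "blocked_number";
    const users = this.verifiedBy.get(key) ?? new Set<string>();
    // Re-verifying an account that already used this number does not count.
    if (!users.has(userId) && users.size >= MAX_ACCOUNTS_PER_NUMBER) return "reuse_limit";
    return null;
  }

  // Record a successful verification.
  recordVerified(phone: string, userId: string): void {
    const key = PhoneVerificationPolicy.normalize(phone);
    const users = this.verifiedBy.get(key) ?? new Set<string>();
    this.verifiedBy.set(key, users.add(userId));
  }

  // Item 3: block every number the user verified with; clear them when reinstated.
  onUserBlocked(userId: string): void { for (const k of this.numbersOf(userId)) this.blocked.add(k); }
  onUserUnblocked(userId: string): void { for (const k of this.numbersOf(userId)) this.blocked.delete(k); }

  // Item 2: numbers already shared by more accounts than the limit (e.g. legacy data).
  overused(): string[] {
    return [...this.verifiedBy].filter(([, u]) => u.size > MAX_ACCOUNTS_PER_NUMBER).map(([k]) => k);
  }

  private numbersOf(userId: string): string[] {
    return [...this.verifiedBy].filter(([, u]) => u.has(userId)).map(([k]) => k);
  }
}
```

Note that this toy version keeps one blocklist, so unblocking a user also clears an admin block on a number that user shared; a production store would record who or what placed each block.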

@mbrevoort
Contributor

> Do not allow more than 3 verifications with the same phone number. More than that should require contacting support.
This seems pretty reasonable and would catch a lot of cases automatically while avoiding some legitimate phone number reuse scenarios.

@svenefftinge svenefftinge self-assigned this Sep 21, 2022
Repository owner moved this from Scheduled to Done in 🍎 WebApp Team Sep 23, 2022
Status: Done