Protection against OTP abuse
The first factor of identification with any internet application happens through the sign-up functionality. Where the application needs to tie the user to a phone number, as e-commerce, food delivery, medicine delivery and event lookup apps do, sign-up is implemented with OTPs delivered by SMS. Since every user is expected to produce an OTP while signing up, the endpoint that generates and sends the OTP cannot be gated by an authentication token or any other security header: it has to be reachable by anyone. This leaves OTP generation and delivery of the OTP SMS open to an array of attacks:

1. Denial of service - once a flood of requests uses up the SMS threshold the SMS service provider allocates to the application for a given period, no further SMSes can be sent and legitimate users can no longer sign up.
2. Resource exhaustion - the same flood burns through the SMS spend allocated per unit time, since every request costs money to deliver whether or not a real user asked for it.
3. Unsolicited SMS - the attacker can direct OTPs at any number, annoying existing customers and even people who never registered.

Some of the countermeasures to stop the abuse:

1. Rate limiting - Bot
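The gate below is an added example, not code from the original post: it applies the rate limiting the post recommends to an unauthenticated OTP endpoint. It limits sends per phone number (so one victim cannot be bombarded), per source IP (so one client cannot burn the quota), and across the whole application (so the app stops itself before the provider threshold is reached, instead of letting the provider cut it off). The thresholds, the key names, the E.164 phone check and the in-memory store are assumptions for illustration; a deployment would back the counters with Redis or similar so the limits hold across application instances.

```python
import re
import time
from collections import defaultdict, deque

# Assumption: phone numbers arrive normalised to E.164, e.g. +14155550100.
# Rejecting anything else stops the endpoint from being used to spray SMS at
# malformed or premium-rate destinations.
E164 = re.compile(r"^\+[1-9]\d{7,14}$")


class SlidingWindow:
    """Count events per key inside a trailing time window of fixed length."""

    def __init__(self, limit, window_seconds, now):
        self.limit = limit
        self.window = window_seconds
        self.now = now                      # injectable clock, for testing
        self.events = defaultdict(deque)    # key -> timestamps of recent events

    def _prune(self, key):
        q = self.events[key]
        cutoff = self.now() - self.window
        while q and q[0] <= cutoff:         # drop timestamps that left the window
            q.popleft()
        return q

    def exceeded(self, key):
        return len(self._prune(key)) >= self.limit

    def record(self, key):
        self._prune(key).append(self.now())


class OtpGate:
    """Decide whether an OTP SMS may be sent for a sign-up request."""

    def __init__(self, now=time.monotonic,
                 per_phone=(3, 600),        # assumed: 3 OTPs per phone per 10 min
                 per_ip=(10, 600),          # assumed: 10 OTPs per source IP per 10 min
                 sms_budget=(1000, 3600)):  # assumed: 1000 SMS per hour app-wide
        self.phone = SlidingWindow(*per_phone, now)
        self.ip = SlidingWindow(*per_ip, now)
        self.budget = SlidingWindow(*sms_budget, now)

    def request_otp(self, phone, source_ip):
        """Return (allowed, reason). Only allowed requests consume quota,
        because only those actually cost an SMS."""
        if not E164.match(phone):
            return False, "invalid_phone"
        if self.phone.exceeded(phone):
            return False, "phone_rate_limited"
        if self.ip.exceeded(source_ip):
            return False, "ip_rate_limited"
        if self.budget.exceeded("global"):
            return False, "sms_budget_exhausted"
        for window, key in ((self.phone, phone), (self.ip, source_ip), (self.budget, "global")):
            window.record(key)
        return True, "sent"


class FakeClock:
    """Deterministic clock so the scenario below runs offline and repeatably."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


def demo():
    """Constructed scenario: one attacker IP hammering one victim number,
    with the app-wide budget deliberately set to 5 SMS per hour."""
    clock = FakeClock()
    gate = OtpGate(now=clock, per_phone=(3, 600), per_ip=(10, 600), sms_budget=(5, 3600))
    results = []
    for _ in range(4):                      # fourth request for the same phone is refused
        results.append(gate.request_otp("+14155550100", "198.51.100.7"))
    clock.t += 601                          # per-phone window elapses, retry is allowed
    results.append(gate.request_otp("+14155550100", "198.51.100.7"))
    results.append(gate.request_otp("+14155550101", "198.51.100.7"))  # 5th SMS this hour
    results.append(gate.request_otp("+14155550102", "198.51.100.7"))  # budget exhausted
    results.append(gate.request_otp("07700900123", "198.51.100.7"))   # not E.164
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", reason)
```

The checks are ordered cheapest and most specific first, and the app-wide budget is a hard stop rather than a queue: once the hourly allowance is gone, further sign-ups fail fast with a clear reason instead of silently piling up requests that the provider will reject anyway. Counting only successful sends keeps the counters honest about cost; if retry storms of already-denied requests become a problem, the per-IP window can be switched to count attempts instead.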