Phishing-Resistant Phone Number Attestation for MFA
draft-brown-spice-phishing-resist-attestation-00
| Document | Type |
Expired Internet-Draft
(individual)
Expired & archived
|
|
|---|---|---|---|
| Author | Derek Brown | ||
| Last updated | 2026-05-07 (Latest revision 2025-11-03) | ||
| RFC stream | (None) | ||
| Intended RFC status | (None) | ||
| Formats | |||
| Stream | Stream state | (No stream defined) | |
| Consensus boilerplate | Unknown | ||
| RFC Editor Note | (None) | ||
| IESG | IESG state | Expired | |
| Telechat date | (None) | ||
| Responsible AD | (None) | ||
| Send notices to | (None) |
This Internet-Draft is no longer active. A copy of the expired Internet-Draft is available in these formats:
Abstract
This draft introduces a phishing-resistant phone number attestation mechanism for multi-factor authentication (MFA). Conceptually similar to WebAuthn, it uses origin-bound cryptographic challenges to ensure that users only attest ownership of their phone numbers to legitimate relying parties. The protocol leverages network-operator- issued verifiable credentials (VCs) that cryptographically bind phone number ownership to a user's device. Applications present origin- scoped challenges that users sign using their VC, ensuring secure, domain-specific authentication and mitigating replay, relay, and phishing attacks- without relying on SMS-based one-time passwords (OTPs).
Authors
(Note: The e-mail addresses provided for the authors of this Internet-Draft may no longer be valid.)