SMS with link to PII — secure token length


DrQuincy

A client wishes to send an SMS as well as an email to a lead gen system I have built. Users receive emails with a link containing a 128-bit secure token that, when clicked, shows some PII (Personally identifiable information, just to be clear). They click it and get another form with their name, address, phone and email. No banking data or anything, just contact details.

With the SMS we are much more limited with characters and don't want to send 128-bit tokens in hex as they are 32 characters long. And hex is inefficient when it comes to characters as it only uses 0–9, A–F.

We have a short domain. If I generated a 16 character string from characters 0–9, a–z, A–Z using random_int() (which is cryptographically secure) we could add links like this to the SMS:

short.com/x0O56AB1npLxmU3H

This would redirect to their form. I am being extra cautious as there is effectively no “user name”.

I wanted a second opinion on it. I could make them verify their phone number, acting as a user name, but I'm reluctant as phone numbers can be a bit ambiguous compared to email (spaces, +, parentheses), and not everyone will have entered an email (it is optional, and some of the older demographic omit this part). I can also make them expire after a time (30 days) and there will only ever be a few hundred valid tokens at any one time.

Given the above information, how long would you make the secure token?

Thanks.

1 hour ago, DrQuincy said:

16 character string from characters 0–9, a–z, A–Z

If I’m not mistaken that should be 47,672,401,706,823,533,450,263,330,816 combinations, so… seems sufficient? GUIDs are 128 bit tokens and they’re used for computer things, so for something like this that only needs to work on a human scale it shouldn’t be a problem to go a couple of billion times smaller. Especially if you rate limit against guessing.

I wouldn’t ask for the phone number since anyone who intercepted the SMS would know that anyway. Shipment tracking things usually ask for my post code before showing my address, maybe that’s worth considering?


Thanks. Yes, I think you're right on the number: 62^16. So when you put it like that it seems more than fine. The firewall should pick up on repeating attempts anyway. When it comes to stuff like this, I always self-doubt so like to get a second opinion. 🙂

As part of the process the phone number is the only field we will always have. I didn't mean it so much for intercepted SMSs, as they would have the token by then, no matter how secure. It was more as a way to only allow the brute forcing of one user at a time.

By the way, I'm sure you cited GUIDs because of their length, but you should never use them for secure tokens. They're generated for uniqueness, not unpredictability.
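The scheme discussed in this thread (a 16-character base62 token drawn with random_int(), the 62^16 keyspace, a 30-day expiry and a few hundred live tokens) written out as an added PHP example; this is not DrQuincy's code or the lead gen system's code, and the function names, the hashed-storage layout and the 300-token figure are assumptions:

```php
<?php
// Added example, not from the thread: base62 link tokens as described above.
declare(strict_types=1);

const TOKEN_ALPHABET = '0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';
const TOKEN_TTL_SECONDS = 30 * 24 * 3600; // 30-day expiry, as in the thread

/** One symbol per random_int() call: the CSPRNG draw is uniform over [0, 61],
 *  so there is no modulo bias from mapping bytes onto a 62-symbol alphabet. */
function generateToken(int $length = 16): string
{
    $max = strlen(TOKEN_ALPHABET) - 1;
    $token = '';
    for ($i = 0; $i < $length; $i++) {
        $token .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $token;
}

/** Entropy of the token in bits: 16 * log2(62) is about 95.3 bits, versus
 *  128 bits for the 32-character hex token the poster wants to shorten. */
function tokenEntropyBits(int $length, int $alphabetSize = 62): float
{
    return $length * log($alphabetSize, 2);
}

/** Chance that one blind guess hits any of the currently valid tokens. With
 *  300 live tokens and a 62^16 keyspace this is roughly 6e-27 per attempt. */
function guessSuccessProbability(int $validTokens, int $length = 16): float
{
    return $validTokens / pow(62, $length);
}

/** Store only a hash of the token so a leaked table does not hand out live
 *  links; plain SHA-256 is fine because the input is high-entropy, not a password. */
function tokenHash(string $token): string
{
    return hash('sha256', $token);
}

/** Redeem a presented token: look it up by hash and enforce the expiry. */
function redeemToken(array $store, string $presented, int $now): ?array
{
    $row = $store[tokenHash($presented)] ?? null;
    return ($row !== null && $row['expires'] > $now) ? $row : null;
}

$token = generateToken();
$store = [tokenHash($token) => ['lead_id' => 42, 'expires' => time() + TOKEN_TTL_SECONDS]];
printf("short.com/%s  %.1f bits  p(guess)=%.1e\n", $token,
    tokenEntropyBits(16), guessSuccessProbability(300));
var_dump(redeemToken($store, $token, time()) !== null); // bool(true)
```

Rate limiting at the firewall, as mentioned in the thread, caps the number of attempts and so keeps the per-guess probability above from being multiplied up.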
