Email 2 step authentication (2fa) implementation - looking for feedback

Hello,

I am embarking on a quest to build a two step email authentication for my web app (there are good reasons not to use Google Authenticator).

I’m nearly there but I’d like to humbly ask the community for feedback on how to improve. I am not saying this is the right way, but it’s how I’ve gotten it to work. So if you have any ideas on how to improve/make more secure, I’m all ears!

The idea is that a user inputs their credentials here:

Then, they get an email with an auth code to input here:

A few notes:

On the login page the logic is as follows:

  1. Query to get login attempts for posted email
  2. Then, increment this number by 1
  3. If the count is less than 10, proceed to the first security provider and attempt to log in
  4. After login, set the 2fa token value, expiration date/time and update the DB
  5. Query the DB to get the user’s first name and send user an email with 2fa auth code

If login attempts > 10, send a 403 to the front end with a pretty error message and eventually email the user to let them know what happened to their account.

On the ‘enter auth code page’ the logic is as follows:

  1. To access this page, the user should have successfully logged into the prior page
  2. Query the user for posted email to get the 2fa expiration time and token value
  3. Update the number of login attempts
  4. If date/time is less than 15 minutes AND login count < 10, go to THEN condition
  5. Try to log the user in with the posted auth token
  6. Then reset the expiration time, token and login attempts

If the login count > 10, respond with a 403 status.

I’d love to get feedback and suggestions on how to improve.
