0

I'm creating a mobile app that will have a verification process for the phone number, like most apps do when they use your phone number.

I'm also developing the back-end, but I don't know exactly what the safest way is to generate a 4-6 digit code and send it by SMS to verify that account.

How should I implement the generation of the code? And also, how to validate if it's a valid code for that phone?

Should I generate a random code and store it in the database? How do I ensure the code is unique for each phone? Is it necessary to handle the case when I have more than 999999 (6-digit number max) users requesting the code, even when it's certain that it won't happen?

1
  • It shouldn't be unique. It should just be random - unpredictable Commented Mar 19, 2021 at 14:52

3 Answers

1

The code just needs to be random, and it needs to be associated with and only with the one particular session that is attempting to log in. That way it doesn't actually matter if you know user123's MFA token unless you also have the particular session key user123 requested the MFA token under.

The code should be stored with an expiration date-time alongside the session, regardless of whether that session is a "traditional" long-lived session or a "login session" that only lives long enough to produce an auth token (like a JWT). Just don't store it or any derivation of it on the client, as that would defeat the purpose. :D

1
  • +1 This is the only answer so far that addresses the question — and it is a good answer. Commented Mar 19, 2021 at 16:27
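A worked version of what the first answer describes, added here as an example rather than code from that answer or the asker's project. It assumes a Python back-end; the in-memory dict `_pending` stands in for the database table, and `SERVER_SECRET` is a constructed placeholder for a key that lives only on the server. The code is generated with the OS CSPRNG, bound to one login session, stored only as a keyed hash with an expiry, limited to a few attempts, and consumed on first successful use.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

CODE_DIGITS = 6
CODE_TTL_SECONDS = 300     # 5 minutes is plenty for SMS delivery
MAX_ATTEMPTS = 5           # bounds online guessing of a 6-digit code

# Constructed placeholder: in a real deployment load this from a secrets store,
# never from the same database that holds the pending codes.
SERVER_SECRET = b"replace-me-with-a-real-server-side-key"

# Stand-in for the "pending verification" table, keyed by login-session id.
_pending: dict = {}


def _keyed_hash(session_id: str, code: str) -> str:
    # HMAC over (session, code): the stored value is useless without SERVER_SECRET
    # and cannot be replayed under a different session id.
    msg = f"{session_id}:{code}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_code(session_id: str, now: Optional[float] = None) -> str:
    """Generate an unpredictable code bound to this session; return plaintext for SMS only."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"  # CSPRNG, zero-padded
    _pending[session_id] = {
        "hash": _keyed_hash(session_id, code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(session_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for the right code in the right session before expiry."""
    now = time.time() if now is None else now
    entry = _pending.get(session_id)
    if entry is None or now > entry["expires"]:
        _pending.pop(session_id, None)          # expired entries are discarded
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        _pending.pop(session_id, None)          # lock out after too many guesses
        return False
    ok = hmac.compare_digest(entry["hash"], _keyed_hash(session_id, submitted))
    if ok:
        _pending.pop(session_id, None)          # single use
    return ok
```

Uniqueness across phones is not needed: two sessions may legitimately receive the same digits, because a code is only ever checked against its own session.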
0

You may implement all that yourself, but you will have to send the SMS itself in some way. I assume you want to send the code SMS from the backend to be secure, so you'll need an SMS sending provider.

Some SMS sending services already provide phone validation services too, including tracking codes and formatting your SMS in a way that's compatible with different providers. This includes inserting the app hash and things like that.

For example https://www.twilio.com/verify (I tested this, not used in production yet).

0

I would also remind you that if you send that code to my copper-line house phone you won't get an SMS response. (Well, it's optical-based now, but it still does not support SMS.)
