Related: Implementation flow of MFA with TOTP
I'm trying to implement 2FA with TOTP in my web application.
The implementation I've looked at (the ASP.NET Core implementation of 2FA) does something like this:
- Check if username and password are correct
- Generate a cookie that contains the userid of the user that just logged in
- Redirect the user to a page in which he can insert the TOTP code
- The TOTP code is sent to the server, along with the cookie generated at step 2.
- If the userid contained in the cookie is correct (there's an actual user with that userid) and the TOTP is valid, the user is authenticated.
For reasons I can't get into, I cannot implement something like that.
Would an implementation consisting of these steps defeat the purpose of 2FA?
- Ask the user for username, password and TOTP code
- If credentials and TOTP are correct, authenticate the user