I am trying to implement an application that includes registration.
In order to register with the system, the user shall enter, let's say, his organization ID number. To verify the user's identity, a verification code will be sent to the phone number stored in the database that matches the entered ID number.
I was wondering what the best way would be to implement this verification mechanism in a secure manner. What algorithm should I use to generate the verification code? This CheckDigitSystem suggested some algorithms, but I am more concerned about the timing, in order to prevent replay attacks.
Is it practical to append or use the timestamp to generate the verification code? What should the TTL be for the verification code to expire?
I am also concerned about the user experience. If I don't want to make the verification code too long, would I need to implement expiration after a number of attempts? Or is it better to use long verification codes?
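The following is an added example and is not part of the question above. It shows one server-side design for the flow the asker describes: a short numeric code generated with a CSPRNG (not a check-digit scheme), stored only as an HMAC bound to the organization ID, with a stored expiry time instead of a timestamp embedded in the code, a fixed attempt budget, and single use so a captured code cannot be replayed. The `VerificationService` class, the in-memory dict standing in for the database, the `SERVER_KEY` value and the constants are all assumptions chosen for illustration; the injectable clock exists only so the expiry path can be exercised without waiting.

```python
"""Added example (not from the question): one-time verification codes with
TTL, attempt limit and single use.

Assumptions for illustration: the code is a uniformly random numeric string
from the `secrets` module, only an HMAC of it is stored, and a dict stands in
for the database row keyed by organization ID."""

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_LENGTH = 6      # digits the user has to type
TTL_SECONDS = 300    # code is dead five minutes after issue
MAX_ATTEMPTS = 5     # wrong guesses allowed before the code is invalidated

# Server-side HMAC key; constructed for the example, not a real secret.
SERVER_KEY = b"example-only-server-key-rotate-in-production"


@dataclass
class PendingCode:
    code_hmac: bytes      # HMAC(org_id:code), never the code itself
    expires_at: float     # absolute time, so the code need not carry a timestamp
    attempts_left: int


class VerificationService:
    """Hypothetical service wrapping issue/verify for the registration flow."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable for testing expiry offline
        self._pending: dict[str, PendingCode] = {}

    @staticmethod
    def _hmac(org_id: str, code: str) -> bytes:
        # Binding the code to the org ID means a code issued for one
        # account cannot be replayed against another account.
        msg = f"{org_id}:{code}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()

    def issue(self, org_id: str) -> str:
        """Generate a fresh code, store its HMAC and expiry, return the code to send by SMS."""
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LENGTH))
        # Issuing again overwrites any earlier pending code for this org.
        self._pending[org_id] = PendingCode(
            code_hmac=self._hmac(org_id, code),
            expires_at=self._clock() + TTL_SECONDS,
            attempts_left=MAX_ATTEMPTS,
        )
        return code

    def verify(self, org_id: str, submitted: str) -> bool:
        """Return True once for the correct, unexpired code; consume it on success or exhaustion."""
        entry = self._pending.get(org_id)
        if entry is None:
            return False
        if self._clock() > entry.expires_at:
            del self._pending[org_id]
            return False
        entry.attempts_left -= 1
        # Constant-time comparison of the HMACs, not of the codes.
        ok = hmac.compare_digest(entry.code_hmac, self._hmac(org_id, submitted))
        if ok or entry.attempts_left <= 0:
            # Single use: a verified code is gone, and so is one that ran out of attempts.
            del self._pending[org_id]
        return ok


def guess_probability(code_length: int = CODE_LENGTH, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance of guessing a uniformly random numeric code within the attempt budget.

    This is the number behind the short-code/attempt-limit trade-off:
    6 digits with 5 attempts gives 5 in a million per issued code."""
    return attempts / 10 ** code_length


if __name__ == "__main__":
    svc = VerificationService()
    code = svc.issue("org-42")
    print("would SMS:", code)
    print("wrong guess accepted?", svc.verify("org-42", "000000" if code != "000000" else "000001"))
    print("correct code accepted?", svc.verify("org-42", code))
    print("replay accepted?", svc.verify("org-42", code))
    print("guess probability:", guess_probability())
```

The attempt limit is what lets the code stay short: the attacker's odds are bounded by `attempts / 10**length` per issued code, so the remaining risk is someone requesting many codes, which is handled by rate-limiting `issue` per organization ID and per requesting IP, not by lengthening the code.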