
I am trying to implement an application that includes registration.

In order to register with the system, the user shall enter his organization ID number, let's say. To verify the user's identity, a verification code will be sent to the phone number stored in the database that matches the entered ID number.

I was wondering what would be the best way to implement this verification mechanism in a secure manner? What algorithm should I use to generate the verification code? This CheckDigitSystem suggested some algorithms, but I am more concerned about the time, in order to prevent replay attacks.

Is it practical to append or use the time stamp to generate the verification code? What should be the TTL for the verification code to expire?

I am also concerned about the user experience. If I don't want to make the verification code too long, would I need to implement expiration after a number of attempts? Or is it better to use long verification codes?

Lamya

1 Answer

Sending a verification code is a good option to make use of the information that you have in the database. For the type of algorithm, you can use a complex or a simple one. The simple one that I have in mind is the timestamp with salting added to it, like how cryptography works.

As for the expiry time, making it 3 minutes would be sufficient. The number of attempts would be 3 as well; once it hits 3 errors, create a log entry in your system or send a notification to notify you that someone is trying to hack into the system, or something like that.

James Yeo
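The answer's scheme (a salted, timestamp-based code, a 3-minute expiry, a 3-attempt limit that raises an alert) as an added Python example; this is not code from the original answer. It assumes an in-memory store, a server-side HMAC key and an `alert` callback, and it keeps only an HMAC digest of the code rather than the code itself.

```python
import hashlib
import hmac
import secrets
import time

TTL_SECONDS = 180      # the answer's suggested 3-minute expiry
MAX_ATTEMPTS = 3       # the answer's suggested attempt limit
CODE_DIGITS = 6


class VerificationStore:
    """One pending code per user; only HMAC digests of codes are kept (assumed design)."""

    def __init__(self, server_key, clock=time.time, alert=print):
        self.key = server_key      # assumed server-side secret, never sent to the user
        self.clock = clock         # injectable so expiry can be tested deterministically
        self.alert = alert         # called when a user hits the attempt limit
        self.pending = {}

    def _digest(self, user_id, code):
        return hmac.new(self.key, f"{user_id}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user_id):
        issued_at = int(self.clock())
        salt = secrets.token_bytes(16)
        # Code = HMAC(key, user_id || timestamp || random salt), truncated to 6 digits.
        mac = hmac.new(self.key, f"{user_id}:{issued_at}:".encode() + salt, hashlib.sha256).digest()
        code = f"{int.from_bytes(mac[:4], 'big') % 10**CODE_DIGITS:0{CODE_DIGITS}d}"
        self.pending[user_id] = {"digest": self._digest(user_id, code),
                                 "issued_at": issued_at, "attempts": 0}
        return code   # hand this to the SMS gateway; the plaintext is not stored

    def verify(self, user_id, submitted):
        entry = self.pending.get(user_id)
        if entry is None:
            return False
        if self.clock() - entry["issued_at"] > TTL_SECONDS:
            del self.pending[user_id]      # expired: a replayed code is useless now
            return False
        entry["attempts"] += 1
        if hmac.compare_digest(entry["digest"], self._digest(user_id, submitted)):
            del self.pending[user_id]      # single use: consumed on success
            return True
        if entry["attempts"] >= MAX_ATTEMPTS:
            del self.pending[user_id]      # lockout: user must request a fresh code
            self.alert(f"verification lockout for user {user_id} after {MAX_ATTEMPTS} failures")
        return False
```

A 6-digit code with 3 attempts and a 3-minute window gives an online guesser at most 3 in 1,000,000 odds per issued code, which is why the short code is acceptable only together with the attempt limit and expiry.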