Two-factor sign-in issue

  • Question

  • User1034446946 posted

    Hi

    A user logs in with their username and password and I send them a code.

    The user is directed to an enter-code page.

    Where and how do I hold the user ID?

    Do I just put it in the URL, which seems a little insecure? Do I put it in a JWT, which seems to complicate JWTs (I have to validate the JWT for a status, and not just "signed in")?

    Or is there another way I am missing?

    Tuesday, April 21, 2020 11:13 PM

Answers

  • User-474980206 posted

    The point of two-factor is that they have access to the resource. Sending a link with the user ID is OK. Of course the ID should either be a GUID or encrypted, so it cannot be guessed.

    It's also common to send the code and require them to type the code into the original page, so no ID is required.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 22, 2020 1:58 AM
  • User475983607 posted

    EnenDaveyBoy

    So you mean storing the username and password somewhere on the page and submitting them with the code? (Maybe hidden fields, or maybe just hiding the main login part? Or put it in Redux for a short time?)

    No. The user already authenticated; the username and password exist. Commonly a short-lived cookie with encrypted content is used to persist whatever information you need to deal with the second factor. Once the second factor is validated, your code sets the authentication cookie and expires the two-factor cookie.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 22, 2020 1:08 PM
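    Added example (not code from this thread, and not ASP.NET's own implementation): a standard-library-only Python model of the flow the accepted answer describes. The user ID lives in a short-lived "twofa" cookie issued after the password check, the enter-code step reads it from that cookie rather than from the URL or a form field, and success swaps it for an "auth" cookie and expires the two-factor one. The ticket is HMAC-signed and time-limited rather than encrypted (the answer's recommendation; in ASP.NET Core the Data Protection stack provides both), and the cookie jar, user IDs and the `PENDING_CODES` store are constructed stand-ins for a real session and database.

    ```python
    import base64
    import hashlib
    import hmac
    import json
    import secrets
    import time

    # Constructed for the demo; a real app loads this from configuration / a key ring.
    SECRET = secrets.token_bytes(32)
    TWOFA_TTL = 300          # seconds the "enter code" step stays valid
    AUTH_TTL = 8 * 3600      # lifetime of the real authentication cookie

    # Stand-in for a server-side store of codes awaiting verification (user id -> code).
    PENDING_CODES = {}


    def _b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


    def _unb64(text: str) -> bytes:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


    def make_ticket(user_id: str, purpose: str, ttl: int, now=None) -> str:
        """Build a signed, time-limited ticket. 'purpose' is what keeps the
        pre-2FA ticket from ever being accepted as a signed-in session."""
        now = time.time() if now is None else now
        claims = {"uid": user_id, "purpose": purpose,
                  "exp": int(now + ttl), "nonce": secrets.token_hex(8)}
        payload = json.dumps(claims, sort_keys=True).encode()
        mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
        return _b64(payload) + "." + _b64(mac)


    def read_ticket(ticket: str, expected_purpose: str, now=None):
        """Return the user id if the ticket is intact, unexpired and was issued
        for expected_purpose; otherwise None."""
        now = time.time() if now is None else now
        try:
            p, m = ticket.split(".")
            payload, mac = _unb64(p), _unb64(m)
        except (ValueError, TypeError):
            return None
        expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return None
        claims = json.loads(payload)
        if claims.get("purpose") != expected_purpose or claims.get("exp", 0) < now:
            return None
        return claims["uid"]


    def login_step1(user_id: str, cookies: dict, now=None) -> str:
        """Runs after the username/password check passed: generate the code and
        set the short-lived two-factor cookie that carries the user id."""
        code = f"{secrets.randbelow(10**6):06d}"
        PENDING_CODES[user_id] = code      # real code: store a hash plus an attempt counter
        cookies["twofa"] = make_ticket(user_id, "twofa", TWOFA_TTL, now)
        return code                        # returned only so the demo can "deliver" it


    def login_step2(submitted_code: str, cookies: dict, now=None) -> bool:
        """The enter-code page: the user id comes from the 2FA cookie, never from
        the URL or the form. On success, issue the auth cookie and drop the 2FA one."""
        user_id = read_ticket(cookies.get("twofa", ""), "twofa", now)
        if user_id is None:
            return False                   # missing, forged, expired, or wrong-purpose ticket
        expected = PENDING_CODES.get(user_id)
        if expected is None or not hmac.compare_digest(expected, submitted_code):
            return False                   # real code: count the failure and lock out after N
        PENDING_CODES.pop(user_id, None)   # the code is single use
        cookies["auth"] = make_ticket(user_id, "auth", AUTH_TTL, now)
        cookies.pop("twofa", None)         # expire the two-factor cookie
        return True


    def current_user(cookies: dict, now=None):
        """What a protected page checks: only an 'auth' ticket counts as signed in."""
        return read_ticket(cookies.get("auth", ""), "auth", now)


    if __name__ == "__main__":
        jar = {}
        code = login_step1("user-42", jar, now=1000)
        print("signed in before code?", current_user(jar, now=1000))      # None
        print("code accepted?", login_step2(code, jar, now=1000))          # True
        print("signed in as:", current_user(jar, now=1000), "cookies:", sorted(jar))
    ```

    The two checks worth noticing are the `purpose` claim, which makes a stolen or replayed "twofa" ticket useless on any page that expects a signed-in user, and the `exp` claim, which bounds how long the half-finished login can be completed; both are what a JWT would have to carry as well, which is the complication the question mentions.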

All replies

  • User1034446946 posted

    So you mean storing the username and password somewhere on the page and submitting them with the code? (Maybe hidden fields, or maybe just hiding the main login part? Or put it in Redux for a short time?)

    Wednesday, April 22, 2020 12:10 PM