I’m trying to change a user login system created by Phx.gen.auth a bit. Normally, when a user creates an account, they get an email with a link they have to click on to verify their email.
I would like to change that so the user receives a 6-digit number which they have to enter into the form to verify their email. I built most of it already and it works, but I got stuck when a user tries to reset their password. Also, there are some security issues I’m worried about, like, a 6-digit number is only 1 million numbers, which can be easily brute-forced. I would probably have to implement some other checks and limit the number of attempts…
There is the NimbleTOTP library out there, but that’s for time-based passwords when using 2-factor auth, which is not what I’m looking for here.
So, I don’t have a real question here… I’m looking for some best practices. If someone has tried to implement a similar system, or if you know some open-source project which I could check, that would be awesome.
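One way to structure the code-based flow described above, as an added example that is not the poster's code and not part of phx.gen.auth: the module name MyApp.Accounts.EmailCode, the challenge map, and the limits are assumptions; `Plug.Crypto.secure_compare/2` comes from plug_crypto, which Phoenix applications already depend on.

```elixir
defmodule MyApp.Accounts.EmailCode do
  @moduledoc """
  Hypothetical helper: issue a 6-digit email verification code, persist only
  its hash, and verify it under an expiry and an attempt limit. The limit is
  the real defence, since a 10^6 code space is trivial to enumerate.
  """

  @digits 6
  @space 1_000_000
  @max_attempts 5
  @ttl_seconds 10 * 60

  @doc "Returns {code_to_email, challenge_to_persist}."
  def generate(now \\ DateTime.utc_now()) do
    code = random_code()
    challenge = %{
      code_hash: hash(code),
      expires_at: DateTime.add(now, @ttl_seconds, :second),
      attempts: 0
    }
    {code, challenge}
  end

  @doc "Checks a submitted code; every guess, right or wrong, counts toward the limit."
  def verify(%{attempts: a} = ch, _submitted, _now) when a >= @max_attempts,
    do: {:error, :locked, ch}

  def verify(ch, submitted, now) when is_binary(submitted) do
    cond do
      DateTime.compare(now, ch.expires_at) != :lt ->
        {:error, :expired, ch}
      # Constant-time comparison avoids a timing side channel on the digits.
      Plug.Crypto.secure_compare(hash(submitted), ch.code_hash) ->
        {:ok, %{ch | attempts: ch.attempts + 1}}
      true ->
        {:error, :invalid, %{ch | attempts: ch.attempts + 1}}
    end
  end

  # Uniform 6-digit code: rejection sampling over a 32-bit CSPRNG draw so that
  # rem/2 introduces no modulo bias.
  defp random_code do
    <<n::unsigned-32>> = :crypto.strong_rand_bytes(4)
    limit = div(4_294_967_296, @space) * @space
    if n < limit,
      do: n |> rem(@space) |> Integer.to_string() |> String.pad_leading(@digits, "0"),
      else: random_code()
  end

  defp hash(code), do: :crypto.hash(:sha256, code)
end
```

Persist the returned challenge with the user record and stop accepting guesses once `verify/3` returns `:locked`; the per-code limit should also sit behind the application's normal per-IP request rate limiting.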
Why not use TOTP? (Using a 2nd factor to verify the first factor makes sense to me!)
There’s an awesome library so the user can scan a QR code on your site with their phone, which can generate a time-based one-time password, and you can then let them through to verify the email!!
This is coming from someone who doesn’t want to mess up the security stuff by implementing some flawed version from scratch.