Any examples of implementing User login system with 6-digit codes for confirmation

Hi,

I’m trying to change a user login system created by Phx.gen.auth a bit. Normally, when a user creates an account, they get an email with a link they have to click on to verify their email.

I would like to change that so the user receives a 6-digit number which they have to enter into the form to verify their email. I built most of it already and it works, but I got stuck when a user tries to reset their password. Also, there are some security issues I’m worried about, like, a 6-digit number is only 1 million numbers, which can be easily brute-forced. I would probably have to implement some other checks and limit the number of attempts…
There is the NimbleTOTP library out there, but that’s for time-based passwords when using 2-factor auth, which is not what I’m looking for here.

So, I don’t have a real question here… I’m looking for some best practices if someone has tried to implement a similar system or if you know some open-source project which I could check, that would be awesome.

Thanks
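An added sketch (my own code, not from phx.gen.auth or anyone in this thread) of the controls the post lists for a 6-digit code: a CSPRNG-generated code, only an HMAC of it stored, a short expiry, a hard attempt cap and a constant-time comparison. The plain-map record, `@pepper` and the `purpose` field (which keeps a confirmation code from doubling as a password-reset code) are assumptions; in a Phoenix app the same fields would live in the users_tokens table phx.gen.auth generates.

```elixir
defmodule EmailCode do
  # Assumed constants; in Phoenix @pepper would come from the app's secret config.
  @digits 6
  @modulus 1_000_000
  @ttl_seconds 10 * 60
  @max_attempts 5
  @pepper "assumed-app-secret-replace-me"
  # Issue a code for one purpose (:confirm or :reset); the plain code is never stored.
  def issue(email, purpose, now \\ System.system_time(:second)) do
    # strong_rand_bytes is a CSPRNG; 64 random bits mod 10^6 has negligible bias.
    n = rem(:binary.decode_unsigned(:crypto.strong_rand_bytes(8)), @modulus)
    code = n |> Integer.to_string() |> String.pad_leading(@digits, "0")
    record = %{email: email, purpose: purpose, code_hash: hash(email, purpose, code),
               expires_at: now + @ttl_seconds, attempts: 0}
    {code, record}
  end

  # Every failure returns a record with attempts + 1 that the caller must persist
  # before replying, so the total number of guesses is bounded, not just the rate.
  def verify(record, submitted, now \\ System.system_time(:second)) do
    failed = %{record | attempts: record.attempts + 1}
    cond do
      record.attempts >= @max_attempts -> {:error, :too_many_attempts, record}
      now > record.expires_at -> {:error, :expired, record}
      not valid_format?(submitted) -> {:error, :invalid, failed}
      secure_compare(hash(record.email, record.purpose, submitted), record.code_hash) ->
        {:ok, :confirmed}
      true -> {:error, :invalid, failed}
    end
  end

  defp valid_format?(code) when is_binary(code) and byte_size(code) == @digits,
    do: String.match?(code, ~r/\A[0-9]+\z/)
  defp valid_format?(_), do: false

  # HMAC binds the code to account and purpose: a leaked row reveals no code, and a
  # confirmation code cannot be replayed as a password-reset code.
  defp hash(email, purpose, code),
    do: :crypto.mac(:hmac, :sha256, @pepper, "#{email}:#{purpose}:#{code}")

  # Constant-time comparison (Plug.Crypto.secure_compare/2 does this in Phoenix).
  defp secure_compare(a, b) when byte_size(a) == byte_size(b) do
    Enum.zip(:binary.bin_to_list(a), :binary.bin_to_list(b))
    |> Enum.reduce(0, fn {x, y}, acc -> Bitwise.bor(acc, Bitwise.bxor(x, y)) end) == 0
  end
  defp secure_compare(_, _), do: false
end
# Stand-alone demo (elixir email_code.exs): one wrong guess is counted, then success.
{code, record} = EmailCode.issue("alice@example.com", :confirm)
wrong = if code == "000000", do: "000001", else: "000000"
{:error, :invalid, record} = EmailCode.verify(record, wrong)
{:ok, :confirmed} = EmailCode.verify(record, code)
```

The demo's pattern matches raise a MatchError if any step misbehaves, so running the script doubles as a smoke test; `record.attempts` is 1 at the end.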

Why not use TOTP? (Using 2nd factor to verify the first factor makes sense according to me!)

There’s an awesome library so a user can scan a QR code on your site with their phone, which can generate a time-based one-time password, and you can then let them through to verify the email!!


This is coming from someone who doesn’t want to mess up the security stuff by implementing some flawed version from scratch. :sweat_smile:

Plus I’m gravitating towards WebAuthn nowadays!

1 Like

What’s wrong with the already secure token phx.gen.auth uses for confirmation?

1 Like

It’s one more step for a user which I would like to avoid.

Nothing wrong with it, it’s just an alternative approach I see more and more often, so I would like to implement it to learn how to do it properly.

Just to make it clear, this is not for a production app, it’s all for learning purposes.

Oh, since you are doing this for learning purposes, check out PlausibleHQ code:

I saw them using an email verification code, don’t know for what purposes it’s used, maybe for the invite system.

I was eyeing their implementation myself a few months back.

1 Like