 

How to make two factor authentication token expire after single use

I implemented two factor authentication by following this tutorial:

https://docs.microsoft.com/en-us/aspnet/identity/overview/features-api/two-factor-authentication-using-sms-and-email-with-aspnet-identity

I want to make the code expire after single use.

Right now, the user receives the same code until the expiration time (which is set to 5 minutes) completes. Is there a way to make the code single use? I couldn't find anything on this subject.

asked Jul 05 '18 by Ege Bayrak


1 Answer

There is a note in the tutorial that you linked to that says:

The 2FA codes are generated using Time-based One-time Password Algorithm and codes are valid for six minutes. If you take more than six minutes to enter the code, you'll get an Invalid code error message.

So, using this method, you cannot make the code expire after use.

You could, as an addition, keep a store of codes that have been used and check against that store before validating the code. You could allow the codes to expire out of that store after 6 minutes, which is their natural expiry time, but in the meantime use them to reject a second authentication.

Alternatively, you can choose to avoid the TOTP method and generate a random code that you store against your user before you send the SMS or email. Then you can check against that code when the user authenticates with it and delete or invalidate the code at that point. Using TOTP means that you could extend this 2FA to use an authenticator app based flow for the authentication too, which is more secure than SMS or email.

answered Sep 27 '22 by philnash
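The two approaches in the answer, modelled as an added example in plain Python. This is not code from the original post, the linked tutorial, or ASP.NET Identity; it shows the mechanics so they can be carried over into the ASP.NET app, where the same used-code store would sit in front of the framework's own two-factor token check. Assumed parameters: a 30-second TOTP step with one step of clock-drift tolerance (RFC 6238 defaults; the tutorial's service uses a longer step) and a six-minute time-to-live for both the used-code entries and the random codes, matching the six minutes the tutorial quotes. The secret and user names in the demo are constructed test data (the secret is the RFC 6238 test-vector key).

```python
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30          # assumed TOTP step; ASP.NET's provider uses a longer one
WINDOW = 1                 # accept one step of clock drift on either side
VALIDITY_SECONDS = 6 * 60  # six minutes, as quoted from the tutorial


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: HOTP of the current time step."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp_is_valid(secret: bytes, code: str, unix_time: int,
                  step: int = STEP_SECONDS, window: int = WINDOW) -> bool:
    """True if the code matches any step inside the drift window.
    This is the property the question complains about: the same code
    stays valid for the whole window, however many times it is presented."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


class UsedCodeStore:
    """Approach 1 from the answer: remember (user, code) pairs that already
    authenticated and reject a replay. Entries expire after the code's natural
    validity, so the store stays small."""

    def __init__(self, ttl: int = VALIDITY_SECONDS):
        self._ttl = ttl
        self._used = {}  # (user_id, code) -> expiry time

    def _purge(self, now: int) -> None:
        for key in [k for k, exp in self._used.items() if exp <= now]:
            del self._used[key]

    def consume(self, user_id: str, code: str, now: int) -> bool:
        """Return False if this code was already used for this user; otherwise record it."""
        self._purge(now)
        key = (user_id, code)
        if key in self._used:
            return False
        self._used[key] = now + self._ttl
        return True


def verify_totp_single_use(store: UsedCodeStore, user_id: str, secret: bytes,
                           code: str, now: int) -> bool:
    """TOTP check followed by the replay check: a valid code succeeds once only."""
    if not totp_is_valid(secret, code, now):
        return False
    return store.consume(user_id, code, now)


class RandomCodeStore:
    """Approach 2 from the answer: a random code stored per user before the
    SMS/email is sent, invalidated on first successful use."""

    def __init__(self, ttl: int = VALIDITY_SECONDS, digits: int = 6):
        self._ttl = ttl
        self._digits = digits
        self._pending = {}  # user_id -> (code, expiry time)

    def issue(self, user_id: str, now: int) -> str:
        code = str(secrets.randbelow(10 ** self._digits)).zfill(self._digits)
        self._pending[user_id] = (code, now + self._ttl)  # a new code replaces any older one
        return code  # the caller sends this to the user

    def redeem(self, user_id: str, code: str, now: int) -> bool:
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        expected, expiry = entry
        if now >= expiry:
            del self._pending[user_id]
            return False
        if not hmac.compare_digest(expected, code):
            return False
        del self._pending[user_id]  # single use: gone after the first success
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed: RFC 6238 test-vector key
    store = UsedCodeStore()
    code = totp(secret, 59)
    print("first use:", verify_totp_single_use(store, "alice", secret, code, 59))
    print("replay:   ", verify_totp_single_use(store, "alice", secret, code, 70))
```

With `UsedCodeStore` the TOTP provider is untouched and an authenticator-app flow can be added later; the store only has to be shared by every server that validates codes (a database table or cache rather than an in-process dict), and the replay check must happen in the same place as the token check so a second login attempt cannot bypass it. With `RandomCodeStore`, failed attempts should additionally be counted and the code discarded after a few, since a six-digit code with a six-minute window is otherwise brute-forceable.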