Update token for MFA/2fa in app

Hi,

Currently, I'm using multi-factor authentication in my app.

login > 2fa > home
Scan the QR code with Google Authenticator, then enter the token it generates.

My idea is to store the random token in my database, then fetch the stored token and match it against the input token; if both match, redirect to the home page.


However, I'm facing some issues:
  • how to update to the latest token when it expires (the token expires every 30 seconds)

    But I don't need the token to keep updating all the time; I just need it to update during the period between the user logging in on the login page and submitting on the '2fa' page (between the first login [login] and the second login [2fa]). Once the user can access the home page, it can stop updating.

  • how to set a 30-day expiry on the token entered on the 2fa page, so the user doesn't need to enter a token when they log in within the month

    01/01/2023 login >> login > 2fa > home
    02/01/2023 login >> login > home
    29/01/2023 login >> login > home

    01/02/2023 login >> login > 2fa > home
    15/02/2023 login >> login > home

If there are any ideas/advice, kindly share, as long as the function is similar to my idea :grinning:.

Hello @beginof,

I hope you aren't storing the one-time token in your DB and are just doing the conversion on the stored secret key.

With that said, yes, you can save the location. Basically, you can store the IP address of the request along with a timestamp of when they accepted. Then compare that first in the login step before sending to 2FA.

Hi @jinnyzor,

What is your advice on the OTP?
How can the entered OTP be matched against the OTP generated by Google Authenticator on the user's phone?

You store the secret key that makes the OTP.

The Authenticator just stores the secret key and then displays what that key is when asked for a number.
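The two points made in this thread, in working code, as an added example that is not from the original posts: the server never stores a one-time code; it stores the per-user secret that went into the QR code and recomputes the RFC 6238 TOTP value for the current 30-second step (plus one step either side for clock skew) whenever the user submits the 2fa page, so there is nothing to "keep updating" in the database. The 30-day skip is a separate record keyed on a random cookie token (stored hashed, with an expiry) rather than on the IP address suggested above, since IP addresses change; that substitution, the in-memory dict standing in for the database, and the names `login`, `verify_totp`, `remember_device` and the `beginof` account are all assumptions of this example. Only the Python standard library is used.

```python
"""Server-side TOTP check from a stored secret, plus a 30-day "trusted device" record."""
import base64
import hashlib
import hmac
import secrets
import struct
from urllib.parse import quote

DAY = 86400


def new_secret() -> str:
    """Per-user secret, generated once at enrolment and kept server-side (encrypt at rest)."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def provisioning_uri(issuer: str, account: str, secret_b32: str) -> str:
    """Key URI that goes into the QR code; Google Authenticator stores only this secret."""
    return (f"otpauth://totp/{quote(issuer + ':' + account)}"
            f"?secret={secret_b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: the counter is Unix time in 30-second steps. This is exactly what
    the phone computes from the same secret; the server recomputes it, never stores it."""
    return hotp(base64.b32decode(secret_b32.upper()), at // step, digits)


def verify_totp(secret_b32: str, code: str, at: int, last_counter: int = -1,
                step: int = 30, window: int = 1):
    """Accept the code for the current step or one step either side (clock skew).
    Returns the matched counter, or None. Counters at or before last_counter are
    refused so a code captured in transit cannot be replayed within its window."""
    secret = base64.b32decode(secret_b32.upper())
    now = at // step
    for c in range(now - window, now + window + 1):
        if c < 0 or c <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, c), code):   # constant-time compare
            return c
    return None


def remember_device(devices: dict, user: str, at: int, ttl_days: int = 30) -> str:
    """Issue a random token for the browser cookie; only its hash and expiry are stored."""
    token = secrets.token_urlsafe(32)
    devices[hashlib.sha256(token.encode()).hexdigest()] = (user, at + ttl_days * DAY)
    return token


def device_is_trusted(devices: dict, user: str, token: str, at: int) -> bool:
    rec = devices.get(hashlib.sha256(token.encode()).hexdigest())
    return rec is not None and rec[0] == user and at < rec[1]


def new_user_record(secret_b32: str) -> dict:
    """Stand-in for the user's database row (assumption: a plain dict)."""
    return {"secret": secret_b32, "last_counter": -1, "devices": {}}


def login(db: dict, user: str, password_ok: bool, at: int, otp=None, device_token=None):
    """One request in the login > 2fa > home flow. Returns (next_page, device_token)."""
    if not password_ok:
        return "login", None
    if device_token and device_is_trusted(db["devices"], user, device_token, at):
        return "home", device_token                 # within 30 days: skip the 2fa page
    if otp is None:
        return "2fa", None                          # password ok, now ask for the code
    counter = verify_totp(db["secret"], otp, at, db["last_counter"])
    if counter is None:
        return "2fa", None                          # wrong, stale or replayed code
    db["last_counter"] = counter
    return "home", remember_device(db["devices"], user, at)


if __name__ == "__main__":
    secret = new_secret()
    db = new_user_record(secret)
    print(provisioning_uri("MyApp", "beginof@example.com", secret))
    t0, tok = 1672531200, None                      # 2023-01-01 00:00 UTC, no cookie yet
    # Constructed walk-through of the calendar in the question (day 31 is 01/02/2023).
    for day, phone in ((0, False), (0, True), (1, False), (28, False), (31, False), (31, True)):
        at = t0 + day * DAY
        otp = totp(secret, at) if phone else None   # "phone" = what Authenticator shows
        page, new_tok = login(db, "beginof", True, at, otp=otp, device_token=tok)
        tok = new_tok or tok
        print(f"day {day:2d}: {'otp ' + otp if otp else 'no otp'} -> {page}")
```

The `last_counter` field is the one piece of per-login state worth keeping: it makes each 30-second code single-use, which the plain "compare with the phone" check does not. Tie the cookie token to the user it was issued for (as above) and clear the `devices` entries on password change or logout-everywhere.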

Thanks @jinnyzor for your advice :grinning:

1 Like