Implementing and Enhancing Two-Factor Authentication with Twilio and Xano
The State Changers meeting focused on understanding and implementing two-factor authentication for a client project. The meeting mainly revolved around the use of Twilio and Xano. Questions were raised on how to ensure that the authentication code entered comes from the same browser that entered the correct initial password, and what prevents someone else from using that code on a different device.
Two solutions were discussed to mitigate these issues. The first involves a time-based one-time password (TOTP), which becomes invalid after a certain period of time or once it has been used. The second involves issuing a temporary authentication code that must be validated alongside the correct password.
The conversation then went in depth into implementing this two-factor authentication with Xano and Twilio. The process requires generating a unique temporary key during the username-and-password phase, which is passed to the front end and ultimately sent back. This temporary key is validated together with the code received via Twilio, so the second step is bound to the browser that completed the first.
To ensure enhanced security, it was suggested to avoid passing the phone number around on the API level. Instead, the unique random ID generated during the password confirmation should be used to look up the user and their associated phone number in the database. This method also reduces the risk of exposing sensitive user information.
In addition to these measures, recording a timestamp for each step was discussed to further secure the process. If a certain amount of time passes after the username and password are entered without the second code being entered, the system can invalidate the pending login.
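The flow discussed above (opaque temporary key issued after the password check, phone number looked up server-side, code consumed on first use and expired by timestamp), as an added example that is not code from the meeting, Xano or Twilio. Assumptions: in-memory dicts stand in for the Xano tables, `send_sms` stands in for the Twilio API call, and a five-minute window is used for the timeout.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300  # assumed window before a pending login is invalidated

def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed stand-in for the user table (salted password hash, phone kept server-side).
_SALT = b"constructed-salt"
USERS = {"alice": {"salt": _SALT, "pw_hash": _hash_password("correct horse", _SALT),
                   "phone": "+15550100"}}
PENDING = {}   # challenge_id -> {"username", "code", "issued_at"}
OUTBOX = []    # messages that would have gone to Twilio

def send_sms(phone, body):
    """Stand-in for the Twilio call; records the message instead of sending it."""
    OUTBOX.append({"to": phone, "body": body})

def _now(now):
    return time.time() if now is None else now

def start_login(username, password, now=None):
    """Step 1: verify the password, then issue an opaque challenge ID and text the code."""
    user = USERS.get(username)
    if user is None or not hmac.compare_digest(user["pw_hash"], _hash_password(password, user["salt"])):
        return None
    challenge_id = secrets.token_urlsafe(32)          # the temporary key the browser holds
    code = f"{secrets.randbelow(10**6):06d}"           # six-digit code delivered out of band
    PENDING[challenge_id] = {"username": username, "code": code, "issued_at": _now(now)}
    send_sms(user["phone"], f"Your code is {code}")   # phone looked up by user, never sent to the client
    return challenge_id

def finish_login(challenge_id, code, now=None):
    """Step 2: the browser returns its challenge ID plus the code; returns the username on success."""
    pending = PENDING.pop(challenge_id, None)          # single use: consumed even on failure
    if pending is None:
        return None
    if _now(now) - pending["issued_at"] > CODE_TTL_SECONDS:
        return None                                    # timed out after the password step
    if not hmac.compare_digest(pending["code"], code):
        return None
    return pending["username"]
```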