Wed, Dec 11, 11:07 PM

Best practice for OTP verification

  • Tom Ireland

    22 days ago

    I have implemented OTP generation in Xano (6 digit number) based on email address and user having an existing account, which sends OTP via email.

    I have a general musing about verifying the OTP when redirecting the user upon success to an OTP verification page. Is it considered "acceptable" to redirect with the email as a query param to use in the verification POST along with the OTP sent via email (given the page is HTTPS), or should I also create some kind of token hash as a query param instead of the email to verify the record along with the OTP sent via email?

    If I decided to just do the verification on the same page, I could forego the query param as email is already saved as a variable when making the initial call for the token but I'm redirecting to a verification page for the OTP.
  • Max

    22 days ago

    Hi Tom! I would not use the email as a query param. You probably would not do much harm, but the params are not encrypted via https. Just the payload and the header.
  • Tom Ireland

    22 days ago

    Thanks, Max. I did come to that conclusion and was thinking of just returning a token hash that could be used as the query param on redirect. That would be better, right?
    If intercepted, you'd still need the OTP to verify successfully, and that's sent via email.

    My verification page will use the hash as the identifier for the record in the db and then check the OTP matches.
  • Max

    22 days ago

    I don't think you need the hash in the query params... You could do the login and the verification on the same page.

    But yes, this is more secure.
  • Tom Ireland

    22 days ago

    Yeah, I think you're right re the login and verification. It would be way simpler to do this on the same page.
    But good to also hear that a token hash would be a more secure approach if redirecting.

    Appreciate the sense check on that.
    💪1
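The flow the thread settles on (redirect with an opaque token rather than the email, then verify token plus emailed OTP) is shown below as an added example; it is not code from the thread or from Xano. It assumes an in-memory dictionary in place of the Xano table, a 10-minute OTP lifetime, a five-attempt limit, and an assumed `/verify` path; the `now` parameters exist only so the expiry logic can be exercised deterministically.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

OTP_TTL_SECONDS = 600  # assumed policy: an OTP is valid for 10 minutes
MAX_ATTEMPTS = 5       # assumed policy: discard the record after five wrong guesses

# Constructed in-memory store standing in for the database table that would
# hold pending verifications. It is keyed by the opaque token, never by email.
_pending: Dict[str, dict] = {}


def _hash_otp(token: str, otp: str) -> bytes:
    # Bind the OTP digest to its token so a stored digest is useless for any
    # other record, and so the raw OTP never sits in the store.
    return hmac.new(token.encode(), otp.encode(), hashlib.sha256).digest()


def start_verification(email: str, now: Optional[float] = None) -> Tuple[str, str]:
    """Create a pending record and return (token, otp).

    The token is the only thing that goes into the redirect URL; the OTP is
    what goes into the email. An attacker who sees the URL still has no OTP,
    and the URL no longer reveals which account is being verified.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits of randomness, opaque
    otp = f"{secrets.randbelow(10 ** 6):06d}"    # six digits, zero-padded
    _pending[token] = {
        "email": email,
        "otp_hash": _hash_otp(token, otp),
        "expires_at": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    return token, otp


def redirect_url(token: str) -> str:
    # Assumed verification page; note that the email is absent from the URL.
    return f"https://app.example.test/verify?token={token}"


def verify(token: str, otp: str, now: Optional[float] = None) -> Optional[str]:
    """Return the verified email on success, None otherwise.

    The record is consumed on success and dropped on expiry or after too many
    attempts, so a token is single-use and cannot be brute-forced at leisure.
    """
    now = time.time() if now is None else now
    rec = _pending.get(token)
    if rec is None:
        return None
    if now > rec["expires_at"]:
        del _pending[token]
        return None
    rec["attempts"] += 1
    if rec["attempts"] > MAX_ATTEMPTS:
        del _pending[token]
        return None
    # Constant-time comparison of digests avoids leaking how much of the OTP matched.
    if not hmac.compare_digest(rec["otp_hash"], _hash_otp(token, otp)):
        return None
    del _pending[token]
    return rec["email"]


if __name__ == "__main__":
    tok, code = start_verification("tom@example.test")   # constructed address
    print("redirect to:", redirect_url(tok))
    print("email would carry OTP:", code)
    print("verified as:", verify(tok, code))
    print("second use:", verify(tok, code))               # None: token consumed
```

The OTP is still the thing a user must prove possession of; the token only names the pending record without exposing the account, and tying expiry and an attempt counter to it keeps a six-digit code from being guessable in the window it is valid.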


© Copyright 2024 toddle. All rights reserved.