Is this method of phone verification secure?

I came across this great post detailing how to setup your own SMS verification system using Twilio: Phone Verification Solution using Twilio

It’s a great tutorial, but I’m wondering if it’s secure.

I’m no security expert, but this is my hot take: If the randomly generated number (used for the verification code) is stored in the browser I expect it will be easy to find by someone who wants to hack the system. But if it’s stored on the server then it should be fairly secure.

Can anyone confirm if that is correct?

And most importantly, does the linked method store the verification code in the browser or the server?

Can anyone with more knowledge than me confirm this?

I like this method because I can use the standard Twilio text message system which has cheaper rates than the Twilio Verification Code API. But I do want to make sure things are secure.

If it’s not secure, is it possible to tweak this method so that the verification code is not stored in the browser?

Use auth0.com to do the same thing …

Or make the code only a one time use ?

No, it’s not secure because the whole process is done in the front-end with no privacy rules.
So I basically just have to inspect the element in Chrome to see the generated code…

If you’re looking for a model, I’ve made a similar log-in block, but secured.
Otherwise, the solution posted by @NigelG seems interesting.

Fairly simple to send the input field to the server to do the check. It doesn’t need to be in the browser.
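For anyone wanting to see what "do the check on the server" and "one time use" look like in practice, here is an added example in Python. It is not the tutorial's code and not something anyone in this thread posted; the class name `VerificationStore`, the constants, and the `send_sms` callback (which stands in for a call to the Twilio SMS API) are all assumptions. The point it demonstrates: the code is generated on the server, leaves only as an SMS, is stored only as an HMAC, expires, is rejected after a few wrong guesses, and is deleted the moment it is used, so nothing useful is ever in the browser to inspect.

```python
import hashlib
import hmac
import secrets
import time

CODE_DIGITS = 6          # length of the numeric code sent by SMS (assumed value)
CODE_TTL_SECONDS = 300   # code expires five minutes after it is issued (assumed value)
MAX_ATTEMPTS = 5         # wrong guesses allowed before the code is invalidated (assumed value)


class VerificationStore:
    """Server-side store of pending verification codes, keyed by phone number.

    The browser never sees the code: it is generated here, handed to ``send_sms``
    (in production a wrapper around the Twilio SDK) and only an HMAC of it is
    kept, so it cannot be read from the page source or recovered from a leaked
    store. Hypothetical class written for this example.
    """

    def __init__(self, send_sms, clock=time.time, secret=None):
        self._send_sms = send_sms            # callback: send_sms(phone, body)
        self._clock = clock                  # injectable so expiry can be tested
        self._secret = secret or secrets.token_bytes(32)
        self._pending = {}                   # phone -> {"digest", "expires", "attempts"}

    def _digest(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).digest()

    def start(self, phone):
        """Issue a fresh code for ``phone`` and send it by SMS.

        Deliberately returns nothing: the code must not travel back to the browser.
        """
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[phone] = {
            "digest": self._digest(phone, code),
            "expires": self._clock() + CODE_TTL_SECONDS,
            "attempts": 0,
        }
        self._send_sms(phone, f"Your verification code is {code}")

    def verify(self, phone, submitted):
        """Check a code typed by the user; True on success.

        The entry is removed on success, on expiry, and after too many wrong
        attempts, which makes every code single-use.
        """
        entry = self._pending.get(phone)
        if entry is None:
            return False
        if self._clock() > entry["expires"]:
            del self._pending[phone]
            return False
        entry["attempts"] += 1
        if entry["attempts"] > MAX_ATTEMPTS:
            del self._pending[phone]
            return False
        # Compare HMACs in constant time rather than comparing the raw strings.
        ok = hmac.compare_digest(entry["digest"], self._digest(phone, str(submitted)))
        if ok:
            del self._pending[phone]
        return ok

    def pending_count(self):
        """Number of codes still awaiting verification."""
        return len(self._pending)


if __name__ == "__main__":
    # Constructed demo: the "SMS gateway" just prints, standing in for Twilio.
    store = VerificationStore(send_sms=lambda to, body: print(f"SMS to {to}: {body}"))
    store.start("+15550100000")  # constructed example number
    typed = input("Enter the code you received: ")
    print("verified" if store.verify("+15550100000", typed) else "rejected")
```

The browser only ever submits the phone number and, later, whatever the user typed; both `start` and `verify` run server-side, and the only thing returned to the front-end is a yes/no.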

Yes please, would love to see the login block you created 🙂

