It’s a great tutorial, but I’m wondering if it’s secure.
I’m no security expert, but this is my hot take: If the randomly generated number (used for the verification code) is stored in the browser I expect it will be easy to find by someone who wants to hack the system. But if it’s stored on the server then it should be fairly secure.
Can anyone confirm if that is correct?
And most importantly, does the linked method store the verification code in the browser or the server?
Can anyone with more knowledge than me confirm this?
I like this method because I can use the standard Twilio text message system which has cheaper rates than the Twilio Verification Code API. But I do want to make sure things are secure.
If it’s not secure, is it possible to tweak this method so that the verification code is not stored in the browser?
No, it’s not secure, because the whole process is done in the front end with no privacy rules.
So I basically just have to inspect the element on Chrome to see the generated code…
If you’re looking for a model, I’ve made a similar log-in block, but secured.
Otherwise, the solution posted by @NigelG seems interesting.
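For the server-side variant asked about in this thread, here is an added sketch that is not from any poster or from the linked tutorial: the code is generated and checked on the server, only a keyed digest is stored, and the browser only ever sees a yes/no result. The class name, the TTL and attempt limits, and the in-memory dictionary are assumptions for illustration; sending the SMS is left to whatever messaging step receives the value returned by `issue`.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed policy: code valid for 5 minutes
MAX_ATTEMPTS = 5         # assumed policy: guesses allowed per issued code


class VerificationStore:
    """Hypothetical server-side store; the browser never gets the code or digest."""

    def __init__(self, clock=time.time):
        self._key = secrets.token_bytes(32)   # per-server HMAC key
        self._pending = {}                    # phone -> [digest, expires_at, attempts_left]
        self._clock = clock                   # injectable so expiry can be tested

    def _digest(self, phone, code):
        msg = f"{phone}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, phone):
        """Create a 6-digit code and hand it only to the SMS-sending step."""
        code = f"{secrets.randbelow(10**6):06d}"   # CSPRNG-backed
        self._pending[phone] = [self._digest(phone, code),
                                self._clock() + CODE_TTL_SECONDS,
                                MAX_ATTEMPTS]
        return code

    def verify(self, phone, submitted):
        """Return True once for the right code; the client sees only this boolean."""
        entry = self._pending.get(phone)
        if entry is None:
            return False
        digest, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[phone]          # expired or guessed too often
            return False
        entry[2] -= 1                         # count this attempt
        if hmac.compare_digest(digest, self._digest(phone, str(submitted))):
            del self._pending[phone]          # single use
            return True
        return False
```
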