Privacy Rules for 2FA

Hey,
I’m using this plugin for 2FA on my app.

The plugin checks if the input 2FA code is valid by generating another code with a user’s secret. If the generated code matches the entered code, it logs in the user.

However, in order to generate a code to compare to the input code, it needs to fetch the user’s secret from their User object.

How can I set the Privacy Rules so that the user can only see their secret if the generated code matches the one that they entered? If I allow the user to see their own secret without any restrictions, they can simply bypass the 2FA.

That’s a tricky one.

Backend workflows can be set to ignore privacy rules though, so you could simply run a backend WF that takes the entered code to do the check and then set a flag on the user’s DB thing approving access.


Ranjit / Atomic Fusion - Accelerate your Bubble development
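
The approach suggested in the reply above, as an added example that is not code from the thread or from the plugin: the check runs entirely on the server, reads the secret there, and hands back only a yes/no result plus a flag on the user record. The `USERS` dict, field names and `verify_2fa` function are hypothetical stand-ins for the User table and the backend workflow; the secret is the published RFC 6238 test key, not a real one.

```python
import base64, hashlib, hmac, struct, time

# Constructed stand-in for the User table. "totp_secret" is only ever read
# server-side; privacy rules would hide that field from every client.
USERS = {"alice": {"totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
                   "mfa_verified": False, "last_step": -1}}

def totp(secret_b32, step, digits=6):
    """RFC 6238 TOTP (HMAC-SHA1) for a single time step."""
    key = base64.b32decode(secret_b32, casefold=True)
    mac = hmac.new(key, struct.pack(">Q", step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_2fa(user_id, entered_code, now=None, period=30, window=1):
    """Hypothetical backend action: returns True/False, never the secret."""
    user = USERS.get(user_id)
    if user is None or not (entered_code.isascii() and entered_code.isdigit()):
        return False
    current = int((time.time() if now is None else now) // period)
    # Accept the current step plus/minus `window` steps of clock drift.
    for step in range(current - window, current + window + 1):
        if step <= user["last_step"]:
            continue  # this step (or a later one) was already used: no replay
        if hmac.compare_digest(totp(user["totp_secret"], step), entered_code):
            user["last_step"] = step
            user["mfa_verified"] = True  # the approval flag from the reply
            return True
    return False

if __name__ == "__main__":
    print(verify_2fa("alice", "287082", now=59))  # code for time step 1
    print(verify_2fa("alice", "287082", now=59))  # same code replayed
```

The client only ever sees the boolean result; the flag should be cleared again at logout or at the start of each new login so a previous approval does not carry over.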
