Context: Bubble provides a native implementation of 2FA for your apps, which is ok, except for two things:
- it is available on a costly plan
- it requires the user to download an Authenticator application
Therefore, I tried to build my own 2FA system that sends a code via email. I tried to design the system to be as secure as possible.
My question for you now is, how secure is this? Do you find something odd?
Here’s how it works:
## User wants to log in
- On the login page he writes his credentials in a standard login flow and triggers the first workflow, which we’ll name “WF1”
- “WF1” is structured as follows:
a. Logs the user in
b. Immediately logs the user out
c. Schedules API workflow ("API WF 1")
“API WF 1” is structured as follows:
a. it generates a random 6-digit number
b. it saves it in the database, in a data type which only has two fields: 1) the code (just generated) 2) the user that is trying to log in (the user email). The privacy rules of this data type do not permit anyone to view the fields; only backend workflows can
c. it sends an email to the user with the generated code
After this, on the front-end, the user is presented with a new input, where he must enter the 2FA code.
When he triggers the workflow, which we’ll name “WF2”, the following happens:
- a new backend workflow is triggered (“BACKEND WF 2”), described later
- if the response from BACKEND WF 2 is positive (it gives back a boolean response), then it logs the user in again (with the values he wrote previously in the login inputs) and redirects him to the index page. If the response is negative, it does nothing.
BACKEND WF 2 does the following:
a. it returns a positive value if the 2FA code entered by the user and the email of the user that wants to authenticate match the ones found in the database.
b. it returns a negative value if there are no matches.
What do you think about this?
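The generate-store-compare loop the post describes (API WF 1 creates a 6-digit code tied to the user's email, BACKEND WF 2 compares the submitted code against the stored one) can be written as a small server-side service. The block below is an added example for readers, not the poster's Bubble workflows and not Bubble code; it assumes an in-memory store and a server-held secret (`PEPPER`) and shows the properties a practitioner would check for in such a design: a cryptographically random code, the code stored only as a keyed hash, a short lifetime, a cap on verification attempts, single use, and a constant-time comparison.

```python
import hashlib
import hmac
import secrets
import time

# Assumed server-side parameters (constructed for this example).
CODE_TTL_SECONDS = 300      # code is valid for five minutes after issue
MAX_ATTEMPTS = 5            # wrong guesses allowed before the code is revoked
PEPPER = b"example-server-secret-keep-out-of-the-database"


class PendingCode:
    """One outstanding email code for a given user (equivalent of the poster's data type)."""

    def __init__(self, code_hash: bytes, created_at: float):
        self.code_hash = code_hash    # HMAC of the code, never the plaintext code
        self.created_at = created_at
        self.attempts = 0             # failed verifications so far
        self.used = False


class EmailOtpService:
    """Issues and verifies email one-time codes; the email address is the lookup key."""

    def __init__(self, pepper: bytes = PEPPER):
        self._pepper = pepper
        self._pending = {}            # email -> PendingCode (in-memory stand-in for a DB table)

    def _hash(self, email: str, code: str) -> bytes:
        # Bind the hash to the email so a code issued to one user cannot be replayed for another.
        msg = f"{email.strip().lower()}:{code}".encode()
        return hmac.new(self._pepper, msg, hashlib.sha256).digest()

    def issue(self, email: str, now: float = None) -> str:
        """Generate a fresh 6-digit code for `email`, replacing any earlier one, and return it
        so the caller can send it by email. The plaintext is not kept."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"   # CSPRNG, uniform over 000000-999999
        self._pending[email.strip().lower()] = PendingCode(self._hash(email, code), now)
        return code

    def verify(self, email: str, submitted: str, now: float = None) -> bool:
        """Return True exactly once for the correct, unexpired code; False otherwise."""
        now = time.time() if now is None else now
        key = email.strip().lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        # Reject and discard codes that are spent, expired, or over the guess budget.
        if entry.used or now - entry.created_at > CODE_TTL_SECONDS or entry.attempts >= MAX_ATTEMPTS:
            self._pending.pop(key, None)
            return False
        entry.attempts += 1
        ok = hmac.compare_digest(entry.code_hash, self._hash(email, submitted))
        if ok:
            entry.used = True
            self._pending.pop(key, None)   # single use: a replayed code fails from now on
        return ok


if __name__ == "__main__":
    svc = EmailOtpService()
    code = svc.issue("alice@example.com")     # constructed sample user
    print("verify wrong code:", svc.verify("alice@example.com", "000000"))
    print("verify right code:", svc.verify("alice@example.com", code))
    print("replay right code:", svc.verify("alice@example.com", code))
```

The `now` parameter exists only so expiry can be exercised deterministically; in production the service would read the clock itself, and the `_pending` dictionary would be a table that, as in the post, only backend code can read.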