Secure practices in OTP based login mechanism

Need help
1

Hi,

I am thinking of implementing an OTP-based login mechanism on my app.

I have a WhatsApp API provider using which I can send WhatsApp messages.

Here’s the flow I am thinking of:

  1. SIGN-UP
  2. The user enters relevant information like email, name, and phone and clicks on the request OTP. (I’ll be storing the number by appending with some domain to use it as an email.)
  3. I’ll then generate a random number using a backend workflow and store it in a custom state, and send this OTP to the user. (Is it safe to store this in a custom state? If not, where can I store it considering the user has not logged in yet?).
  4. Once he enters a valid OTP, I create a random hashed temporary password and use it to sign the user up. I also store this in the user database for future login
  5. LOGIN
  6. The user enters the phone number and clicks on the request OTP.
  7. I’ll then generate a random number using a backend workflow, store it in a custom state, and send this OTP to the user.
  8. Once he enters a valid OTP, I search the user table with his unique phone number and log him in with the temporary password created using step 4. (To do this search, I’ll have to disable privacy rules to get a temporary password. Is this secure?)

Can you please let me know if this is a good approach? If not, can you advise me on a better approach to implementing login and signup using OTP methods in Bubble?

Thanks

2

All client side validation will lead to security holes, as intermediaries can give validation=True and gain access. Use bubble’s 2FA feature. Other 2FA plugin does not provide server based auth.

3
  1. Never store OTP in custom state as this is a client-side feature.
  2. You need separate db table (thing) that tracks issued OTPs against e-mails that is filled from backend workflow. It should never be accessed from client-side workflows. You can enforce it using appropriate dummy privacy rules.
  3. Storing and validating OTPs should be performed in a backend workflow(s), which you can set to ignore privacy rules.
  4. Subsequently, you don’t need to disable privacy rules to get temporary passwords as you can mark single backend workflow to ignore them.
  5. You probably would need periodic OTP table cleanup in a scheduled workflow.
5

So, can I do something like this?

Request OTP from screen

  • Trigger the backend workflow to create an OTP and store it in a table with the expiration date and other information. Also, make an API call to send this OTP on WhatsApp to the user.

Verification of OTP

  • Trigger backend workflow to verify entered OTP and send yes or no to handle success or error scenarios.

One doubt I have is when I make an API call to send the OTP to user, will this be seen on networks tab in dev console?

6

If you do it from backend workflow, it won’t.

7
  1. You need separate db table (thing) that tracks issued OTPs against e-mails that is filled from backend workflow. It should never be accessed from client-side workflows. You can enforce it using appropriate dummy privacy rules.

I did not understand what you meant by dummy privacy rules, Can you please explain?

8

I mean a synthentic tule that prevents access to OTP table for anyone:

image
image1299×528 26 KB

It’s a precautious measure and isn’t necessary if you are careful enough, but I used to add this rule for sensitive data.