Setting up 2FA for users

So here is the scenario

I have a system where the users need to log in. I used to have a magic link sent out as a 2FA but this is not ideal as the PWA for IOS does not log in from the magic link, on top of this I just updated my email server to office 365 and now the links are more often then not expired before anyone can use them.
I decided to look into using the 2FA authenticator which on the outset looks great. however, the users secret key needs to be inputted before they are properly logged in, which means the secret can be seen if the username and password of the user is known, through inspecting the page or the bubble inspector. This kind of defeats the purpose.

Does anyone know a way around this? the secret for the authenticator app needs to be called up to authenticate so how do I do this without displaying the secret. I tried using a decrypter but then the “hacker” would only need to put in a false code once and check the bubble debugger and the true secret would be displayed, which theoretically can be used to re register with an authenticator and gain access.

I appreciate any help

This topic was automatically closed after 70 days. New replies are no longer allowed.