October 21, 2024

MFA with OTP security concern


I’m preparing to implement my own authorization server. I plan to add MFA support with OTP. I have a security concern regarding my understanding of how it’s gonna work in my planned app.

I plan to have 2 apps:

  • Backend service to handle authorization/authentication,
  • Frontend app implemented in some framework, delivering the UI for the user to interact with the authorization flow.

Here is my understanding of how such a process should look:

  1. User clicks the Login button.
  2. User is asked to fill in username/email + his password.
  3. A request containing the user credentials is made to the auth server.
  4. Auth server validates the user credentials. If they’re correct, the frontend app receives some kind of positive response and generates the UI for delivering the OTP.

And here is my doubt. Let’s say that somebody tries to hit my auth server endpoint with an OTP token, completely ignoring the first step, which was about authenticating with user credentials. It is possible that someone can "guess" someone’s OTP and log into someone’s account.

I think that maybe the auth server should append some kind of cookie with a randomly generated UUID to the response for the credentials call? Then the server should validate the existence and correctness of the cookie for the request with the OTP? This way the server would "know" that the user has previously delivered credentials.
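The following is an added example, not code from the original post, showing one way to bind the OTP step to a completed credential step. Instead of a cookie with a bare UUID, the credential endpoint returns an opaque, server-stored "pending MFA" token that is short-lived, single-use, tied to the user it was issued for, and burned after a small number of wrong OTP attempts; the OTP endpoint refuses anything that does not carry such a token. The user store, password salt, TOTP seed and the 300-second / 5-attempt limits are constructed assumptions; the TOTP function follows RFC 6238 with HMAC-SHA1, which is what common authenticator apps generate.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Constructed sample user store. A real server keeps this in a database with a
# per-user random salt and the TOTP seed stored encrypted; values here are fixed
# only so the example runs offline.
_SALT = b"constructed-salt"


def _hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "alice": {
        "pw_hash": _hash_password("correct horse battery staple", _SALT),
        "totp_secret": b"constructed-20-byte-seed",   # assumption: shared with the user's authenticator app
    }
}

PENDING_TTL = 300        # seconds a pending-MFA token stays valid (assumed policy)
MAX_OTP_ATTEMPTS = 5     # wrong OTPs tolerated per pending token before it is burned (assumed policy)
PENDING = {}             # token -> {"user", "expires", "attempts"}; lives only server-side


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def login_step1(username, password, now=None):
    """Credential step. On success returns an opaque pending-MFA token, never a session."""
    now = time.time() if now is None else now
    user = USERS.get(username)
    # Hash even for unknown users so response time does not reveal whether the account exists.
    candidate = _hash_password(password, _SALT)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return None
    token = secrets.token_urlsafe(32)   # unguessable; client sends it back with the OTP
    PENDING[token] = {"user": username, "expires": now + PENDING_TTL, "attempts": 0}
    return token


def login_step2(pending_token, otp, now=None):
    """OTP step. Accepted only with a live pending token that step 1 issued."""
    now = time.time() if now is None else now
    state = PENDING.get(pending_token)
    if state is None:
        return None                     # step 1 never happened, or token already consumed/burned
    if now > state["expires"]:
        del PENDING[pending_token]
        return None                     # expired: the user must present credentials again
    state["attempts"] += 1
    secret = USERS[state["user"]]["totp_secret"]
    # Accept the current 30 s step and one step either side to tolerate clock skew.
    ok = any(hmac.compare_digest(otp, totp(secret, now + d)) for d in (-30, 0, 30))
    if not ok:
        if state["attempts"] >= MAX_OTP_ATTEMPTS:
            del PENDING[pending_token]  # burn it: each password proof buys only a handful of OTP tries
        return None
    del PENDING[pending_token]          # single use: a captured token cannot be replayed
    return {"user": state["user"], "session": secrets.token_urlsafe(32)}


if __name__ == "__main__":
    t = time.time()
    tok = login_step1("alice", "correct horse battery staple", now=t)
    print("step1 token issued:", tok is not None)
    print("OTP without step1 rejected:", login_step2("bogus", "123456", now=t) is None)
    print("correct flow:", login_step2(tok, totp(USERS["alice"]["totp_secret"], t), now=t))
```

The token is what ties the two requests together: the OTP endpoint cannot be reached in isolation, the token maps to exactly one user so an OTP for Alice can never be tried against Bob, and the expiry, single-use and attempt cap together bound how many guesses a 6-digit code can face per successful password check. Whether the client carries the token in an HttpOnly cookie or in a request body is a transport detail; the server-side state and the checks above are what matter.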


