Best way to do 5-digit email code auth

[benone]

How can I do 5-digit code authorisation? I need to send 5 digit code to users email. Then it should enter it on login page.

Should I redefine generate_email_auth_key_value or there is a better way to do this?

Thank you!

[jeremyevans]

Rodauth doesn't have built in support for that. You should probably use the email_auth feature, which uses much stronger links in the email. Stronger in the sense of much better security, as 5 digit codes are quite weak. It may be possible to customize email_auth to use 5 digit codes instead of links, or to customize the sms_code feature to send the sms_code via email instead of via SMS. However, I would recommend using email_auth as-is.

[jaahoo]

Hi,
could I force user to enter password before sending link via email_auth? Now I can only force_email_auth?
I need to use it as two factor, password + magic link. I know it looks stupid, but that's what the client wants.

[jeremyevans]

Currently, email_auth is not setup to be a second factor after password authentication, but we could add a configuration method to enable that setup.

[doloboyz]

Funny, I was just about to create a post on this. I'm using the following flow:

The issue I'm having is that I can't think of any reasonable way to redirect from an email client into the native in-app browser. Even if temporary email codes may not be as secure as magic links, I think an email_code feature would definitely be worth implementing. Email codes can also be extended as an MFA method or to secure accounts in the event of suspicious logins, as its preferable to totp for some users (Some MFA is better than none). Seems like an ideal solution for native apps or those not looking to use sms authentication.

Auth value methods can include something along the lines of email_code_num_digits and perhaps email_code_max_attempts to prevent brute force attacks. Perhaps also email_code_min_digits set to 4.

If i were to customize email_auth, how would you recommend going about it?

[jeremyevans]

You should probably take a look at how email_auth currently works: https://github.com/jeremyevans/rodauth/blob/master/lib/rodauth/features/email_auth.rb

You should also review the feature documentation: https://rodauth.jeremyevans.net/rdoc/files/doc/email_auth_rdoc.html

Instead of customizing email_auth, you might be better off copying the email_auth feature into an email_codes feature, and then modifying it as appropriate for your needs. You'll want to carefully consider how to handle lockout for such an authentication feature, considering how trivial it is to brute force such codes.

[doloboyz]

Hmm, may just be better to support email_auth and webauthn on web and only webauthn on native clients( Perhaps YubiKey and Apple Sign in). Haven't tried webauthn setup, so I'm not sure if I'll run into similar issues.