phpsecuritycryptographygoogle-2fa

2FA - how to store login credentials correctly

I'm working on 2FA auth application implementation. Here's the proces:

  1. User enters login and password and submits the form
  2. Login and pass are sent to validate function
  3. Page reloads - if they are correct I store them inside hidden inputs
  4. User enters authentication code
  5. Login, pass and auth code are sent to validate function
  6. If everything is correct user is logged in

My question is:

How to store login and password submitted in step 1 properly? Is it safe to store them as plain text (unencrypted)? Or maybe I should hash them first? Store in the session?

Thanks for ay advice!

Solution

  • Your step 5 is slightly incorrect: you do not need to validate the password a second time. Thus, you do not need to store it anywhere, you only need to keep the login.

    Server-side, you should keep in the user session the authentication status: not logged, in 2fa process, fully logged (maybe with a role such as admin, etc.)

    I believe this diagram from the Symfony Documentation explains it well: diagram explainging two factor authentication

    Final note, if this is not for a private/educationnal purpose only, I encourage you to use a trusted library that might handle most of the process.