Where should the two-factor authentication process be?

Time:04-14

I want to know whether I should process two-factor authentication on the client or on the backend.

For example, I request an SMS on the client, and if the user enters the correct code, then I ask the backend to complete registration. Or I use the backend to process it: the backend requests the SMS and checks whether the code is correct or not.

I think on the backend it's more secure, but I'm not sure.

CodePudding user response:

Short answer: in the backend. Always, always process the authentication in the backend.

If you are processing the authentication on the client side then you open yourself up to client-side bypass attacks. This is as true for MFA as it is for simple (username / password) authentication. The client must always pass the user input (in this case the code from the SMS) to the backend for validation.

There is a lot of great information about this on the OWASP site around Insecure Authentication.
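To make the answer concrete, here is an added example (not code from the original post) of the backend side of the flow: the server generates the SMS code, keeps a keyed hash of it with an expiry and an attempt counter, and is the only party that decides whether a submitted code is valid; the client just forwards what the user typed. The in-memory dict, the server secret and the `send_sms` hook are constructed stand-ins for a real store, key management and SMS provider.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # code is valid for five minutes
MAX_ATTEMPTS = 5         # challenge is dead after this many wrong guesses

# Constructed stand-ins: a real service uses a database/cache and a managed key.
_SERVER_SECRET = secrets.token_bytes(32)
_challenges = {}         # session_id -> {"mac", "expires", "attempts"}
sent_sms = []            # records (phone, code) that "left" via SMS; test hook


def send_sms(phone, code):
    """Hypothetical SMS hook; a real deployment calls the provider here."""
    sent_sms.append((phone, code))


def _mac(code):
    # Keyed hash: a dumped store without the server key reveals nothing useful.
    return hmac.new(_SERVER_SECRET, code.encode(), hashlib.sha256).digest()


def issue_code(session_id, phone, now):
    """Backend generates the code; only the SMS channel carries it to the user."""
    code = f"{secrets.randbelow(10**6):06d}"
    _challenges[session_id] = {
        "mac": _mac(code),
        "expires": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    send_sms(phone, code)


def verify_code(session_id, submitted, now):
    """Backend decides. Expired, exhausted or missing challenges always fail."""
    ch = _challenges.get(session_id)
    if ch is None or now > ch["expires"] or ch["attempts"] >= MAX_ATTEMPTS:
        return False
    ch["attempts"] += 1                       # counted before comparing
    ok = hmac.compare_digest(ch["mac"], _mac(submitted))
    if ok:
        del _challenges[session_id]           # single use: no replay of a good code
    return ok
```

Registration (or login) proceeds only when `verify_code` returns True on the server; nothing the client computes is trusted.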
