2

I'm not sure about this issue I have, so maybe you can help me. I have build a 2-Step Verification for an android app.

  1. User sends his phone number from the app to the server via https
  2. Server sends authentication code back to user via SMS (based on
    Twilio/PHP)
  3. User receives the code and can authenticate himself on the server

At that point I can be sure that the user is the authenticated owner of the smartphone where the code has been sent.

If the user now restarts his phone and his app afterwards, how can I ensure that this user is still the same authenticated user? Do I have to send some kind of credentials to the server each time based on the authentication code? Is this a safe and proper way to do this?

Thank you and best regards!

Dopser

Dopser
  • 23
  • 2
  • If another user get the phone, you have no way to distinguish by SMS. – Joshua Jul 25 '16 at 09:12
  • Send phone number on each request and match it on server if it is same then user is authenticate if not then again ask for verification as per need .. – ansuman chauhan Jul 25 '16 at 09:31

2 Answers2

0

A token number can be generated (similar to a cookie) which is stored both on the phone as well as the server database. The token number can be the verification code too, if you want to reduce the hassle of keeping track of another number.

You can store this token on your device using sharedpreferences or sqlite database, etc

Storage options on Android

On every onCreate() instance you can check if both the tokens match.

This way you can solve your issue. You can do the same for all consequent activities.

Geet Choubey
  • 1,069
  • 7
  • 23
  • perfect, thank you! :) So my next step will be a token system with synchronized tokens on client and server side, which changes itself in a certific intervall. – Dopser Jul 25 '16 at 11:21
  • I use Google Firebase to fire changes from/to application. Within fraction of seconds the changes are reflected in the application. So you can create a broadcast receiver that logs the user out if the password is changed or token is deleted from the server. Also in Google Firebase, The heartbeat is very low and stacks up the requests when the user is offline. Very helpful I tell you.. ** Most importantly, don't forget to mark the answer correct. I'm counting on votes to reach 50 points so I can post comments :P ** – Geet Choubey Jul 25 '16 at 11:25
  • Thanks now I don't need to answer posts that only need comments :D – Geet Choubey Jul 26 '16 at 05:06
0

The user should send the access token on each request.

You might need to consider the OAuth flow because your flow can be map to an OAuth token authentication. See here http://oauth.net/2/

You need to think about token/code validity in time as well.

Hope this helps.

seyfof
  • 1
  • 1
  • Hi, thank you! I'm not so familiar with OAuth, but in my eyes it seems to be a proper way to ensure authenticated communications betweens services without using the user password itself. Sounds pretty good! – Dopser Jul 25 '16 at 11:45