Can I use 2FA to implement email confirmation

Hey folks. So if I want to stop spam registrations by limiting the people who sign up to real phone numbers and / or email addresses, can I use 2FA for that? Like a one-time code? And what if they never enter that code? Should I at that point just freeze or completely delete the account, or what is the suggestion here? Best practices?

If you’re really worried about spam registrations, I would use phone numbers and use a 3rd party service to verify they’re not VOIP phones (which are way cheaper to get). The next hard one to get is a phone, and then an email.

For actually writing it, if you decide to go with a 3rd party service for phone number verification then you’d need to write that. However, for starting out, you can use the aws component (here). For actually implementing the multi step sign up, you can see how it was done similarly with sign in 2fa (here).

If they don’t enter the code, and you want to save potential sign up information then keep it otherwise don’t. There might be some people that aren’t spammers that just can’t figure out how to 2fa (depending on your customer base). If you do keep the account, I would toggle the disabled flag for the UserAccount.

For best practices, you could use recaptcha (credit). I based the 3rd party service and phone number idea on openai’s login which could be considered best practice.

Hope you are able to fix your problem soon, and this helps!

Thank you for sharing all this great info Michae. How does all of this wire up to moqui itself though? To me moqui is sort of the black box here. Am I going with the 2FA route / services? Or is it unusable and I should roll my own thing on top of the UserFacade, for example?


If you’re treating Moqui as a black box, it depends on where your login service is. If it’s using a separate node.js or whatever application, then you should create screens there as needed while calling a moqui rest endpoint that you create in your component. In that rest endpoint, you would call a service that takes a phone number and user account id, uses the aws sms (or equivalent service) to send a code to the client. For generating and storing the code I would use the second factor authc service with something like this and this.

Otherwise, if you’re using Moqui screen for login that gets a bit more complicated if you don’t know internal screen stuff. Let me know if you are thinking about doing that.

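The service flow described in the reply above (generate a one-time code for a phone number and user account id, hand it to the SMS sender, keep the account disabled until the code is verified, and decide what to do with signups that never enter it), as an added illustration that is not Moqui code or anything posted in this thread. It is plain Python: the constructed PendingSignup record stands in for the UserAccount row with its disabled flag, the SMS sender is left out, and the TTL, attempt limit and grace period are assumed values.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 10 * 60   # assumed: one-time code is valid for ten minutes
MAX_ATTEMPTS = 5             # assumed: lock the pending signup after this many wrong codes

@dataclass
class PendingSignup:
    """Constructed stand-in for a UserAccount row awaiting verification."""
    user_account_id: str
    phone: str
    code_hash: str
    expires_at: float
    attempts: int = 0
    disabled: bool = True    # stays disabled until the code is verified

def _hash_code(user_account_id: str, code: str) -> str:
    # Persist only a hash bound to the account id: a leaked store does not
    # reveal live codes, and a code cannot be replayed against another account.
    return hashlib.sha256(f"{user_account_id}:{code}".encode()).hexdigest()

def start_signup(user_account_id: str, phone: str, now=None):
    """Create the disabled pending account; the clear-text code is returned
    only so the caller can hand it to the SMS sender, it is never stored."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"   # six digits, zero-padded, CSPRNG
    pending = PendingSignup(user_account_id, phone,
                            _hash_code(user_account_id, code),
                            expires_at=now + CODE_TTL_SECONDS)
    return pending, code

def verify_code(pending: PendingSignup, submitted: str, now=None) -> str:
    """Check a submitted code; returns 'ok', 'expired', 'locked' or 'mismatch'."""
    now = time.time() if now is None else now
    if pending.attempts >= MAX_ATTEMPTS:
        return "locked"
    if now > pending.expires_at:
        return "expired"
    pending.attempts += 1
    expected = _hash_code(pending.user_account_id, submitted)
    if secrets.compare_digest(pending.code_hash, expected):
        pending.disabled = False   # enable the account only on a successful match
        pending.code_hash = ""     # single use: the same code cannot be replayed
        return "ok"
    return "mismatch"

def should_purge(pending: PendingSignup, now: float, grace_seconds: int = 7 * 24 * 3600) -> bool:
    """Retention rule for codes never entered: keep the disabled row for a
    grace period (a real user may come back), then delete it."""
    return pending.disabled and now > pending.expires_at + grace_seconds
```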

Ahh now it’s a bit more clear actually. We have some reusable low level services that both 2FA and my solution can depend on. Nice, thank you for sharing again


Sure, happy to help!