- Overview
- Principle
- Back-end server role
- SMS format
- Generating the one-time code
- Implementation in the mobile application
- Retrieving the one-time code from the SMS
- Verifying the one-time code
- Smart control for mobile applications
Generating and receiving a one-time code
In mobile applications, two-factor authentication is a common method used to verify a user's identity. Generally, a verification code is sent by SMS. You can now retrieve this code directly in your WINDEV Mobile applications. This feature is also available in a specific Smart control.

The following elements are required to set up SMS-based user authentication in a mobile application:
- Back-end server setup.
  This authentication server is used to:
  - verify the user's identity,
  - send the SMS,
  - check the one-time code when it is sent back to the server to perform any post-validation tasks required.
- The mobile application should:
  - Retrieve the code from the SMS.
  - Request the code verification from the back-end server.

Note: There is no specific way to establish communication between the mobile application and the server. One possible solution is to expose a REST API with two endpoints:
- one that receives verification requests with the user details and sends the SMS messages in the expected format.
- one that receives the one-time code received by the application for further processing.

SMS format
The SMS containing the one-time code must meet the following criteria:
- it must not exceed 140 bytes.
- it must contain a one-time code. This code must be a sequence of 4 to 10 digits (at least 6 characters recommended), without separators.
- it must end with an 11-character string identifying your application.

Example:
Authentication code: 123456 HQ+6aVM7NXq

Note: The string at the end of the SMS is a hash string composed of the following elements:
- the application package's name.
- the application's public key certificate.
You can find this string in the Android generation wizard when SMSDetectOneTimeCode is used in the code of the application. You can also generate this string with the keytool command. For more details, see Keytool command.

Generating the one-time code
It's recommended to generate a sequence of 6 to 10 random digits, store it in a database table and associate it with a user ID and an expiration date.

Implementation in the mobile application

Retrieving the one-time code from the SMS
The one-time code received by SMS can be retrieved using SMSDetectOneTimeCode. This function starts listening for incoming SMS messages for 5 minutes. If an SMS containing a one-time code is received during this period, the procedure passed to the function is automatically executed using the received code as a parameter, and detection is stopped.

Verifying the one-time code

Smart control for mobile applications
The "One-time code authentication" Smart control integrates all the functionalities required to implement SMS-based user authentication in your application. This Smart control contains:
- a button to request a one-time code.
  Caution: In the code of this button, you must include the call to the back-end server that will generate and send the code by SMS. This button also triggers SMS detection.
- a set of Edit controls that will contain the digits of the received code.
- a procedure named "VerifyCode", which will verify the code.
  Caution: In the code of this procedure, you must include a call to the back-end authentication server to verify the code.
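
Added example (not code from this documentation or from WINDEV): the back-end side of the "SMS format" and "Generating the one-time code" sections, written in Python. The in-memory SQLite table, the 300-second lifetime, the function names and the one-attempt-per-code policy are assumptions; the application string is the one from the SMS example above.

```python
import hmac
import re
import secrets
import sqlite3
import time

APP_HASH = "HQ+6aVM7NXq"   # 11-character application string from the page's example
TTL_SECONDS = 300          # assumed lifetime; the page only asks for an expiration date

db = sqlite3.connect(":memory:")  # stand-in for the back-end database table
db.execute("CREATE TABLE otp (user_id TEXT PRIMARY KEY, code TEXT, expires_at REAL)")

def generate_code(digits=6):
    """Return `digits` random decimal digits drawn from the OS CSPRNG."""
    if not 6 <= digits <= 10:
        raise ValueError("use 6 to 10 digits")
    return "".join(secrets.choice("0123456789") for _ in range(digits))

def build_sms(code, app_hash=APP_HASH):
    """Build the SMS body and enforce the format rules listed on the page."""
    if not re.fullmatch(r"\d{4,10}", code):
        raise ValueError("code must be 4 to 10 digits without separators")
    if len(app_hash) != 11:
        raise ValueError("application string must be 11 characters")
    sms = f"Authentication code: {code} {app_hash}"  # hash string goes last
    if len(sms.encode("utf-8")) > 140:
        raise ValueError("SMS exceeds 140 bytes")
    return sms

def issue_code(user_id, now=None):
    """Create a code for user_id, replacing any earlier one, and return the SMS text."""
    now = time.time() if now is None else now
    code = generate_code()
    db.execute("INSERT OR REPLACE INTO otp VALUES (?, ?, ?)",
               (user_id, code, now + TTL_SECONDS))
    return build_sms(code)

def verify_code(user_id, submitted, now=None):
    """Accept a code once and before expiry (assumed policy: one attempt per code)."""
    now = time.time() if now is None else now
    row = db.execute("SELECT code, expires_at FROM otp WHERE user_id = ?",
                     (user_id,)).fetchone()
    db.execute("DELETE FROM otp WHERE user_id = ?", (user_id,))  # consumed either way
    if row is None or now > row[1]:
        return False
    # Constant-time comparison avoids leaking how many digits matched.
    return hmac.compare_digest(row[0].encode(), submitted.encode())
```

Deleting the row on every attempt means a mistyped code requires a new SMS; a back end that allows retries needs an attempt counter instead.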