by ADuckOnQuack
1886 days ago
You could store the phone number in hashed form and require the user to enter their phone number for the one-time text every time they log in. If the hashed phone number matches the hash you have stored for the user account, then send the verification text and let the user enter that to complete login. This way you can use a phone number for verification while not actually storing the phone number. You do run into the issue that getting ahold of extra phone numbers is fairly trivial, so you can’t really rely on phone numbers alone to keep bad actors out.
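The flow described in the comment above, as an added example that is not part of the original post. It assumes PBKDF2 with a per-account salt as the hash, a digits-only normalization of the number, and a hypothetical `send_sms` callback; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 200_000  # assumption: tune to your own hardware


def normalize(phone):
    """Keep digits only so differently formatted entries hash alike."""
    return "".join(ch for ch in phone if ch.isdigit()).encode()


def hash_phone(phone, salt):
    # Phone numbers are a small search space, so this uses a salted,
    # slow KDF instead of a bare fast hash.
    return hashlib.pbkdf2_hmac("sha256", normalize(phone), salt, ITERATIONS)


def enroll(phone):
    """Return what is stored for the account: salt and digest, no number."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "digest": hash_phone(phone, salt)}


def begin_login(record, entered_phone, send_sms):
    """If the entered number matches the stored hash, text a one-time code."""
    candidate = hash_phone(entered_phone, record["salt"])
    if not hmac.compare_digest(candidate, record["digest"]):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    send_sms(entered_phone, code)  # the number is held in memory only
    return {"code": code, "used": False}


def finish_login(pending, entered_code):
    """Accept one attempt per code, compared in constant time."""
    if pending["used"]:
        return False
    pending["used"] = True
    return hmac.compare_digest(pending["code"].encode(), entered_code.encode())
```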