I’m building my own authentication and deciding on the signup/login flow. I would like some security feedback on this type of flow:
- User submits email address.
- 6 character alphanumeric one-time-code is generated and sent to the provided email. OTP is saved in database along with the email and an expiration (5 min).
- User enters the code and is logged in. The user is created if one does not exist.
Is this bad security-wise? Am I missing something? I’m thinking the OTP has an expiration of 5 minutes and a maximum of 3 failed attempts before it is revoked. Is 6 characters enough?
Auth0 seems to have this as well:
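A minimal implementation of the flow described in the post, as an added example (not code from the post or from Auth0): the code comes from a CSPRNG, only its hash is stored, each wrong guess counts against a 3-attempt budget, and expiry, success and revocation all delete the record so a code can never be reused. The uppercase-plus-digits alphabet and the in-memory dict standing in for the database are assumptions.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumptions (not from the post): codes use uppercase letters + digits,
# and the database is stood in for by an in-memory dict keyed by email.
ALPHABET = string.ascii_uppercase + string.digits
CODE_LENGTH = 6
TTL_SECONDS = 5 * 60         # 5-minute expiry, as in the post
MAX_FAILED_ATTEMPTS = 3      # revoked after 3 wrong guesses, as in the post
_store = {}  # email -> {"digest", "expires_at", "failed"}

def _digest(email, code):
    """Store a hash, not the code, so a leaked table does not expose live codes."""
    return hashlib.sha256(f"{email.lower()}:{code}".encode()).hexdigest()

def issue_code(email, now=None):
    """Generate a code with a CSPRNG, persist its digest, and return it for e-mailing."""
    now = time.time() if now is None else now
    code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LENGTH))
    # Re-issuing replaces the old record, so only one code is live per email.
    _store[email.lower()] = {"digest": _digest(email, code),
                             "expires_at": now + TTL_SECONDS, "failed": 0}
    return code

def verify_code(email, submitted, now=None):
    """True and code consumed on success; expired/revoked codes are deleted."""
    now = time.time() if now is None else now
    key = email.lower()
    record = _store.get(key)
    if record is None:
        return False
    if now > record["expires_at"]:
        _store.pop(key, None)
        return False
    if hmac.compare_digest(record["digest"], _digest(email, submitted.strip().upper())):
        _store.pop(key, None)  # one-time use: a verified code is deleted
        return True
    record["failed"] += 1
    if record["failed"] >= MAX_FAILED_ATTEMPTS:
        _store.pop(key, None)  # revoked after the third failure
    return False

def guess_success_probability():
    """Chance of hitting the code within the allowed attempts (36^6 codes, 3 tries)."""
    return MAX_FAILED_ATTEMPTS / (len(ALPHABET) ** CODE_LENGTH)
```

`guess_success_probability()` is the number that answers "is 6 characters enough" once attempts are capped: about 1.4e-9 per code, provided the attempt counter is enforced server-side and the e-mail channel itself is not exposed.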