Which practices should I use while generating SMS codes for auth on my project?

Am I using a good algo? Maybe I need to use something better?

Which generator is being used by Math.random()?

Have a look at the footnote on that Mozilla page:

Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security.

Will it increase security if I check the codes sent in the last {$n} minutes from the DB and regenerate another one if it is the same (the brute same-code-twice case), so the user always gets random codes like 5941-2862-1873-3855-2987 and never a 1023-1023-2525-2525-3733-3733 case? I understand that the chance is low, but anyway…

No. You shouldn’t try to make numbers “more random” by avoiding repetitions. It’s a property of random numbers that there is a chance the next one will be the same as the previous one, and that’s OK. You would actually weaken it by discarding those $n last codes.

I would actually try to implement HOTP / TOTP for the SMS codes. You don’t really need to; a random number would do, but that way you could easily move users from SMS authentication to local-app authentication, with no changes to the verifier code.