Step 1: Validate Access Code
Purpose
Validates that users control one of their registered communication channels (email or SMS) by requiring them to enter a verification code sent to that channel.
Step Execution Context
When This Step is Required
- First Factor Failure: User has not successfully validated their first factor
- Secure Cookie Scenario: User's first factor was based on Secure Cookie only
- Configuration Dependent: System configuration determines if step can be skipped
When This Step Can Be Skipped
- Successful First Factor: User successfully completed first factor authentication
- Configuration Override: System configuration allows step bypass
Access Code Validation Process
Code Generation and Delivery
- Channel Selection: System determines available communication channels (email/SMS)
- Code Generation: 6-digit numeric verification code created
- Code Delivery: Code sent via email or SMS to registered address/number
- User Notification: User informed that code has been sent
Access Code Validation Screen
Access Code Handling
Code Source Priority
| Code Source | Priority | Description |
|---|---|---|
| Pre-generated Code | 1st | Use existing code stored on user profile |
| Generated Code | 2nd | Generate new code if none exists |
| No Code Available | Error | Error shown if code generation disabled |
Code Generation Logic
Security Features
User Existence Handling
- Non-existent Users: System still asks for access code but validation will fail
- Deleted Users: Users in DELETED status cannot successfully validate
- Privacy Protection: Same interface shown regardless of user existence
- Security Measure: Prevents user enumeration attacks
Validation Security
- Time Limits: Codes expire after configurable time period
- Attempt Limits: Limited number of validation attempts allowed
- Rate Limiting: Prevents brute force attacks on codes
- Single Use: Each code can only be used once successfully
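The checks listed above, as an added example in Python that is not the product's own code: a code store that enforces expiry, an attempt limit and single use, and returns the same plain failure for unknown users. The class name, the 300-second lifetime and the limit of 5 attempts are assumptions; the page only says these are configurable.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL_SECONDS = 300   # assumed value; the page only says "configurable"
MAX_ATTEMPTS = 5         # assumed value; the page only says "limited"


class AccessCodeStore:
    """Hypothetical in-memory store; a real system would persist this per user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> [code_hash, expires_at, attempts_left]

    @staticmethod
    def _hash(code):
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id):
        # secrets draws from the OS CSPRNG; zero-pad so every code has 6 digits.
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + CODE_TTL_SECONDS
        self._pending[user_id] = [self._hash(code), expires_at, MAX_ATTEMPTS]
        return code  # handed to the email/SMS sender, never shown in the UI

    def validate(self, user_id, submitted):
        entry = self._pending.get(user_id)
        # Unknown users are compared against a dummy hash so the work done and
        # the result (plain False) match those of a wrong code.
        stored, expires_at, attempts_left = entry or (self._hash("dummy"), 0.0, 0)
        matches = hmac.compare_digest(stored, self._hash(submitted))
        if entry is None:
            return False
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user_id]      # expired or locked out
            return False
        if not matches:
            entry[2] -= 1                   # count the failed attempt
            return False
        del self._pending[user_id]          # single use: consume on success
        return True
```

The caller should show the same response for every `False`, so the reason for a failure (unknown user, expired, locked out, wrong code) is not disclosed.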
Validation Flow
Successful Validation
Failed Validation
Communication Channel Details
Email Delivery
- Email Content: Professional email with 6-digit code
- Delivery Time: Usually within 1-2 minutes
- Spam Considerations: Users advised to check spam folders
- Format: Clear, easy-to-read code presentation
SMS Delivery
- SMS Content: Simple text message with verification code
- Delivery Time: Usually within 30 seconds to 2 minutes
- Carrier Compatibility: Works with major mobile carriers
- Format: Optimized for SMS length constraints
Important Step Notes
Configuration Dependencies
- Channel Availability: User must have registered email or mobile number
- Service Configuration: Email/SMS services must be properly configured
- Generation Settings: Code generation must be enabled in system
- Bypass Rules: Configuration determines when step can be skipped
Error Scenarios
- No Registered Channels: User has no email or mobile number registered
- Service Outages: Email or SMS services temporarily unavailable
- Delivery Failures: Network issues preventing code delivery
- Configuration Issues: System misconfiguration preventing code generation
