Two-Factor Authentication
Page Purpose: Verify 2FA code for login completion.
User Context: User with 2FA enabled who entered correct password.
Next Steps: After verification → User Dashboard (role-based)
Enter Verification Code
Alternative Verification Methods
Recovery Code Entry
Form Validation
Client-side validation:
Code: Required, exactly 6 digits
Only numeric characters allowed
Server-side validation:
Code matches TOTP (Time-based One-Time Password)
Code has not been used (prevent replay attacks)
Allow time window of ±30 seconds
Rate limiting (max 5 attempts per 15 minutes)
Error messages:
"Invalid verification code"
"Verification code has expired"
"Too many failed attempts - please try again later"
Security Flow
User enters email/password on login page
System checks if 2FA is enabled for user
User redirected to this 2FA verification page
User enters code from authenticator app
System validates TOTP code
If valid: Complete login and create session
If invalid: Show error, allow retry (up to limit)
Data Model
AspNetUsers Table Fields Used:
TwoFactorEnabled (must be true)
PhoneNumber (if SMS verification enabled)
Two-Factor Setup:
Shared secret key (encrypted, stored in database)
Recovery codes (hashed, stored in database)
Backup methods (SMS, email) configuration
Verification Tracking:
Failed attempts count
Last attempt timestamp
Used codes (to prevent replay)
Recovery Codes
About Recovery Codes:
Generated when 2FA is first enabled (typically 10 codes)
Each code can only be used once
Used when authenticator app is unavailable
User should store codes securely
New codes can be generated from 2FA settings
Security Features
TOTP Standard: RFC 6238 compliant
Time Window: 30-second intervals with ±1 window tolerance
Rate Limiting: Prevents brute force attacks
Account Lockout: Temporary lockout after failed attempts
Replay Prevention: Tracks used codes
Backup Methods: Multiple verification options
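The server-side rules under Form Validation and the Security Features list above amount to an RFC 6238 check with ±1 step tolerance, replay tracking of accepted codes, and a limit of 5 failed attempts per 15 minutes. The Python below is an added illustration of those rules, not code from this wireframe or from the ASP.NET application it describes; the TwoFactorVerifier class, its in-memory tracking, and the 10-step look-back used to tell a stale but genuine code from a wrong guess are assumptions.

```python
import hmac
import hashlib
import struct

STEP = 30               # RFC 6238 time step in seconds
DIGITS = 6
WINDOW = 1              # accept steps T-1, T, T+1 (the page's ±30 s tolerance)
EXPIRED_LOOKBACK = 10   # assumed: older matches (up to 5 min) get the "expired" message
MAX_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60

def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def totp(secret: bytes, now: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP)

class TwoFactorVerifier:
    """Server-side checks from the wireframe: format, rate limit, TOTP match, replay."""
    def __init__(self):
        self.failed = {}   # user -> timestamps of recent failed attempts
        self.used = set()  # (user, counter) pairs already accepted once

    def verify(self, user: str, secret: bytes, submitted: str, now: int) -> str:
        if len(submitted) != DIGITS or not submitted.isdigit():
            return "Invalid verification code"
        recent = [t for t in self.failed.get(user, []) if now - t < LOCKOUT_SECONDS]
        self.failed[user] = recent
        if len(recent) >= MAX_ATTEMPTS:
            return "Too many failed attempts - please try again later"
        counter = now // STEP
        for c in range(counter - WINDOW, counter + WINDOW + 1):
            if hmac.compare_digest(hotp(secret, c), submitted):
                if (user, c) in self.used:   # replay of an already-accepted code
                    break
                self.used.add((user, c))
                return "OK"
        else:
            # Not in the window: distinguish a stale-but-genuine code from a guess.
            for c in range(counter - WINDOW - 1, counter - EXPIRED_LOOKBACK - 1, -1):
                if hmac.compare_digest(hotp(secret, c), submitted):
                    recent.append(now)
                    return "Verification code has expired"
        recent.append(now)
        return "Invalid verification code"
```

The `hotp` function reproduces the RFC 6238 SHA-1 test vectors (secret `12345678901234567890`, T=59 gives 287082), which is a quick way to confirm the implementation before wiring it to stored secrets.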
User Experience Notes
Auto-focus on code input field
Auto-submit when 6 digits entered
Show countdown timer for code validity
Provide "Remember this device" option (30 days)
Clear instructions for new users