BeaconServers / Beacon-Backend


2FA #10

Open billyb2 opened 3 years ago

billyb2 commented 3 years ago

A good way of verifying that the correct user is logging in is by using 2FA. This makes it so that even if the user's password is compromised, the attacker will need their 2FA code, for which they'd have to compromise either the user's device or their email. The setup of this would involve both the front end with the register and login page, and also having a field for 2FA. Most of the work would be in the backend, verifying 2FA codes.

billyb2 commented 3 years ago

Most likely going to use the OAuth 2.0 protocol. This is a great explanation of how it works.

For the backend, using oauthlib is probably the best idea, it seems to be well respected and maintained.

As for the frontend, I'd assume they'd just have to send the current 6-digit code (don't quote me on that, still learning exactly how OAuth works). However, some clients may deny having OAuth on their account during the signup process. The client would need to make it an optional text box.

billyb2 commented 3 years ago

Apparently OAuth 2.0 requires TLS, meaning both the client and the server have to support TLS (https). :disappointed: