First of all, great job with this repo. I think 2FA with email is a very crucial feature, and it was nice to see what work has already been done here. I would like to make this repo extremely easy to use for anyone who wants to add 2FA to their project.
Therefore I am suggesting the following improvements, which should make this feature more secure and easier to adjust to different use cases:
- [x] Added time-to-live so the code is only valid for a certain number of seconds
- [x] Added configuration options for the code length and the time-to-live
- [x] Fix #24 by using Keycloak's `SecretGenerator` instead of `ThreadLocalRandom`
Some inspiration regarding the TTL and configurability was taken from this repo https://github.com/stratumn/keycloak-2fa-email-authenticator
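To make the three points above concrete, here is an added illustrative helper (my own example, not code from this PR or from the stratumn repo) showing how a code generated with Keycloak's `SecretGenerator` can be issued with a time-to-live and checked on verification. `SecretGenerator.getInstance().randomString(length, SecretGenerator.DIGITS)` is Keycloak's real API; the class name `EmailOtp`, the config key names and the length bounds are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.time.Clock;
import java.time.Instant;
import org.keycloak.common.util.SecretGenerator;

/**
 * Illustrative e-mail OTP helper (example only, not the project's own code).
 * Demonstrates: CSPRNG-backed code generation, configurable length and TTL,
 * expiry enforced at verification time, constant-time comparison.
 */
public final class EmailOtp {
    // Hypothetical config key names; the PR makes length and TTL configurable but does not name the keys.
    public static final String CONFIG_CODE_LENGTH = "codeLength";
    public static final String CONFIG_TTL_SECONDS = "ttlSeconds";

    private final String code;
    private final Instant expiresAt;

    private EmailOtp(String code, Instant expiresAt) {
        this.code = code;
        this.expiresAt = expiresAt;
    }

    /** Issue a fresh numeric code that expires ttlSeconds after issuance. */
    public static EmailOtp issue(int length, int ttlSeconds, Clock clock) {
        // Bounds are an assumption for the example: too short is guessable, too long is unusable by e-mail.
        if (length < 4 || length > 12) {
            throw new IllegalArgumentException("code length must be between 4 and 12 digits");
        }
        if (ttlSeconds <= 0) {
            throw new IllegalArgumentException("ttl must be positive");
        }
        // SecretGenerator is backed by SecureRandom. ThreadLocalRandom is a non-cryptographic
        // PRNG with a predictable seed and must not be used for authentication secrets.
        String code = SecretGenerator.getInstance().randomString(length, SecretGenerator.DIGITS);
        return new EmailOtp(code, clock.instant().plusSeconds(ttlSeconds));
    }

    /** The value to send by e-mail. Never log it. */
    public String code() {
        return code;
    }

    public Instant expiresAt() {
        return expiresAt;
    }

    /**
     * Returns true only if the submitted value matches and the code has not expired.
     * The expiry check runs first so an expired code can never succeed regardless of its value.
     */
    public boolean verify(String submitted, Clock clock) {
        if (submitted == null) {
            return false;
        }
        if (!clock.instant().isBefore(expiresAt)) {
            return false; // expired: caller should issue a new code rather than retry this one
        }
        // MessageDigest.isEqual is constant-time in input length-equal cases, avoiding timing leaks
        // that String.equals would introduce.
        byte[] expected = code.getBytes(StandardCharsets.UTF_8);
        byte[] actual = submitted.trim().getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, actual);
    }

    // Minimal stand-alone demonstration.
    public static void main(String[] args) {
        Clock clock = Clock.systemUTC();
        EmailOtp otp = EmailOtp.issue(6, 300, clock);
        System.out.println("expires at " + otp.expiresAt());
        System.out.println("correct code accepted: " + otp.verify(otp.code(), clock));
        System.out.println("wrong code rejected: " + !otp.verify("000000", clock));
        // Simulate the clock moving past the TTL: the same correct code is now rejected.
        Clock later = Clock.offset(clock, java.time.Duration.ofSeconds(301));
        System.out.println("expired code rejected: " + !otp.verify(otp.code(), later));
    }
}
```

In an authenticator the code and the expiry timestamp would be persisted on the authentication session (for example via `AuthenticationSessionModel.setAuthNote`) between the form being shown and the form being submitted, and the length and TTL would be read from the authenticator's config map rather than hard-coded. The `Clock` parameter is there so the expiry path can be exercised in tests without sleeping.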