具有2因素认证的基本登录系统

Question

我想要实现的

我需要为一个网站创建一个管理小组。因此，我需要一个通过密码保护面板内容的可能性。功能不需要非常高级。我既不需要密码重置功能，也不需要添加多个用户的可能性。我也不需要一个“让我登录”-functionality。

它也是一个相当小的网站，所以我认为安全标准不需要像大公司那样高。

我不能用曲奇做这个项目。这是一个完全“无饼干”的网站。

我已经在堆栈过流上提出了一个关于这个问题的问题，用户罗阿奇特伯格在评论中建议我可以添加层来提高安全性。

因此，我决定通过电子邮件添加2个因素认证。

代码

index.php

Login
            
                
                    
                
            
                
                    
                
            
                
            ";

//Check if form was submitted
if(isset($_POST['login'])) {
    //Documentation: https://www.php.net/manual/de/function.password-verify.php
    $verifyUsername = password_verify($_POST['username'], $username);
    $verifyPassword = password_verify($_POST['password'], $password);

    //Check if user entered correct username and password
    if($verifyUsername && $verifyPassword) {

        //Generate and send OTP
        include "randomCode.php";
        $code = randomCode();
        mail("contact@example.com", "One time code", "Your one time code: " . $code);
        $time = openssl_encrypt(time(),"AES-128-ECB", "****************");
        $code = password_hash($code, PASSWORD_BCRYPT) . $time;

        //Load 2fa screen
        $content = "2-factor-authentication
            
                
                    
                
                
                
            ";
    }

    //Reload login form
    else {
        $content = "Login
                    Wrong username or password!
                    
                        
                            
                        
                    
                        
                            
                        
                    
                        
                    ";
    }
}

//Check if one time code was submitted
if(isset($_POST['2faLogin'])) {

    $time = openssl_decrypt(substr($_POST['code'], 60), "AES-128-ECB", "****************");

    //Did user take too long to enter code (5 minutes)?
    if(!$time || time() - intval($time) > 300) {
        include "randomCode.php";
        $code = randomCode();
        mail("contact@example.com", "One time code", "Your one time code: " . $code);
        $time = openssl_encrypt(time(),"AES-128-ECB", "****************");
        $code = password_hash($code, PASSWORD_BCRYPT) . $time;

        $content = "2-factor-authentication
                    Code invalid! We've sent you a new mail.
                    
                        
                            
                        
                        
                        
                    ";
    }

    //Did user was too fast (10 seconds)?
    else if(time() - intval($time) < 10) {
        $code = $_POST['code'];
        $content = "2-factor-authentication
                    That was a bit too fast.
                    
                        
                            
                        
                        
                        
                    ";
    }

    //Time is ok
    else {
        $verify = password_verify($_POST['2fa'], substr($_POST['code'], 0, 60));

        //Verify OTP failed
        if(!$verify) {
            $code = $_POST['code'];
            $content = "2-factor-authentication
                    Entered wrong code!
                    
                        
                            
                        
                        
                        
                    ";
        }
        //Verified OTP successfully
        else {
            $content = "Welcome!Content here...";
        }
    }

}
?>




    
        John Doe

randomCode.php

问题

欢迎所有建议。我特别感兴趣的是这个代码的安全性，以及如何进一步改进它。

Answer 1