I have a web API, which is used by a web application and a mobile application. Currently it uses the standard approach of username and password login. For the sake of simplicity we need to send a user a six digit code through SMS; this code combined with there phone number would grant them access to the API.
Would it be possible to generate a six digit number and let the users login with a combination of this code and their phone number?
I was looking at the possibility of just adding it to the request headers and then handling this in the authentication provider, but I am not sure if there is a best practice I should be following here. Security is of high importance of course.
I could just check the headers in the provider and then have the code act accordingly. I have searched for other examples but have not found anything, so this is more a question for guidance and best approach. The code would have a one day expiration and be stored in database after being hashed.
Again, any suggestions would be most appreciated.