I was working on implementing an OTP strategy in the login process of our web application when I asked myself: should I ask for the OTP token before or after asking for the username/password?
What I generally see with the services I use is that I have to provide the OTP token after they've verified my username/password.
I was wondering if this was just due to user experience decisions or if there was a security aspect to it.