This tutorial is great, except that it does NOT require you to enter the verification code to login (as other commenters here have pointed out). As soon as you enter your email and password, you can go to any page on the site. You are logged in at Step 1.
That's easy to fix, you simply add a yes/no field like "Approved" into the users data type after the verification step, and do a condition on every page of the app "when page load" that takes them out or log them out if this "approved" field is no.
@Cocoodla how do you make sure the approved status is reset after reasonable time?
Hey @Tristanyway why would you want the approved status reset? If they did their account right and they get access, the only reasons I would change that is if they cancel the service and stop paying, in which case I would create a workflow to change the approved status to "No" as they click on the cancel button, otherwise I see no reason for doing that.
@Cocoodla hi, no, I meant how do we make sure that the Approved field in the data type is reset on every login, because if after 1st 2fa verification the user is considered as approved in the DB, then they can technically bypass 2fa by just being logged in login form and access directly content as the db considers them as still approved.
@Tristanyway Oh ok, no the verification is only done when they create the account, once the account is created and verified they don't need to verify again, they simply login with their account, on the other hand if they failed to verify their account then the "approved" field stays as "No" and they won't be able to login until verified, you can add workflows on page load that logs them out if the "approved" field is No and etc. Idk if that's your question, otherwise I'm not getting it.
Hey Gaby, This is great! Keep them coming. I love how you explain the build!!
Thanks so much, and I hope they're helpful for you!
Awesome, quick video. Perfect! I’m watching daily now.
Wonderful! That's great to hear!
Hi Gaby,
Tyree here. I've added this feature to my sign-up and login. Besides strengthened security, it also adds a, sort of, polished attribute. Love it.. thank you! Say hi to Kristen please.
Warm regards
That's awesome to hear, Tyree! I hope you're doing well!
This is a complex thing but is well explained and the implementation is great.
I'm glad it was helpful!
Thanks Gabby! Your effort to make such incredible videos makes you special.
I'm so glad to hear that!
great explanation mind blowing awesome fantastic superb marvelous
I hope it was helpful, Harpreet!
I don't think this is right. It logs the user in too soon, allowing the user to bypass the 2-step verification if they surf directly to the other page.
I think the proper approach is a first page that only asks for email. This page sets the 2-step verification login code and time. It then brings up a second page that asks for the 2-step login code and the password. If the user enters both of these correctly, then they are logged in. This should fix the security hole created by the video.
Hey Scott! There are lots of ways you can set it up if you understand the fundamentals of the process!
@coachingnocodeapps Well, yes, except that one way is secure and the other one, the one proposed in this video, introduces a major security flaw.
@ScottSchlimmer not really
@flxoricss9095 No no....it completely does.
where would you store the login codes? custom states?
Great video Gaby, Thanks!
I hope it was helpful, Pedro!
Hi Gabby. The issue I am having is that when I try to resend the code nothing changes on the database, and the previous code just stays the same. How do I rectify this?
Thanks Gaby for this great tutorial. When do you think any user will need this 2 step verification? It will be annoying to use every time a user tries to login!! How can I make this option display if I clear the history or if the user logs in for the first time after enabling the 2 step verification code? Or do you suggest making a condition if the user logs in from a different country? Please advise.
Hi Hassan, great question! It's used for an extra layer of security when logging into accounts. Many sites that require a login offer it these days (for example, Gmail and banking sites). When you show the 2-step login is completely up to you. You can either show it every time the user logs in, or you could save a date 30 days in the future so that they have to use it every 30 days. There are other options as well. If you want to work in your app together, I suggest booking a workshop at coachingnocodeapps.com/the-sprint-method
Great video Gaby, Thanks! Would love to see how you would make this feature a user option.
Thanks for the suggestion, Philip - that's a great idea!
Great Video gabby can u tell me how to make a night and light mode reply to this
Hey there - I just replied to your other comment asking about night & day. The full template is available here: bubble.is/template/night--day-dashboard-1483230673689x173910766879768580. Thanks!
u would do in user data: 2fa? yes/no and then the only when is workflows i.e. send email only when current user's 2fa is yes
Can this be used with auth0? So can it be an extra step prior to posting back to auth0?
Can this also be used if 0auth is hooked up?
Hi Gaby! Thank you, this gave me an idea that I am working on. I am new to Bubble and was thinking about how would you have a new user create an account but then they would need to enter their account number and say zip and then that links to an account that was already in the database with their account info? Have the concept in my head but trouble with building the workflow. Would love a video on this or tips.
I followed each step but when I click continue nothing happens
Is it possible to execute the verification without using a button?
Gaby! Great tutorial. Can you help me understand what this does for user enumeration? More specifically when a user attempts to log-in with an incorrect username (username that does not exist), what is served from Bubble?
Thank you for the tutorial! I'm afraid that this workflow is problematic, because you logged the user in first, and if he changes the url, he could bypass the verification code page and go wherever he wants!
that's the issue I am facing with this approach.
@navneetmishra5349 what I have done:
I created a backend workflow that creates the code and sends the code to the user's phone (I find the user without logging the user in, with "do a changes to" without doing any changes, it just searches the user, then I could refer to it and pass it to the backend)
then in the front end I log the user in if the code is equal and in the time frame.
the only disadvantage is that I must expose the code to the front end (I couldn't conceal it in privacy rules)
This is explainable, but I will like to do a SMS OTP verification. What step would I add to this?
is it possible to make a google authenticator type page? Where the code keeps changing as the timer elapses in real time
What if someone instead of writing verification code just jump to another page? Because in your workflow current user is already loggedin?
Hey there! You'd need to create workflows on your pages or a reusable element to prevent users from skipping over verification
Yes, this is a major security flaw. This video does not create a secure multi-factor authentication. I can't use this on my app.
@ScottSchlimmer all u need is. do every one second when current users 2fa complete is no, go to page index
Thanks for the tutorial! Unfortunately, I'm running into a problem. The verification code is not visible in the email. The email displays everything except the result of step 2 verification and verification expiration even when I don't generate a random string and manually type in a code to send in the email.
How about if I want to do this as a verification upon a user's signup instead of login? Can this work the same as well?
I'm trying to create an email verification upon signup on my app. While I've read that Bubble has its own email confirmation, unfortunately I don't understand how to get it to work. Watching your guide, however, is easier and made me wonder if I can apply this for the workflow of "Sign the user up" aside from login.
HI I have one query. How can we able to check individual text field for a single validation. Example if 6 digit to be validated from each one one digit number or a code (Text).
can we do with OTP verification ?
Gabby, I'm not getting the options at 2:06. I just get New Create a new field
Hi Keith, those are the fields I had created for the User type beforehand. You can see at 1:55. You can either create the fields you need from Data > Data Types or directly from that Create New Field option you mentioned when selecting a value.
@coachingnocodeapps That's the problem. I had created them but they don't appear. My other users but not the database I want
@KANDL95 It sounds like you're not navigating to the right data type initially if you're not seeing the fields. The part of the expression directly before the field value should be of the data type you need. For example, if you're looking for a User's first name, then it would be something like Current User or Search for Users :first item. Those values represent a user record, so a compatible continuation of that expression would be the list of fields for the User type.
@coachingnocodeapps Idk what is going on. I did everything right. It's not giving me the options I need.
@coachingnocodeapps NM. I found it. Thanks Gabby. I thought that the default user was of generic use. Now I see.
great video! how would I make it so that it regenerates every 5 minutes?
Hey there, use a recursive backend workflow
Hey Gaby, nice workflow.
But it's not 100% safe, is it? The user is already logged in after typing in email & password, right? So when they already have a page link from my app, they could just go there instead of typing in the verification code. Or am I missing something here?
My solution would be a status in the User like "verification passed" as a boolean (yes/no field) and only when this field is true I'll make the content on the other pages visible. So I would need to adjust my other pages as well with this 'if-function'/conditional showing. And I would need a logic that this status sets to no after some time/logging out.
Is this right?
You are correct. This will login the user and if they know another page they can navigate there anyway.
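The points raised across these comments (login happening before the code is checked, the "approved" flag needing a reset on every login, and the code being exposed to the front end) can be seen together in a small server-side model. This is an added Python example, not code from the video or from Bubble; every name, the sample account and the timeout values are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # guesses allowed per code (assumed value)

# Constructed sample data. Plain-text password only to keep the sketch short.
USERS = {"ana@example.test": "correct horse"}
SESSIONS = {}       # session token -> per-session state
OUTBOX = []         # stands in for the email/SMS sender


def _digest(code):
    return hashlib.sha256(code.encode()).digest()


def login(email, password, now=None):
    """Step 1: a correct password creates only a *pending* session."""
    now = time.time() if now is None else now
    stored = USERS.get(email)
    if stored is None or not hmac.compare_digest(stored.encode(), password.encode()):
        return None
    code = f"{secrets.randbelow(10**6):06d}"
    token = secrets.token_urlsafe(32)
    # The flag lives on the session, so every new login starts unverified.
    SESSIONS[token] = {"email": email, "mfa_verified": False,
                       "code_hash": _digest(code), "attempts": 0,
                       "expires": now + CODE_TTL}
    OUTBOX.append((email, code))   # the code is never returned to the browser
    return token


def verify_code(token, submitted, now=None):
    """Step 2: compare server-side; codes expire, are single use, rate limited."""
    now = time.time() if now is None else now
    s = SESSIONS.get(token)
    if s is None or s["code_hash"] is None:
        return False
    if now > s["expires"] or s["attempts"] >= MAX_ATTEMPTS:
        s["code_hash"] = None      # burn the code; user must log in again
        return False
    s["attempts"] += 1
    if not hmac.compare_digest(s["code_hash"], _digest(submitted)):
        return False
    s["code_hash"] = None
    s["mfa_verified"] = True
    return True


def can_view(token):
    """Server-side guard for every protected page or data request."""
    s = SESSIONS.get(token)
    return bool(s and s["mfa_verified"])


def logout(token):
    SESSIONS.pop(token, None)
```

The guard runs where the data is served, so skipping the verification page by URL gains nothing: the session exists but `can_view` stays false until the code is verified.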
i have a lot of questions ,
how to add message functionality?
Hey there! I would actually suggest checking out our VIP Membership for this - coachingnocodeapps.com/vip-membership
do you have tutorial on how to verify using SMS?
Hey there, we have a Twilio webinar in our VIP Membership. You can check that out here if you're interested in joining: coachingnocodeapps.com/vip-membership
I'm trying to understand where to start and what platform to use. I know what I want and what features I need. I'm looking for a private social media style layout with a user login that has the ability to upload video, pictures, text. Does Bubble have these abilities?
Yes, you can build all that on Bubble ✅
@coachingnocodeapps
Thanks, still a newbie😜😎.
I'm looking at using merchandise qr codes. I'm sure Bubble has that capability. Trying to figure out what would be necessary. What would be some topics I need to look up, so I can start learning?
Is there a tutorial how to make it work with twilio and sending code via sms?
Hey there! We have a lesson on getting started with Twilio in our VIP Membership (coachingnocodeapps.com/vip-membersip). It's not specific to 2fa, but will give you context on working with Twilio.
Can you help me to get verification code please?
Hi Julia, we're happy to see whether we can help you out! I can't say what's going wrong for you without seeing your app, but you're welcome to check out our resources for getting help with your app: coachingnocodeapps.com/resources
Hey, I'm building a webapp and want to build premium features for paying customers. How can I do this? I thought of building groups and giving access to special pages just to this user group. Sadly I have no idea where to start. Maybe you could help out?
HI want to send a OTP SMS text to verify phone number before collecting email and first and last name any ideas on how to do this
Hi there, I'm actually publishing a lesson for this in the Coaching No Code Apps VIP Membership area. You're welcome to check that out here: www.coachingnocodeapps.com/vip-membership. I hope it helps!
I'm a VIP member but can't find this topic. Can you let me know what I should search for? Or if you haven't uploaded it yet, can you let me know when you will?
@PhenomenalCode hey there! It'll be uploaded soon, and I'll send you an email with the link once it is. Thanks for checking!
Thanks Gaby! Looking forward to it.