I would strongly recommend moving the authentication state away from client-side storage like `localStorage`.

Client-side storage like `localStorage` and `sessionStorage` can be manipulated easily by users, which is why relying on them for sensitive information like authentication status is not secure.

My opinion, if you're starting, try implementing cookies for 2FA AuthManagement.

After successful completion of first-layer authentication, set a flag like `is2FAPending` and set it to `true` in `initialState`. This should be set in the backend cookies. Then redirect to the 2FA page.

I don't know the backend technology you're using, but if you are using Express.js, you can set the cookie inside `session()`.

You can refer to this guide to set up:
https://www.geeksforgeeks.org/how-to-manage-sessions-and-cookies-in-express-js/

After successful completion of 2FA, set the flag to `false` and redirect to a Protected Layout which sends a request and checks the cookie/session for the state of `is2FAPending == false/true`.

Hope this answers your question!