
Two-factor Authentication with Rails - tortilla
https://moocode.com/posts/2-two-factor-authentication-with-rails
======
tptacek
This uses rand() to generate a one-time authentication code. rand() is
insecure; you should assume that an attacker can set up conditions where its
output is predictable. Use ActiveSupport::SecureRandom instead.

Also, why does this implementation need its own special cookie? Why not just
do the (minimal) housekeeping this requires in the Rails session? Magic
cookies are usually a code smell.

------
moomerman
Thanks for the tip on rand(), will update the code.

This uses another cookie because it is permanent. The standard Rails session
cookie ends at the end of the session so isn't acceptable here.
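
Added example, not part of the thread or of the linked post's code: a Ruby sketch of the rand() point raised above, showing that a seeded Mersenne Twister generator reproduces the same "one-time" codes, next to a CSPRNG-backed generator. It assumes a 6-digit code and uses Ruby's standard-library SecureRandom so it runs without Rails; the method names and the seed are constructed for illustration.

```ruby
require 'securerandom'

CODE_DIGITS = 6 # assumed code length; the thread does not state one

# Weak form: Kernel#rand and Random are a Mersenne Twister. Every output is
# a deterministic function of the seed, so the codes are only as secret as
# the generator state.
def weak_code(prng)
  format("%0#{CODE_DIGITS}d", prng.rand(10**CODE_DIGITS))
end

# Hardened form: SecureRandom draws from the operating system's CSPRNG, so
# earlier codes give no information about later ones.
def secure_code
  format("%0#{CODE_DIGITS}d", SecureRandom.random_number(10**CODE_DIGITS))
end

# Produce `count` codes from a generator started at a given seed.
def weak_codes_for_seed(seed, count)
  prng = Random.new(seed)
  Array.new(count) { weak_code(prng) }
end

CONSTRUCTED_SEED = 20_100_101 # constructed sample value, not from the page

# Two independent generators with the same state emit identical sequences,
# which is why a non-cryptographic PRNG is unsuitable for authentication codes.
SERVER_CODES   = weak_codes_for_seed(CONSTRUCTED_SEED, 3)
REPLAYED_CODES = weak_codes_for_seed(CONSTRUCTED_SEED, 3)

puts "seeded PRNG codes:   #{SERVER_CODES.inspect}"
puts "same seed, replayed: #{REPLAYED_CODES.inspect}"
puts "CSPRNG code:         #{secure_code}"
```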

