I am a Flutter developer using mobile number OTP for login/sign-in authentication, which leads to high costs due to frequent OTP sending. I want users to remain logged in unless they choose to log out and log in again. Since the app is in production, I need a secure solution for this.
asked Mar 25 at 16:08 by Ragul PR
- Please read: android-developers.googleblog/2017/04/… – Morrison Chang Commented Mar 25 at 16:17
- The answer would depend on the API's authentication mechanism. What does the API use? How are you logging in the user (do you have some Authentication service or maybe it's Firebase Auth)? Is it a JWT-based authentication system? What exactly happens when you are using OTP to sign in? – ParaPsychic Commented Mar 25 at 18:07
- Are you able to figure out why the users are not staying signed in? – Victor Eronmosele Commented Mar 26 at 0:56
- @ParaPsychic I'm using a JWT-based authentication system – Ragul PR Commented Mar 26 at 4:15
- @VictorEronmosele I'm storing the token in localstorage; when the user uninstalls the app, it will get erased. So eventually it will be in a logged-out state when the user installs the app. – Ragul PR Commented Mar 26 at 4:16
2 Answers
You need to save the user's device ID information to the database. Only when they call the logout API will they log out; otherwise, when they open the app, you check whether that device ID is recorded as logged in on the database.
These are my suggestions for addressing OTP login/sign-in authentication and the cost concerns.
You may consider the following criteria:
- Using device ID
- Implementing shared_preferences or flutter_secure_storage
- Enforcing a one-time login, even after the app restarts, unless they choose to log out.
- It is device-specific, so it varies if the user uses other device(s).
These are the steps you could use:
Upon sign-up or successful login:
You can collect their device ID (of course, disclose in your data privacy agreement that you're collecting their device ID). Save it in your database.
After they restart or even reinstall your app, check their device ID, and if it matches, you may log them in automatically (depending on your conditions).
You probably have to consider some business logic concerns (it's totally up to you or your use case).
To read more: How to get unique device id in flutter?
Save the login session through shared_preferences or flutter_secure_storage
I strongly recommend using flutter_secure_storage because it offers more secure encoding of local data.
The logic is almost the same as using the device ID, but the key differences are:
- You can use the client's device as an alternative database for enforcing the authentication mechanism (but it could introduce security issues).
- It isn't applicable when the app data is cleared.
- It isn't applicable when the app is reinstalled.
Moreover, the code logic is pretty simple: if you're using the go_router package, then you have to implement the authentication logic in the initialLocation widget class path, where in the initState() method you may validate whether the user is currently logged in or not (I bet there are other alternative approaches, so I hope somebody will correct or improve this part if found necessary).
In terms of cost concerns, why wouldn't you implement a count limit per user on OTP code requests?
For example:
On a daily basis, they can request an OTP code a maximum of 5 or 10 times, and the count resets the next day.
Or on an hourly basis, where you check whether they're rushing OTP code requests (e.g., 5 or 10 attempts) within one hour. They can request a code again after an hour-long cool down (or whatever you call it).
Always encrypt user data such as the device ID if you choose to collect it, even the local user data (if it's retained on their device), especially if it's sensitive data.
EDIT: Addressing Currently Encountered Issues
Firstly, I'll quote:
I'm storing the token in localstorage; when the user uninstalls the app, it will get erased. So eventually it will be in a logged-out state when the user installs the app.
You can apply a mechanism where, if it doesn't exist or is null, you then check another piece of user-specific data such as the user's device ID.
However, it isn't good practice to automatically log in the user based on a single standalone piece of authentication data. Why don't you add an alternative sign-in option?
Such as google_sign_in and local_auth, but it seems I should recommend firebase_auth, because, according to the official documentation of Firebase Authentication:
Firebase Authentication provides backend services, easy-to-use SDKs, and ready-made UI libraries to authenticate users to your app. It supports authentication using passwords, phone numbers, popular federated identity providers like Google, Facebook and Twitter, and more.
Therefore, you'll have these sets of authentication methods:
- JWT-based authentication system
- Device ID
- OTP
- Google Sign-in (Recommended: Firebase Authentication)
- Biometrics
- Username and password as well, I guess
I think these approaches would resolve the cost constraints and user authentication challenges.
I hope this helps!
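The per-hour and per-day OTP request caps suggested in the answer above, worked through as an added example (server-side Python, not code from the answer or from the asker's app). The in-memory dict standing in for Redis or a database table, the cap values and the sample phone numbers are all assumptions.

```python
"""Server-side limiter for OTP send requests.

Caps how many OTP codes one account (phone number) may request per rolling
hour and per rolling day, and tells the caller how long to wait when a cap
is hit. The in-memory dict is a stand-in for Redis or a database table
(assumption for this example).
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

HOUR = 3600
DAY = 24 * HOUR


@dataclass
class OtpRequestLimiter:
    hourly_cap: int = 5            # e.g. 5 codes per rolling hour
    daily_cap: int = 10            # e.g. 10 codes per rolling day
    _log: Dict[str, List[float]] = field(default_factory=lambda: defaultdict(list))

    def _prune(self, phone: str, now: float) -> List[float]:
        # Drop request timestamps older than the longest window we track.
        kept = [t for t in self._log[phone] if now - t < DAY]
        self._log[phone] = kept
        return kept

    def check(self, phone: str, now: float) -> Tuple[bool, int]:
        """Return (allowed, retry_after_seconds) without recording a request."""
        recent = self._prune(phone, now)
        last_hour = [t for t in recent if now - t < HOUR]
        if len(last_hour) >= self.hourly_cap:
            # Cool down until the oldest request in the hour window expires.
            return False, int(HOUR - (now - last_hour[0])) + 1
        if len(recent) >= self.daily_cap:
            return False, int(DAY - (now - recent[0])) + 1
        return True, 0

    def request(self, phone: str, now: float) -> Tuple[bool, int]:
        """Record an OTP send if allowed; the caller only sends the SMS on True."""
        allowed, retry_after = self.check(phone, now)
        if allowed:
            self._log[phone].append(now)
        return allowed, retry_after
```

Call `request()` from the OTP endpoint before handing the message to the SMS provider, and return the `retry_after` value to the client so it can show the cool-down instead of retrying.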