Phone number login logic

As a user, I can sign in with my phone number and an SMS verification code, so that I can log in more easily.

Security acceptance criteria:

SMS verification codes are valid for two minutes.
Codes consist of six pure digits.
Each phone number can be sent at most one SMS verification code within 60 seconds, and this rule must be enforced on the server side.
The same phone number can have only one valid SMS verification code at any given time.
A verification code stored on the server can be checked at most three times (whether or not the code submitted in the request matches); it is then immediately invalidated to prevent brute-force attacks.
SMS verification codes are never written directly to log files.
Before the SMS verification code is sent, check that a graphical CAPTCHA has been answered correctly (optional).
Integrate a third-party API for login protection (optional).
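As an added example that is not part of the original post, the following minimal in-memory store enforces the server-side criteria above (two-minute validity, one code per number per 60 seconds, six digits, a single valid code per number, at most three checks, no code in the logs). The class name SmsCodeStore, the injectable clock and the in-memory dictionaries are assumptions of this example; a real deployment would keep the same rules but back them with Redis or a database.

```python
import hmac
import logging
import secrets
import time

CODE_TTL = 120          # codes are valid for two minutes
RESEND_INTERVAL = 60    # one code per phone number per 60 seconds
MAX_ATTEMPTS = 3        # a code is invalidated after three checks, match or not

log = logging.getLogger("sms_login")


class SmsCodeStore:
    """In-memory store that enforces the acceptance criteria server-side
    (hypothetical helper; a real deployment would use Redis or a database)."""

    def __init__(self, clock=time.time):
        self._clock = clock     # injectable clock so the rules can be tested offline
        self._last_sent = {}    # phone -> time the last code was sent
        self._codes = {}        # phone -> {"code", "issued", "attempts"}

    def issue(self, phone):
        now = self._clock()
        # the 60-second rate limit is enforced here, never trusted to the client
        if now - self._last_sent.get(phone, float("-inf")) < RESEND_INTERVAL:
            return None
        code = f"{secrets.randbelow(10**6):06d}"  # six pure digits from a CSPRNG
        # only one valid code per number: issuing a new one replaces the old one
        self._codes[phone] = {"code": code, "issued": now, "attempts": 0}
        self._last_sent[phone] = now
        masked = phone[-4:].rjust(len(phone), "*")
        log.info("SMS code issued to %s", masked)  # log the event, never the code
        return code

    def verify(self, phone, submitted):
        entry = self._codes.get(phone)
        if entry is None:
            return False
        if self._clock() - entry["issued"] > CODE_TTL:
            del self._codes[phone]  # expired after two minutes
            return False
        # every check counts, right or wrong; after three the code is dead
        entry["attempts"] += 1
        ok = hmac.compare_digest(entry["code"].encode(), str(submitted).encode())
        if ok or entry["attempts"] >= MAX_ATTEMPTS:
            del self._codes[phone]
        return ok
```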


Source: blog.csdn.net/weixin_33688840/article/details/90978596