Blog | G5 Cyber Security

Secure Login: Unique Links & Date of Birth

TL;DR

This guide shows how to make logging in more secure by e-mailing each user a one-time login link and then asking for their date of birth as an extra check. An attacker then needs control of the user’s mailbox as well as their date of birth, rather than just a password. Keep in mind that a date of birth is a weak secret (short, guessable and often public), so it is a rate-limited speed bump, not a full second factor.

Improving Login Security

We’ll combine two methods: one-time login links sent by e-mail and a date-of-birth verification step. The link ties each login to access to the user’s mailbox, which is stronger than a password alone; the date of birth adds a small extra hurdle and only helps if failed attempts are limited.

Step 1: Generating Unique Login Links

  1. Create a Token: When a user requests to log in, generate a random, unique token with a cryptographically secure generator (in PHP, random_bytes(), never rand() or uniqid()); 32 random bytes, hex-encoded, is plenty. This token will be part of the login link.
  2. Store the Token: Save a hash of the token (e.g., SHA-256) in your database rather than the token itself, linked to the user’s account and with an expiry time (e.g., 30 minutes). Include a ‘used’ flag set to false initially. Storing only the hash means that someone who reads the database still cannot build a working login link.
  3. Create the Link: Build an HTTPS login link including the token. For example:
    https://yourwebsite.com/login?token=abcdef1234567890
  4. Send the Email: Email the user this unique link. The email should clearly state it’s a one-time login link and will expire soon. Respond to the login request in the same way whether or not the address belongs to an account, so the form cannot be used to enumerate users.

Step 2: Verifying the Login Link

  1. Receive the Request: When a user clicks the link, your website receives the request with the token in the URL.
  2. Validate the Token: Hash the submitted token, look the hash up in your database, and check that it hasn’t expired or been used already. Do the lookup and the mark-as-used in one atomic update so that two requests racing on the same link cannot both succeed.
  3. If Valid: Mark the token as ‘used’ in the database and regenerate the session ID before treating the session as authenticated. Because the token sits in a URL, prefer a confirmation page with a button that submits the token by POST over logging in on the bare GET: link-scanning mail filters and prefetchers otherwise consume the link before the user sees it, and GET URLs end up in proxy and server logs.
  4. If Invalid: Show one generic error message saying the link is invalid or has expired; do not reveal whether the token was unknown, expired or already used.

Step 3: Adding Date of Birth Verification

  1. Collect Date of Birth: After the user clicks the login link (and *before* fully logging them in), present a form asking for their date of birth. Tie the form to the validated token (for example, through short-lived server-side session state) so this step cannot be reached without a valid link.
  2. Verify Against Stored Data: Compare the entered date of birth with the one stored in your database during account creation. Be careful about formatting – store dates consistently (e.g., YYYY-MM-DD) and reject submissions that are not in that format before comparing.
  3. If Matches: Log the user in.
  4. If Doesn’t Match: Show an error message and allow them to re-enter their date of birth. Limit attempts (for example, three per token) and invalidate the token when the limit is reached: a date of birth has only a few tens of thousands of plausible values, so an unlimited retry loop would be brute-forced quickly.

Step 4: Security Considerations

Step 5: Example Code Snippet (PHP – Token Generation)
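The token-generation snippet originally published under this heading is not present on the page. The following is an added example, not the original code, implementing Steps 1 and 2 in PHP with PDO. It assumes a `login_tokens` table with columns `user_id`, `token_hash`, `expires_at` and `used` (names chosen here), and it runs stand-alone against an in-memory SQLite database constructed at the bottom of the script.

```php
<?php
// Added example for Steps 1 and 2; not the snippet originally published with
// this page. Assumptions: a PDO connection in $pdo and a table
// login_tokens(user_id, token_hash, expires_at, used). Requires PHP 7.1+.
declare(strict_types=1);

const TOKEN_TTL_SECONDS = 30 * 60; // 30-minute expiry, as in Step 1

// Step 1: generate a token, store only its hash, and return the link to e-mail.
function createLoginLink(PDO $pdo, int $userId, string $baseUrl): string
{
    // 32 bytes from the CSPRNG (256 bits): unguessable, unlike uniqid() or rand().
    $token = bin2hex(random_bytes(32));

    // Store a hash, so a leaked database table does not yield working links.
    // A fast hash is fine here because the token itself is high-entropy.
    $tokenHash = hash('sha256', $token);
    $expiresAt = gmdate('Y-m-d H:i:s', time() + TOKEN_TTL_SECONDS);

    $stmt = $pdo->prepare(
        'INSERT INTO login_tokens (user_id, token_hash, expires_at, used)
         VALUES (:user_id, :token_hash, :expires_at, 0)'
    );
    $stmt->execute([
        ':user_id'    => $userId,
        ':token_hash' => $tokenHash,
        ':expires_at' => $expiresAt,
    ]);

    // The raw token exists only in the e-mail and the URL, never at rest.
    return $baseUrl . '/login?token=' . $token;
}

// Step 2: validate the token from the URL. Returns the user id, or null if the
// token is malformed, unknown, expired or already used (one message for all four).
function consumeLoginToken(PDO $pdo, string $token): ?int
{
    // Cheap shape check before touching the database: 64 lowercase hex chars.
    if (preg_match('/^[0-9a-f]{64}$/', $token) !== 1) {
        return null;
    }
    $tokenHash = hash('sha256', $token);

    // Flip used=0 to used=1 in one statement, so two requests racing on the same
    // link cannot both succeed; the WHERE clause also enforces the expiry.
    $stmt = $pdo->prepare(
        'UPDATE login_tokens SET used = 1
          WHERE token_hash = :token_hash AND used = 0 AND expires_at > :now'
    );
    $stmt->execute([
        ':token_hash' => $tokenHash,
        ':now'        => gmdate('Y-m-d H:i:s'),
    ]);
    if ($stmt->rowCount() !== 1) {
        return null;
    }

    $lookup = $pdo->prepare('SELECT user_id FROM login_tokens WHERE token_hash = :token_hash');
    $lookup->execute([':token_hash' => $tokenHash]);
    $userId = $lookup->fetchColumn();
    return $userId === false ? null : (int) $userId;
}

// Stand-alone demo on an in-memory SQLite database (constructed here; a real
// deployment would use its own schema and connection).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE login_tokens (
    user_id INTEGER NOT NULL, token_hash TEXT PRIMARY KEY,
    expires_at TEXT NOT NULL, used INTEGER NOT NULL DEFAULT 0)');

$link = createLoginLink($pdo, 42, 'https://yourwebsite.com');
parse_str((string) parse_url($link, PHP_URL_QUERY), $query);

var_dump(consumeLoginToken($pdo, $query['token']));  // first click on the link
var_dump(consumeLoginToken($pdo, $query['token']));  // the same link again
var_dump(consumeLoginToken($pdo, 'not-a-token'));    // malformed token
```

In the demo, consumeLoginToken() returns the user id (42) on the first call, null when the same link is presented a second time, and null for the malformed token. After a successful check, call session_regenerate_id(true) before marking the session as authenticated, then continue to the date-of-birth step; the single generic failure path means the response does not tell a caller which of the four checks failed.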

Step 6: Example Code Snippet (PHP – Date of Birth Verification)

<?php
// Step 3: compare the submitted date of birth with the one stored at sign-up.
// $user is the account identified by the login token; it is assumed to hold
// the stored value in $user->date_of_birth as YYYY-MM-DD.
$submitted_dob = $_POST['date_of_birth'] ?? '';
$stored_dob    = $user->date_of_birth;

// Accept only the YYYY-MM-DD form the date input submits, then compare in
// constant time; hash_equals() returns false on any mismatch.
$well_formed = preg_match('/^\d{4}-\d{2}-\d{2}$/', $submitted_dob) === 1;

if ($well_formed && hash_equals($stored_dob, $submitted_dob)) {
  // Log the user in
} else {
  // Show error message and count the failed attempt toward a lockout
}
?>