00:00 Okay, it's time to actually verify the two-factor authentication code. So, if I go to my profile here, we've got our two-factor authentication is enabled. So, if I log out and go to login, Cody, Cody loves, well, Cody loves you,

00:18 then it should ask me for my two-factor authentication code. If I generate that here, then we'll paste that here and submit and I should be able to log in. So, let's talk about how this technically works from a flowchart level. So, you might remember this from our last exercise. So, the user enables two-factor authentication.

00:37 Once they do that, let's say that they log out. In the logout process, we unset the session ID. That's how you log out. And so, then the user goes to login. So, we're going to check, does two-factor authentication exist for this account? If it doesn't, then we follow the old logic and everything's fine. But if it does, we're going to set an unverified session ID in the cookie.

00:56 So, we do want to, like, we're still creating the session, but we're going to put that in a special cookie that does not mean that they're logged in. It just is a persistent storage, a place to put the session ID for this user that the user is about to verify. So, we can put that in our verify session as part of one of the things that

01:13 needs to be ultimately verified, some of that data that goes with verifications. So, we set that and then the user goes over to the verify page where they can submit the code. So, they generate the code. And we verify that that code is accurate and correct. And if it is, then we will move the unverified session ID

01:31 into our regular session cookie, just like we do currently with the login process. And that is how we get the user logged in. So, there you go. That is the whole two-factor authentication flow. And that is what you're going to be working on in this exercise. I'm excited for you to go through this.

01:49 It is less scary than you think it is. So, have a good time and we'll see you on the other side.