We have an MVC application in which we need to do a security check before we let a user start using the system. The use case is below:
We have a Company table which stores valid IP addresses (also ranges). A company has associated users. If a user logs in from an unidentified email address, we need to make sure that the user is still working for the corresponding company. Therefore, we use the company email address to validate the user.
I have 2 ways to implement this:
1) Generate a token and send a link with the token as a query string to the user. When the user clicks on this link, I will validate the user for a certain period of time (1 day).
2) Send a 6-digit number to the user's email when the user successfully logs in, and ask the user to enter that PIN. If the PIN is valid, then validate the user.
I have recently seen many big companies using PIN numbers and your mobile number. That made me think that the second method is more secure than the first one (I have no facts, only an assumption). Is that true?
Which one of these methods is more secure? If none of them, what is the best way of implementing this use case?
Thanks
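
The two options from the question, sketched side by side as an added Python example (not part of the original post, and not the poster's code). The names `Challenge`, `new_link_token` and `new_pin`, the 10-minute PIN lifetime and the 5-attempt limit are assumptions chosen for illustration; the 1-day token lifetime and the 6-digit PIN come from the question.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 24 * 3600     # option 1: link valid for 1 day, as in the post
PIN_TTL = 10 * 60         # assumption: a 6-digit PIN gets a much shorter life
MAX_PIN_ATTEMPTS = 5      # assumption: wrong guesses allowed before lockout


def _digest(value):
    return hashlib.sha256(value.encode()).digest()


class Challenge:
    """One pending e-mail verification; only a hash of the secret is kept."""

    def __init__(self, secret, ttl, max_attempts, now):
        self.digest = _digest(secret)
        self.expires = now + ttl
        self.attempts_left = max_attempts   # None means "not limited"
        self.used = False

    def verify(self, candidate, now=None):
        now = time.time() if now is None else now
        if self.used or now >= self.expires or self.attempts_left == 0:
            return False
        if self.attempts_left is not None:
            self.attempts_left -= 1
        # Compare hashes in constant time to avoid a timing side channel.
        if hmac.compare_digest(self.digest, _digest(candidate)):
            self.used = True                # single use: a replayed link fails
            return True
        return False


def new_link_token(now=None):
    """Option 1: 256-bit URL-safe token; guessing it is infeasible."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    return token, Challenge(token, TOKEN_TTL, None, now)


def new_pin(now=None):
    """Option 2: 6 digits = 10**6 values, so attempts must be capped."""
    now = time.time() if now is None else now
    pin = f"{secrets.randbelow(10**6):06d}"
    return pin, Challenge(pin, PIN_TTL, MAX_PIN_ATTEMPTS, now)
```

In a real application the `Challenge` would be stored per user and per login attempt, so that a token or PIN issued for one account cannot validate another.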