hi forum!
i am figuring out what’s a good way to implement an authentication layer for Stripe, on a website running on Kirby:
the website has a subscription option, managed by Stripe; i need to add an option to allow users to change their subscription options.
to do this there must be an authentication layer to verify that the email you fill in to change options for that customer account on Stripe, does belong to you.
my first idea was to use a simple one-time-password mechanism, where an email is sent to the subscriber with a temporary code that must be filled out on the website before clicking Submit, and tell Stripe this user is in fact who they say they are.
this would work, but i feel it’s not particularly robust, as it is the only authentication mechanism put in place, and using emails means plain text. usually people suggest using an app for this, like Authy, where you scan a QR code at the beginning and then you receive the pin code on your phone directly. this would be better in fact, but it requires users to download an app and set it up as a necessary step.
one way to use kirby would be by creating user accounts on it and setting a password for each of them, and then applying the OTP email mechanism for “double” security, but somehow we tried to avoid making users create yet another password.
what do you think? has anyone already had any experience with this?
thanks!
André