Which practices should I use while generating SMS codes for auth on my project?


Let’s imagine that we have SMS verification auth using random 4-digit codes, e.g. 1234, 5925, 1342, etc.

I’m using this random inclusive algorithm on my node.js server:

```javascript
function getRandomIntInclusive(min, max) {
    min = Math.ceil(min);
    max = Math.floor(max);
    return Math.floor(Math.random() * (max - min + 1) + min); // The maximum is inclusive and the minimum is inclusive
}

const another_one_code = getRandomIntInclusive(1000, 9999);
```

Taken from https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Math/random

It seems I have a range from 1000 to 9999, and I have some questions about security:

  1. Am I using a good algorithm? Maybe I need to use something better?
  2. Will it increase security if I check the codes sent in the last n minutes in the DB and regenerate the new one if it is the same (the case of brute-forcing the same code twice), so the user always gets random codes like 5941-2862-1873-3855-2987 and never the 1023-1023-2525-2525-3733-3733 case? I understand that the chance is low, but anyway…

Thank you for your answers!
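
An added example, not part of the original post: a Node.js sketch of issuing and checking a 4-digit SMS code that draws from `crypto.randomInt` (the OS CSPRNG) instead of `Math.random`, and relies on expiry, an attempt limit and single use, not on filtering out repeated codes. The 5-minute lifetime, the 3-attempt limit, the in-memory `Map` standing in for the database and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const CODE_DIGITS = 4;          // code length used in the question
const TTL_MS = 5 * 60 * 1000;   // assumed lifetime of a code
const MAX_ATTEMPTS = 3;         // assumed number of guesses allowed per issued code

// Uniform draw from the OS CSPRNG. Leading zeros are kept, so all 10^4 values
// are possible (the 1000..9999 range in the question drops 1000 of them).
function generateCode(digits = CODE_DIGITS) {
  return String(crypto.randomInt(0, 10 ** digits)).padStart(digits, '0');
}

// Store a keyed hash of the code, never the code itself.
function hashCode(code, key) {
  return crypto.createHmac('sha256', key).update(code).digest();
}

// Hypothetical in-memory stand-in for the database, keyed by phone number.
const pending = new Map();
const serverKey = crypto.randomBytes(32);

function issueCode(phone, now = Date.now()) {
  const code = generateCode();
  // Issuing a new code replaces the old one and resets the attempt counter.
  pending.set(phone, { hash: hashCode(code, serverKey), expires: now + TTL_MS, attempts: 0 });
  return code; // hand this to the SMS gateway
}

function verifyCode(phone, submitted, now = Date.now()) {
  const entry = pending.get(phone);
  if (!entry) return false;
  if (now > entry.expires || entry.attempts >= MAX_ATTEMPTS) {
    pending.delete(phone); // expired or guess budget exhausted: code is dead
    return false;
  }
  entry.attempts += 1;
  // Constant-time comparison of two 32-byte HMAC digests.
  const ok = crypto.timingSafeEqual(entry.hash, hashCode(String(submitted), serverKey));
  if (ok) pending.delete(phone); // single use
  return ok;
}
```

In a real deployment `issueCode` itself also needs rate limiting per phone number, since each re-issue hands out a fresh set of guesses.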