**Why**:
To provide an additional layer of security.
The TOTP spec (RFC 6238) recommends encrypting the keys.
http://tools.ietf.org/html/rfc6238
**How**:
Borrow the encryption code from the `attr_encrypted` gem and use it to
encrypt and decrypt the `otp_secret_key` attribute.
Allow users to add encryption by passing in `encrypted: true` to
`has_one_time_password`. This provides backwards-compatibility for
existing users of the gem.
See the README updates for more detailed instructions for both new
and existing users.
**Why**
In some cases, it might be necessary to run some code right after the user signs in, but before the OTP is sent, and also right before a user signs out.
For example, consider this scenario:
- The app requires the user to confirm their phone number before it gets saved. This confirmation is done by sending an OTP to the phone and asking the user to enter it.
- User mistypes the number, then closes the anonymous browser window, or signs out before confirming
- User signs back in, and OTP is sent to the mistyped number. User is now unable to fully sign in since the OTP is being sent to the wrong number
In order to prevent this scenario, we need to be able to reset the `unconfirmed_mobile` to nil before the OTP is sent, and before they sign out so that they can type it in again.
**How**
Allow the gem user to define an OtpSender class with a `reset_otp_state` method
Storing just request.path drops the query string which makes two factory
authentication less useful when the guarded page needs those parameters.
This brings the two factor authentication redirect behavior in line with
devise's.