How do I encrypt web content at server to decrypt on client browser

I have created a web server app and one of the things it does is send a text message to a known mobile number for a user when they login to the site.

Once the person is logged in I then ask them to enter the 8-digit PIN number that they have been sent via text message, which I want to store locally on the web browser (without it being returned to the server app).

Then every time the client displays a text box I need it to decrypt the text that has been sent by the server (which has already encrypted it with the PIN) so that it appears correctly.

I realise that this will need some JavaScript etc. and was wondering if anyone has done something like this, or has something I could use as a starting point.

By using the above it means that the connection will be secure using SSL and the person would need the PIN code (which changes every time they login to the site), so even if the PIN code was obtained it would only be useful for a short period of time, as the session automatically times out after 10 minutes of idle and can only be active for 3 hours before needing to login again.


I’m confused as to how this is more secure than just using SSL. Why not just add 2FA to your app and avoid all of this?

The problem is that you have to put a script on the client side to do this and that is a big no-no - you never disclose how you do something when it comes to security.

Thanks Greg, you are absolutely right, 2FA with SSL would work for what I am trying to do. I now need to look at the SSL supported by standalone Xojo web apps as I think something needs to be tweaked to make it support newer versions of TLS.

Uh… that’s wrong. Kerckhoffs’s principle is a fundamental security rule that basically states that a system should be secure even when everything about the system (except the key, of course) is known.

The best encryption tools out there are open source. In fact, here’s Xojo code for handling proper 2FA without weakening the system with a phone number: Open source, of course, if the URL didn’t give it away.

These things are secure because they are known. It is far easier to do vulnerability testing on something when you have the source.