Why 8-Character Alphanumeric Codes? | Building a Production-Grade Passwordless Authentication System

Security requirement

Authenticator app codes are usually a second factor. In this system, the OTP code is the only factor, so it needs dramatically more entropy.

The math

6-digit numeric: 10^6 = 1,000,000 combinations
8-character alphanumeric: 36^8 = 2,821,109,907,456 combinations

Why it matters

Brute-force attacks become computationally infeasible.
Rate limiting still matters, but the large keyspace adds defense in depth.
The OTP is strong enough to serve as primary authentication.

Storage model

Generate an 8-character code from A-Z and 0-9.
Hash the code with SHA-256.
Store the hash in userAuthAttempts.
Put only the auth attempt reference in the JWT.
Mark attempts as expiring and one-time use.

const codeHash = hashOTPCode(code);
await db.insert(userAuthAttempts).values({
  email: user.email,
  userId: user.id,
  codeHash,
  purpose: 'login',
  expiresAt: new Date(Date.now() + 15 * 60 * 1000),
  used: false,
});

Token verification

Verify the token shape before rendering the page.
Keep actual code verification on the server.
Avoid flashing authorized UI to unauthorized users.

export const Route = createFileRoute('/login-via-code/$token')({
  beforeLoad: async ({ params }) => {
    await verifyCodeVerificationToken(params.token);
    return { tokenValid: true };
  },
  component: LoginViaCodePage,
});