I am dealing with sensitive data in my webshop and customers will sometimes have to enter health care information when ordering products.
Therefore I need to make sure that the person logging in is in fact that person, and I would like the customer to have to enter a random code sent to their email after every login to verify that they have access to their login email before they are able to proceed to the order section or view their order details (which for some products may contain sensitive data).
- customer logs in to their customer account with their e-mail and password.
- customer receives a code via e-mail, and has to enter it to proceed.
- customer is logged in and can view their orders containing sensitive data.
If they fail step number 2 they are not allowed to view their order and have not successfully logged in.
To complicate it a bit more, I would only like the customer to do this if they have ordered one of two products. If their order does not contain one of these two products they should not have to go through the steps outlined above in order to view their order details (or log in to their account).
Is anyone able to help, or has anyone done anything similar?
PS! I am also open to SMS verification instead of e-mail if that makes it easier.
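One way to implement the flow described above, as an added example in Python that is not code from the original post: the server only stores a keyed hash of the code, the code expires, is single-use, and is invalidated after too many wrong guesses, and the check is only enforced when the order contains one of the flagged products. The product identifiers, the in-memory session object, the 10-minute expiry, the five-attempt limit and the way the secret key is loaded are all assumptions for the example; delivery of the code by e-mail or SMS is left to the caller.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Iterable, Optional

# Assumed identifiers for the two products that trigger the extra step.
SENSITIVE_PRODUCTS = {"SKU-HEALTH-1", "SKU-HEALTH-2"}
CODE_TTL_SECONDS = 10 * 60   # assumed: code is valid for 10 minutes
MAX_ATTEMPTS = 5             # assumed: wrong guesses allowed before re-issue

# Assumed: in production load this from configuration, not at import time.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    """Server-side login session (assumed shape; a real shop would persist this)."""
    email: str
    verified: bool = False
    code_hash: Optional[bytes] = None   # keyed hash of the outstanding code, never the code
    code_expires: float = 0.0
    attempts: int = 0


def order_requires_verification(order_skus: Iterable[str]) -> bool:
    """Step-up is required only when the order contains a flagged product."""
    return any(sku in SENSITIVE_PRODUCTS for sku in order_skus)


def _hash_code(session: Session, code: str) -> bytes:
    # Bind the hash to the account so a code issued for one user is useless for another.
    msg = f"{session.email}:{code}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()


def issue_code(session: Session, now: Optional[float] = None) -> str:
    """Create a fresh 6-digit code from a CSPRNG; return it for e-mail/SMS delivery."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10 ** 6):06d}"
    session.code_hash = _hash_code(session, code)
    session.code_expires = now + CODE_TTL_SECONDS
    session.attempts = 0
    session.verified = False          # a new login always starts unverified
    return code


def verify_code(session: Session, submitted: str, now: Optional[float] = None) -> bool:
    """Step 2 of the flow: check the submitted code; mark the session verified on success."""
    now = time.time() if now is None else now
    if session.code_hash is None or now > session.code_expires:
        session.code_hash = None      # expired or nothing outstanding: force a re-issue
        return False
    session.attempts += 1
    if session.attempts > MAX_ATTEMPTS:
        session.code_hash = None      # too many guesses: invalidate, user must request a new code
        return False
    ok = hmac.compare_digest(session.code_hash, _hash_code(session, submitted))
    if ok:
        session.verified = True
        session.code_hash = None      # single use: the same code cannot be replayed
    return ok


def can_view_order(session: Session, order_skus: Iterable[str]) -> bool:
    """Step 3 gate: orders without flagged products are visible after password login alone."""
    if not order_requires_verification(order_skus):
        return True
    return session.verified


if __name__ == "__main__":
    s = Session(email="customer@example.com")          # constructed sample account
    code = issue_code(s)
    print("would send code to", s.email)               # never log the code itself in production
    print("can view sensitive order before code:", can_view_order(s, ["SKU-HEALTH-1"]))
    print("code accepted:", verify_code(s, code))
    print("can view sensitive order after code:", can_view_order(s, ["SKU-HEALTH-1"]))
```

Two points worth deciding before wiring this in: the "requires verification" decision should be made for the account (any order on the account containing a flagged product) rather than per order page, otherwise the order list endpoint can leak what was bought; and the same hashing, expiry and attempt-limit logic applies unchanged if the code is sent by SMS instead of e-mail, only the delivery call differs.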