My web application is a test online store based on Spring framework in which I am trying to do user authentication by phone number using Twilio API to send a confirmation code on his phone number.
Should I generate a digit confirmation code in my web application using java.util.Random class to send it to the user's phone number? If it is not a good practice, how should I make it?
You should know that Random returns numbers that are not completely random, and thus using it for tasks that require a high level of security is not recommended. Instead, you should use SecureRandom or other methods.
Citing the Javadoc documentation:
Consider instead using SecureRandom to get a cryptographically secure pseudo-random number generator for use by security-sensitive applications.