After a new registration, the user needs to confirm his/her phone number. The sent code should be valid for just 5 minutes and new codes can be regenerated once every 5 minutes.
The following code generates a new phone number code/token:
var code = await userManager.GenerateChangePhoneNumberTokenAsync(user, user.PhoneNumber);
and the VerifyChangePhoneNumberTokenAsync is used for verification.
Where is this code stored?
Does Identity have any timing fields or do I have to implement it myself?
According to the source codes, we could find the GenerateChangePhoneNumberTokenAsync will use the PhoneNumberTokenProvider to generate and validate the token.
The PhoneNumberTokenProvider inherit the TotpSecurityStampBasedTokenProvider, when it genreate or validate the token, it will firstly get the user's SecurityStamp.
This SecurityStamp is normally stored at the database and will generate the right security codes base on this SecurityStamp .