How do 6-digit codes work for Two-Factor Authentication?


So, I get that broadly the answer is “It’s an algorithm”, but I’d like to know more specifics if there are any.

For some websites/services, Two-Factor Authentication requires a (usually 6-digit) code to authenticate the user. This code changes frequently, usually every 30 seconds or so. The code generators for doing this are sometimes connected to internet/cell service, but they don’t have to be for a lot of authentication services.

I guess what I’m wondering is how a server is able to verify that my code of (for example, of course) 554-048 is now the code to authenticate my account, which I just obtained from a device that is not connected to any way of transmitting data, and that the previous code, 685-392 is no longer valid.


2 Answers

Anonymous

When you register for app-based 2FA, you scan a QR code. That QR code essentially contains a giant password.

However, instead of ever transmitting that password back (because it could be intercepted in the process), you run that password through an algorithm, along with the current time (typically rounded down to 30 seconds). That algorithm will spit out a 6-digit number.

When the server checks, it will also compare the time + password (since it knows about it when you registered) using the same algorithm. If it matches, then you must have the original password, which means you have the original device you used to register.

Since the algorithm uses the current time, if anybody ever gets a peek at your 2FA app, those codes aren’t valid for very long, so it poses very little risk.
