How do programs with 2fa enabled keep track of the 2fa code, since it changes in a short time span and there’s many different ways / apps to generate said code?

The number of different ways to generate a code is irrelevant – you just generate one and send it to the user, while storing it at the server level with an expiry time. The user then has to use the code within this time.

The programs have a set of numbers called a “seed” that are specific to a certain account. You can take that seed and run it through an algorithm that will give you a set of alphanumeric characters that can be displayed and changed every so often, and because both devices have the same seed they will get the same result once the calculation has been run. As a result you can enter the number into the website or program and it basically tells them that yes, I have control because I have access to the only other copy of the seed matching this account.

This is the basic simple explanation as I’m sure someone could better or deeper explain it than I can.

The code itself is generated from a secret key that is shared between both the device (phone?) and the web site. If your phone scanned a QR code during 2FA setup (which is what Google did for me), that key was transferred to your phone.

The login code generator takes the secret key from the QR code, and the current time in multiples of 30 seconds, and generates a code from that. As long as the web site and your phone’s clocks are synchronized, you’re good.

This question is unclear. It seems to point at certain kinds of 2FA, which is otherwise a very unspecific concept, but does not state what a “program” is. Some answers seem to refer to certain ways of 2FA, but need even more context.

All computers and devices use the same universal time code, it doesn’t matter where you are the time is the same. This time is nothing more than counting every second that has passed since 1 January 1970 00:00:00. You can see the current time here [https://www.unixtimestamp.com/](https://www.unixtimestamp.com/).

When you set up 2FA the server shares a secret with you, this is just random characters (nHCg8Pn42MiKBE).

Both you and the server do some math with the universal time and the secret and it generates the 6 digit code. Both do this every 30 seconds.

The offline token is generated by the same algorithm as the server’s token, using the device’s current time. The token is valid for a span like 2 minutes. All devices are time synced. Same input, same algorithm, means same output.
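The answers above describe the same scheme from three angles: a secret shared at enrollment (often via a QR code), the current Unix time divided into 30-second steps, and a server that tolerates a small window of clock skew. The block below is an added example, not code from the original thread, showing that scheme end to end as standardized in RFC 4226 (HOTP) and RFC 6238 (TOTP). It assumes SHA-1, 6-digit codes, a 30-second step and a +/-1 step skew window, which are the defaults most authenticator apps use; the reuse check (rejecting a code for a time step that has already been accepted) is a practitioner's addition that the thread does not mention.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

STEP = 30      # seconds per time step (RFC 6238 default)
DIGITS = 6     # code length shown to the user


def generate_secret(nbytes: int = 20) -> str:
    """Server side, at enrollment: a fresh random secret for this one account.
    It is handed to the phone base32-encoded, which is the form that goes into
    the otpauth:// URI behind the QR code."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble,
    and the result is reduced to `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the counter is simply how many `step`-second intervals have
    elapsed since 1970-01-01T00:00:00Z. Phone and server both compute this."""
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, submitted: str, unix_time: int,
                last_used: int = -1, window: int = 1,
                step: int = STEP, digits: int = DIGITS) -> Optional[int]:
    """Server side: accept the code for the current step or any step within
    +/- `window` to tolerate clock skew between phone and server.
    Returns the matching step counter so the caller can persist it and refuse
    a replay of the same step (any counter <= last_used is rejected).
    Returns None when no step in the window matches."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used:
            continue  # this step was already consumed; reject replay
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


if __name__ == "__main__":
    # Enrollment: server makes a secret, phone scans it from the QR code.
    secret_b32 = generate_secret()
    phone_secret = base64.b32decode(secret_b32)   # what the app stores
    server_secret = base64.b32decode(secret_b32)  # what the server stores

    now = int(time.time())
    code_on_phone = totp(phone_secret, now)
    print("shared secret (base32):", secret_b32)
    print("code on phone:", code_on_phone)

    # Login: server checks the typed code against its own clock.
    accepted = verify_totp(server_secret, code_on_phone, now)
    print("server accepted step:", accepted)
    # Submitting the same code again for the same step is refused.
    print("replay accepted:", verify_totp(server_secret, code_on_phone, now,
                                          last_used=accepted))
```

Neither side ever "keeps track of" the code; both recompute it from (secret, time) on demand. The only state the server must store is the per-account secret and, for replay protection, the last step counter it accepted. The RFC test vectors (secret `12345678901234567890`, 8-digit codes) can be used to confirm an implementation: at Unix time 59 the code is 94287082, and the 6-digit code at the same time is 287082.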