How do 2FA codes work?


Hi! I was doing some webdev yesterday and needed to clear my cache and cookies for the first time in a long time, which prompted me needing to log into all the same sites from the previous session. Most of them require 2FA, and it got me thinking: how does it actually work?

For security I assume there isn’t a token saved next to the user’s ID or password. Or is there something in the QR code you scan originally to add it to the app?

I kind of gather SMS 2FA is a code that is saved with an expiry, same as when emails send links to your account and an expiry for the link. But for codes that expire every 30 seconds, it seems like that's a lot of database rewrites.


4 Answers

Anonymous 0 Comments

The explanations already provided are plenty sufficient, so I won’t beat a dead horse, but I will add perspective. Working with a private company contracted with the DoD means I frequently need to log on to the company’s website, but due to the nature of working in a secured environment where phones aren’t allowed, I’m not able to receive SMS 2FA codes, so we get issued a hardware token. This has a pre-determined pseudo-algorithm which is linked with my account, so based on the time of day, the code generated on the token is what the system is expecting when I initiate a logon. Since this doesn’t require a remote connection of any type, it’s allowed in the secured area (no transmissions occurring from the device).
