How do 2FA codes work?


Hi! I was doing some webdev yesterday and needed to clear my cache and cookies for the first time in a long time, which prompted me to log into all the saved sites from the previous session. Most of them require 2FA and it got me thinking: how does it actually work?

For security I assume there isn’t a token saved next to the user’s ID or password. Or is there something in the QR code you scan originally to add it to the app?

I kind of gather SMS 2FA is a code that is saved with an expiry, same as when emails send links to your account and an expiry for the link. But for codes that expire every 30 seconds, it seems like that's a lot of database rewrites.


4 Answers

Anonymous 0 Comments

It’s a code on a timer that is both unique to that device and combined with something unique to your account. If you give that to the server it’s easy for it to undo the math for the device registered to you and get the identifier that belongs to you.
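On the question of per-code database writes, here is an added example (not part of the original thread) that assumes the site uses standard TOTP (RFC 6238), which is what authenticator apps that scan a QR code typically implement. The QR code carries a shared secret once, and afterwards both the app and the server compute the code from that secret plus the current 30-second interval. The account name and issuer are constructed, the secret is the RFC 6238 test key, and the function names are illustrative.

```python
import base64, hashlib, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed enrollment URI, as a QR code would encode it (RFC 6238 test key).
SAMPLE_URI = ("otpauth://totp/Example:alice?"
              "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

def secret_from_uri(uri):
    """Extract the Base32 shared secret from an otpauth:// URI."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)          # restore padding apps usually strip
    return base64.b32decode(b32)

def totp(secret, now, step=30, digits=6):
    """RFC 6238 code: HMAC-SHA1 over the interval counter, then truncate."""
    counter = int(now) // step            # same value for a whole 30 s window
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F               # dynamic truncation (RFC 4226)
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def verify(secret, submitted, now, last_counter=-1, step=30, window=1):
    """Server side: recompute codes for nearby intervals and compare.

    Nothing is written when a code expires. The server keeps the secret
    and, to block replay, the counter of the last accepted code.
    Returns the matched counter, or None if the code is rejected.
    """
    current = int(now) // step
    for c in range(max(0, current - window), current + window + 1):
        expected = totp(secret, c * step, step)
        if c > last_counter and hmac.compare_digest(
                expected.encode(), submitted.encode()):
            return c
    return None

if __name__ == "__main__":
    key = secret_from_uri(SAMPLE_URI)
    code = totp(key, 59)                   # what the app shows at t = 59 s
    matched = verify(key, code, 89)        # server clock 30 s ahead: accepted
    print(code, matched, verify(key, code, 89, last_counter=matched))
```

The secret has to be stored so the server can recompute the HMAC, so it is protected like any other credential (encrypted at rest, never logged); only the last accepted counter changes, and only on a successful login.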
