How do 2FA codes work?

911 views

Hi! I was doing some webdev yesterday and needed to clear my cache and cookies for the first time in a long time, which prompted me needing to log into all the saved sites from my previous session. Most of them require 2FA, and it got me thinking: how does it actually work?

For security I assume there isn’t a token saved next to the user’s ID or password. Or is there something in the QR code you scan originally to add it to the app?

I kind of gather SMS 2FA is a code that is saved with an expiry, same as when emails send links to your account with an expiry for the link. But for codes that expire every 30 seconds, it seems like that's a lot of database rewrites.

In: Technology

4 Answers

Anonymous 0 Comments

Depends on the 2FA solution we are discussing.

SMS 2FA is easy – the provider generates a code and sends it to you by SMS. You then have X seconds to enter the code on the website/app or the code is invalid. If the code matches, you are granted access.

Token-based 2FA involves some tech beyond an ELI5, but the gist is that you are given a token by the website/app. This token tells your 2FA client how to generate one-time 2FA codes. The app uses the token and the current time to generate a specific code which is put into the website/app. Since the website/app knows the token it gave you and the current time, it can validate that the code is correct. There aren't any database writes because the code generation and validation is done on demand.
