How does two factor authentication with phone authenticator apps work? How does the website know you’ve entered the correct temporary code?

Two factor authentication is so important in the modern internet. As far as I know, it makes it extremely difficult to hack into an account, even if you have the password. But how does it work? How does this random website know that I’ve entered the temporary code from my authenticator app correctly?

Like, 2fa with email or text is simple, but how, specifically, do the authenticator apps on phones work?

7 Answers

Anonymous 0 Comments

Your phone (or in prior times, a separate device the size of a lighter) is running an algorithm that spits out pseudorandom numbers at set intervals of about a minute or so. To break that down, it’s not *really* generating random numbers, it just appears random because the outside observer doesn’t know the initial conditions used to set it up. Only the phone app and the authenticating body know how that pseudo random number generator is set up, so if the number the phone generates matches the one in the company’s servers, that’s the authentication.

Obviously, this falls apart if someone steals or clones your phone, or otherwise knows how to duplicate the number generator and settings, but it’s still one more hurdle that your average hacker needs to overcome. Given that most hacks aren’t *targeted* hacks against a specific individual, it’s not worth it to them to try and breach an account with 2FA, so they’ll go hunt easier prey.

Anonymous 0 Comments

The idea is that both sides already know both a “secret” key and the current time.

Taking advantage of that information, a 6 digit code is created using a combination of the two. The website can then verify the entered code against the expected code(s).

Anonymous 0 Comments

The app and the website have a shared secret key. They use the secret key and the current time to generate the temporary code. The temporary code can be generated the same way on both sides, and your input can then be compared to it.

The secret key is generated when you set up the two-factor authentication and both the phone and the server have it.

Anonymous 0 Comments

When you created the 2FA method, the server generated a secret. That is the thing that is shared via a QR code with your phone.

Then your phone runs a predetermined algorithm that takes the secret and the current time and produces a code. The server can also take the secret and the current time and compare the value. If you were able to provide the value that is correct for the current time, then you must have the device that the original secret is on.

Anonymous 0 Comments

The code used by an app (or a hardware token, for that matter) isn’t random – it’s maths.

Let’s say, for instance, that the bit of maths is:

* Take the time in seconds since a certain date
* Multiply that time by some number known both to the app and the website
* Take the last six digits of that result – and that’s your code

Provided the website and the app both have the correct time, they’ll come to the same answer. The actual maths is going to be a bit more complex than what I’ve mentioned, but the principle is the same – do the same sum, and you should get the same answer, which means you can check if the person who’s entered the code is who they say they are.

Anonymous 0 Comments

While setting up 2FA, the website gives you a code, which we enter in the authenticator app. Now both the website and our app have this common code. When we try to log in, the Authenticator will generate codes based on the current time, and the website can also verify the same code based on the current time and validate that the given 2FA is correct.
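The flow the answers describe (server makes a secret, phone and server each turn secret + current time into a 6-digit code, server checks the submitted code against its expected code(s)), as an added Python example that is not from any poster. It implements the standard RFC 6238 TOTP and assumes the usual defaults of a 30-second step and HMAC-SHA1; the ±1-step window is an assumed skew tolerance.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30    # seconds per code: the "set interval" the answers mention
DIGITS = 6   # length of the code shown in the app


def new_secret() -> str:
    """Server-side enrolment: generate the shared secret and encode it as
    base32, which is the text the QR code carries over to the phone app."""
    return base64.b32encode(secrets.token_bytes(20)).decode()


def totp(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1(secret, time_step) truncated to DIGITS digits.
    Both phone and server run exactly this on the same secret and clock."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = int(unix_time) // STEP               # the "current time" input
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def verify(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step or for any
    step within +/- window steps, so a slightly skewed phone clock still
    works. Comparison is constant-time to avoid leaking matching digits."""
    for k in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + k * STEP)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    secret = new_secret()           # shown to the phone once, at setup
    now = int(time.time())
    shown = totp(secret, now)       # what the authenticator app displays
    print("app shows", shown, "-> server accepts:", verify(secret, shown, now))
```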