Let’s take a look at what happens when an authentication request is made using two factors of identification.
User: goes to the website and enters a username and password.
Authentication server: Ah, it’s you again, bobbysmith3! Let me check whether your password matches the one I have.
Authentication server: Well, it checks out. But I’m still skeptical. I’m sending a code to the phone number I have on file. Please enter the code as soon as you receive it.
User’s phone: DING!
User: receives the text message and enters the code.
Authentication server: The code matches! Since you have both bobbysmith3’s password and bobbysmith3’s phone handy, I’m sure you are indeed bobbysmith3! Welcome!
One of the most common forms of multifactor authentication is a username and password combined with something sent to your device or account.
For example, you may have logged into an app with your username and password and then received a text message or email with a code that you must provide to the app to authenticate. This code is called a one-time password (OTP).
The process of authenticating a user with a username/password and OTP is the same as above, but there is an additional step – the authentication server must send the OTP to the user’s registered device and verify that the code is correct.
To do this, the authentication server must perform the following steps:
- Generate the OTP.
- Send it to the user’s registered device (the phone number or email address on file).
- When the application forwards the one-time password the user entered, check that it matches the code that was issued.
- If so, the user is authenticated.
- If not, return an error and allow the user to request another OTP. To prevent brute-force attacks, limit how many new OTPs can be requested before the user is locked out.
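The server-side steps above, as an added example that is not code from the original article: a minimal Python service that generates the code, hands it to a delivery callback for the registered device, verifies it in constant time, rejects expired or reused codes, and enforces both the wrong-guess limit and the request limit. The `send` callback, the five-minute validity window and the limit values are assumptions chosen for illustration.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6
OTP_TTL_SECONDS = 300       # assumption: a code stays valid for five minutes
MAX_VERIFY_ATTEMPTS = 5     # wrong guesses tolerated before the pending code is discarded
MAX_OTP_REQUESTS = 3        # new codes allowed since the last successful login before lockout


class OtpService:
    """Server side of the username/password + OTP flow (example code, not from the page).
    `send(destination, code)` delivers the code to the registered device; `clock()`
    returns the current time, injectable so expiry can be tested offline.
    """

    def __init__(self, send, clock=time.time):
        self.send = send
        self.clock = clock
        self.pending = {}    # username -> [code, expires_at, failed_attempts]
        self.requests = {}   # username -> codes issued since the last successful login

    def issue(self, username, registered_device):
        """Steps 1 and 2: generate the OTP and send it to the registered device."""
        count = self.requests.get(username, 0)
        if count >= MAX_OTP_REQUESTS:
            return False                       # locked out: too many codes requested
        # Cryptographically random, zero-padded to a fixed width (e.g. "004217").
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[username] = [code, self.clock() + OTP_TTL_SECONDS, 0]
        self.requests[username] = count + 1
        self.send(registered_device, code)     # the code never goes back to the application
        return True

    def verify(self, username, submitted):
        """Step 3: check the code the application forwarded from the user."""
        entry = self.pending.get(username)
        if entry is None:
            return False                       # nothing issued, already used, or discarded
        code, expires_at, failed = entry
        if self.clock() > expires_at:
            del self.pending[username]
            return False                       # expired: the user must request a new code
        if not hmac.compare_digest(code, str(submitted)):
            entry[2] = failed + 1              # constant-time compare; count the miss
            if entry[2] >= MAX_VERIFY_ATTEMPTS:
                del self.pending[username]     # brute-force guard: discard the code
            return False
        del self.pending[username]             # one-time: a code never verifies twice
        self.requests.pop(username, None)      # a successful login resets the request budget
        return True
```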
With this additional requirement, an attacker’s attempt to fake their identity is significantly slowed down! Let’s go back to the question that was asked about one-factor authentication with username/password.
What happens if someone finds out your password?
In this case, simply having someone’s password is not enough. The attacker must also obtain the OTP that was delivered to the real user’s registered device in order to pass verification.
As you can see, multi-factor authentication significantly reduces the likelihood of an attacker impersonating a user.