This article aims to highlight what authentication is and why you should use Multi-Factor Authentication. We will start by defining authentication, then discuss the single factor version, as well as not only explore the process of, but convince you to use, Multi-Factor authentication (MFA). As we go, I will speak briefly about MFA’s inner workings which I had the opportunity to develop and then present during my company’s hackathon.
What is Authentication
Authentication is the process of proving to a party that you are who you say you are. In day to day life, that may be providing your passport at the airport so the TSA can verify you are the person listed on the ticket. In the context of a website, you need to authenticate in order to prove you are the owner of the account. Websites can’t see you in person to authenticate, so the internet leans on the Password Authentication Protocol as the de facto form of authentication. Others may know your username, but you always keep your single factor of authentication, the password, hidden.
Introducing MFA and 2FA
Multi-Factor Authentication (MFA) involves presenting 2-3 factors when authenticating, between something you know, say a password, something you have, a mobile device or wristband, and/or you, biometric identifiers such as fingerprint or face identification. The goal of Multi-Factor authentication is to allow users to further secure their accounts. Two-Factor authentication (2FA), is a subset of this which involves presenting two factors, in this case a password and a code from your phone. As mentioned above, by default, most folks on the internet use only a username and password to login. If that password is compromised, the user’s account could be locked or stolen without their consent.
A password is susceptible to Brute-force attacks by a malicious computer user’s software which can potentially guess upwards of a thousand passwords per second. These attacks result in the news we often see today; password breaches occurring regularly. Humans tend to be bad at making passwords either because they are too short, too easy to guess given some basic personal information about them, et cetera. Additionally, a malicious user may have a leaked password list from 100m+ users or more, with the passwords analyzed and sorted in most common order. With Multi-Factor authentication knowing a username and password is not enough to authenticate into your account anymore.
To begin, let’s say we have two groups:
The User: the person who is trying to login
The Company: whose website the User wants to login to: Netflix, Google etc.
MFA, specifically the 2FA version, requires two pieces to authenticate: The User’s password and a time-based one-time password (TOTP). The TOTP is the second factor that the User will need to enter in when authenticating. The main benefit of TOTP is that if a malicious party gains accesses to your password, they won’t be able to gain access into your account without the TOTP.
A TOTP is different often, changing depending on what time it is. This makes it incredibly hard to guess, because, as each time window passes, the malicious party would have to restart their initial password guesses with a new TOTP.
How does it work and how is a TOTP created?
All TOTPs are created based on a secret seed phrase that the Company shares with the User usually once and only once. This process occurs when the User elects to add another factor of authentication onto their existing account. After the User elects to have this extra layer of authentication added, the Company will generate this secret seed and send it back to them. (Hopefully) The company will store the secret seed generated for each user encrypted within the database. They will retrieve and decrypt this later when they need to verify a TOTP code sent by the User.
A QR code with an example embedded secret seed that your mobile device can scan.
How this works in practice is the User will elect to enable Two-Factor authentication on the Company’s website, next the Company will generate a secret seed for that user, finally, they will communicate the secret seed back to the User via a QR code. This QR code contains the seed along with the name of that User’s associated account encoded into the picture. The User will scan this QR code with an Authenticator App which will decode the qr code into the account name and secret seed. Let’s say this is the secret seed that gets shared:
Shared TOTP Seed: 😄😊😉😚😜😝😳😁😣😢😂😭😪😥😰😩…
As the length of a secret seed phrase or password increases, it can exponentially increase the difficulty of guessing it via brute force. In order to use TOTP with Google’s Authenticator, the secret seed must be sufficiently large. Let us assume the above complex millennial phrase is adequately long, so no one, or computer can guess it.
Once the TOTP is fully setup, the Users login process will have an extra step. After they enter their password succesfully, they will be prompted to enter a TOTP code from their authentication app.
This code is derived from the shared seed mentioned earlier. This six digit code is a function of the current time + the shared seed. These two parameters are fed into a cryptographically secure hash function and the result is truncated to six digits. The User’s Authenticator app will do this magic behind the scenes and display the resulting six digit code to the User. This code is entered into the company’s prompt above.
In a few moments, the Company receives the TOTP code, looks up the current time and then retrieves and decrypts the shared seed for that particular user. Same as before, the Company feeds the shared seed and the current time into the hash function and truncates it down to six digits. The resulting code is then compared to the one the Company received from the User. If they are the same, then the User is logged in and redirected to the home page. If not, they are denied access.
A common question in regard to this process is:
If the password is changed every second, then what if the time between when the User sends the TOTP and when the company receives it is sufficently large enough such that the Company’s generated TOTP is different?
TOTP uses a standard window of 30 seconds per code. So every 30 seconds your TOTP will change. The time parameter we feed into the hash function is the result of taking the total number of seconds since the unix epoch, dividing it by 30 and rounding it down. On top of this initial leeway, the Company will sometimes check the User’s provided TOTP code against the TOTP code for the current 30 second window and the previous 30 second window.
Summing it up
In this article we talked about what Authentication is as well as the various forms of authentication that are accepted: something you know, something you have, and you. We discussed some of the many reasons why single factor-authentication is not sufficient enough and why MFA and 2FA are great solutions to this problem. Finally, we delved into some of the inner workings of 2FA taking place between two parties, a User, and a Company, in a given time-window, using the time-based one time password algorithm.
References and further reading
Some great articles and references by Fred Wilson, Union Square Venture’s VC who also invests in my employer, WorkMarket:
The RFCS for those who want to understand the technicalities, RFC’s (Request for comments) propose and describe internet standards and protocols:
- RFC 6238 TOTP protocol explanation
- RFC 4226 HOTP, the protocol TOTP is based off of, TOTP uses time hashed with the shared secret, where HOTP uses a counter value that increments each time the User tries to authenticate, starting at 0, 1, 2, 3 and so on.
Paper on rolling out U2F (a form of MFA) at Google compared against TOTP: