Authenticator is a CLI analog to the Google Authenticator phone app, or the LastPass Authenticator phone app. It is a TOTP/HOTP client that can generate the numeric codes needed for authentication with sites that support Two-Factor Authentication (TFA) or Multi-Factor Authentication (MFA).

The benefit of using authenticator over a phone app is that this CLI utility can run anywhere Python 3.5 can run from a command line interface (e.g., a terminal window), and the database of accounts and secrets is a platform-independent passphrase-protected encrypted file that can be backed up and can be copied to multiple systems without fear of bad actors gaining access to the second factor authentication.

Another benefit is that authenticator can act as a backup in case you lose your phone or tablet (running Google Authenticator) or Google breaks the app or withdraws it. TFA/MFA clients that produce a ‘one time’ numeric code require a secret that they share with the server validating the authentication. Personally, I use both Google Authenticator on my iPhone and iPad, and run authenticator on several different computer systems. I keep a copy of the accounts file in a variety of places. If my phone bricks, is lost or stolen, I can still get access to my TFA-protected accounts if I can access any of those other computers, or any other computer on which I can install and run authenticator and access a copy of my accounts file.

If a malicious party has obtained your password through theft or guessing, they will not be able to access your account without confirming the second factor. Let's take a closer look at TOTP/HOTP protocols and their implementation. The main distinguishing feature of these protocols is that the server does not need to send an OTP to the user's phone or email. The authentication process is illustrated in the following diagram:

After the user logs in with their username and password, they are prompted to enter an OTP. The user then opens an OTP-generating application, such as Google Authenticator, and enters the generated code.

To set up 2FA on the server, a secret key is generated and transferred to the user's OTP-generating application. The process of passing the secret key can be as follows: the user either scans the QR code or enters the secret key manually. Based on this key, we will generate the one-time passwords. To keep the password constantly changing, we need to enter some variable and use it in the algorithm.

HOTP: HMAC-Based One-Time Password Algorithm

Here the variable is a counter, and the code is derived from an HMAC computed over the secret key and the current counter value. The result of the execution is quite a long value, so the code is reduced to 6-8 characters for the user's convenience. If the server and the client know the secret key and increment the counter equally at each user input, the resulting code value will be the same, and the OTP will change at each input. Thus, if an attacker intercepts the OTP code, he won't be able to use it again. This algorithm is not very handy, but it was often used in the 2000s when there were no convenient applications. For example, a list of generated passwords provided by the bank was used to confirm access or transactions on a user's bank account. After the user had used all the passwords from the list, he had to visit the bank office to get a new list.

Time-based One-Time Password Algorithm (TOTP)

This algorithm is based on the previous one and uses a time step as a variable. As a rule, the step is chosen with a duration of 30 seconds, and an OTP is automatically generated in the application every 30 seconds.