[EN] TOTP - Time-controlled 2-factor authentication

in #twofactor · 6 years ago

Practically everyone has heard of two-factor authentication (2FA), and many people use it when registering with an exchange or another online service.

In principle, 2FA can be implemented in several ways.
The aim is to combine two of the following factors:

  • Authentication by knowledge (something you know)
  • Authentication by possession (something you have)
  • Authentication by biometric characteristics (something you are)

A very common variant is the use of a smartphone in combination with a one-time password.
The knowledge factor (password) is combined with the possession factor (smartphone).
In this article I would like to explain in general terms how this works.


What is a one-time password

A one-time password (OTP) is a password that, as the name implies, can only be used once. It is usually used as a second factor when logging in or when authorizing further transactions.

In principle, there are two different types:

Password list

Anyone who did online banking a few years ago knows the TAN list. For a transfer, the TAN with a specific index number had to be entered to prove that you were in possession of the second factor (the TAN list).

Password generators

With password generators, the passwords are generated dynamically. A distinction is made between:

  • Challenge-response controlled procedure
  • Event-driven procedure
  • Time-controlled procedure

In this post I will confine myself to the time-controlled procedure. The so-called TOTP algorithm is often used for this purpose, and I would like to discuss it in more detail below.

What is TOTP

The Time-based One-Time Password algorithm generates a one-time password that is valid for a fixed time window, usually 30 seconds.

Simplified, it works as follows:

  • Sender and receiver (client and server) agree on a shared secret key
  • A keyed hash (HMAC) is computed over this key and the current time (the clocks are synchronized via NTP, and the time in seconds is reduced to whole 30-second steps so both sides use the same value)
  • The one-time password is derived by truncating the hash to a few bytes and applying a modulo operation.

Depending on the modulus used (10^6 or 10^8), a 6- or 8-digit password is produced.

Authy vs. Google Authenticator


Google Authenticator is probably the best-known mobile application that provides 2FA using TOTP. A less common alternative is Authy.

Google Authenticator can only be installed on one device.
If the device is lost, every service registered in Google Authenticator has to be set up again.

When setting up the 2FA method, a specific recovery code is generated for each service, and this code must also be backed up carefully. When reinstalling on another device, each service then has to be added manually using its code.
This means considerable effort to store the codes safely (which can itself have a negative effect on security). Depending on the number of services used, recovering everything is also very time-consuming.

Authy, on the other hand, lets you create a backup, encrypt it and store it in the cloud.
If a device is lost, the accounts can still be accessed from another device (provided this has been set up beforehand).

So if you use Google Authenticator for many services, you should at least take a look at Authy.



Sources and further links

https://de.wikipedia.org/wiki/Time-based_One-time_Password_Algorithmus
https://authy.com/
https://authy.com/blog/how-the-authy-two-factor-backups-work/


Thank you for reading!


Good post, I have (like you told me) actually taken a look at Authy and quite liked it. (and I didn't even see the German post xD)