How do 2FA codes work?

905 views

Hi! I was doing some webdev yesterday and needed to clear my cache and cookies for the first time in a long time, which meant I had to log into all the saved sites from the previous session. Most of them require 2FA and it got me thinking: how does it actually work?

For security I assume there isn’t a token saved next to the user’s ID or password. Or is there something in the QR code you scan originally to add it to the app?

I kind of gather SMS 2FA is a code that is saved with an expiry, same as when emails send links to your account with an expiry for the link. But with codes that expire every 30 seconds it seems like that's a lot of database rewrites.

In: Technology

4 Answers

Anonymous 0 Comments

> But with codes that expire every 30 seconds it seems like that's a lot of database rewrites.

You’ve got the correct idea up until here.

Memory exists for a reason – 2FA codes don’t necessarily get stored and rewritten in the database – they can be kept in server-side memory (even more fitting as they are temporary)

Transactions with a database every 30s would be a nightmare for data concurrency
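Here is a small illustration of the approach this answer describes, written for this thread rather than taken from any product: an SMS-style code held in server memory with an expiry, used once, and compared in constant time. The user ids, the 300-second lifetime and the 5-attempt limit are assumed values, not figures from the thread.

```python
import hmac
import secrets
import time

CODE_TTL = 300      # seconds a code stays valid (assumed value)
MAX_ATTEMPTS = 5    # wrong guesses allowed before the code is discarded (assumed)


class SmsCodeStore:
    """In-memory store of pending one-time codes, keyed by user id.

    Nothing here touches a database: a code is created, lives for a short
    time in a dict, and is deleted on first successful use, on expiry, or
    after too many wrong guesses.
    """

    def __init__(self, ttl=CODE_TTL, max_attempts=MAX_ATTEMPTS):
        self.ttl = ttl
        self.max_attempts = max_attempts
        self._pending = {}  # user_id -> [code, expires_at, attempts]

    def issue(self, user_id, now=None):
        """Create a fresh 6-digit code for user_id and return it.

        The caller would hand the returned string to the SMS gateway;
        issuing a new code replaces any older pending one for that user.
        """
        if now is None:
            now = time.time()
        code = f"{secrets.randbelow(10 ** 6):06d}"  # CSPRNG, not random.randint
        self._pending[user_id] = [code, now + self.ttl, 0]
        return code

    def verify(self, user_id, submitted, now=None):
        """Return True once for the correct, unexpired code; False otherwise."""
        if now is None:
            now = time.time()
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        code, expires_at, attempts = entry
        if now > expires_at or attempts >= self.max_attempts:
            del self._pending[user_id]  # stale or brute-forced: discard it
            return False
        entry[2] += 1
        if hmac.compare_digest(code, submitted):
            del self._pending[user_id]  # single use: the code is gone after success
            return True
        return False

    def purge_expired(self, now=None):
        """Drop codes that were never used; returns how many were removed."""
        if now is None:
            now = time.time()
        stale = [uid for uid, (_, exp, _) in self._pending.items() if now > exp]
        for uid in stale:
            del self._pending[uid]
        return len(stale)

    def pending_count(self):
        return len(self._pending)


if __name__ == "__main__":
    store = SmsCodeStore()
    code = store.issue("alice")
    print("code sent by SMS:", code)
    print("verified:", store.verify("alice", code))
    print("replay accepted:", store.verify("alice", code))
```

The `now` parameter exists so the expiry and lockout paths can be exercised deterministically; in production the wall clock is used.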

Anonymous 0 Comments

It’s a code on a timer that is both unique to that device and combined with something unique to your account. If you give that to the server it’s easy for it to undo the math for the device registered to you and get the identifier that belongs to you.

Anonymous 0 Comments

Depends on the 2FA solution we are discussing.

SMS 2FA is easy – the provider generates a code and sends it to you by SMS. You then have X seconds to enter the code on the website/app or the code is invalid. If the code matches, you are granted access.

Token-based 2FA involves some tech beyond an ELI5, but the gist is that you are given a token by the website/app. This token tells your 2FA client how to generate one-time 2FA codes. The app uses the token and the current time to generate a specific code which is put into the website/app. Since the website/app knows the token it gave you and the current time, it can validate that the code is correct. There aren’t any database writes because the code generation and validation is done on demand.

Anonymous 0 Comments

The explanations already provided are plenty sufficient so I won’t beat a dead horse but I will add perspective. Working with a private company contracted with the DoD means I frequently need to log on to the company’s website but due to the nature of working in a secured environment where phones aren’t allowed, I’m not able to receive SMS 2FA codes so we get issued a hardware token. This has a pre-determined pseudo-algorithm which is linked with my account so based on the time of day, the code generated on the token is what the system is expecting when I initiate a logon. Since this doesn’t require a remote connection of any type, it’s allowed in the secured area (no transmissions occurring from the device).
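The time-based scheme described in the last three answers (a shared secret plus the current time, with the server redoing the same calculation to check the code, and the same mechanism whether the secret lives in a phone app or in a standalone hardware token) is standardised as TOTP in RFC 6238 on top of HOTP from RFC 4226. The code below is an added example for this thread, not code from any of the answerers or from a real authenticator: it shows what the QR code carries (an `otpauth://` URI holding the secret), how the six-digit code is derived, and how a server verifies it with a small clock-skew window and without accepting a code twice. The issuer/account names are made up; the 20-byte ASCII secret used in the test is the published RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from urllib.parse import quote

PERIOD = 30   # seconds per time step (the "expires every 30 seconds" in the question)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / period)."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // period, digits)


def provision(issuer: str, account: str):
    """Enrollment step: mint a random secret and the URI a QR code would encode.

    Nothing derived from the password is involved; the server stores this
    secret next to the account and the authenticator app stores its own copy.
    """
    secret = os.urandom(20)
    b32 = base64.b32encode(secret).decode().rstrip("=")
    uri = (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
           f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1"
           f"&digits={DIGITS}&period={PERIOD}")
    return secret, uri


def secret_from_b32(b32: str) -> bytes:
    """Undo the (unpadded) base32 encoding used in the otpauth URI."""
    padded = b32 + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


class TotpVerifier:
    """Server side: recompute the code for nearby time steps and compare.

    No database write per code: the only state that changes is the last
    accepted step, kept so a code captured in transit cannot be replayed.
    """

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps
        self.last_counter = -1

    def verify(self, submitted: str, at=None) -> bool:
        if at is None:
            at = int(time.time())
        counter = at // PERIOD
        for c in range(counter - self.skew_steps, counter + self.skew_steps + 1):
            if c <= self.last_counter:
                continue  # already used (or older than something used): refuse replay
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.last_counter = c
                return True
        return False


if __name__ == "__main__":
    secret, uri = provision("ExampleCorp", "alice@example.com")
    print("QR code contents:", uri)
    code = totp(secret)
    print("current code:", code, "accepted:", TotpVerifier(secret).verify(code))
```

The secret is the only thing shared at enrollment; each side independently turns (secret, time) into the same six digits, which is why the hardware token in the last answer needs no network connection at all. The skew window tolerates a token clock that drifts by one step; the `last_counter` check is what stops a captured code from being replayed within that window.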