Two-Factor Authentication

Learning Objectives Explain the difference between the three main authentication factors (knowledge, possession, inherence). Analyze the security trade-offs between SMS-based 2FA and authenticator app 2FA. Describe the high-level algorithmic flow of a Time-based One-Time Password (TOTP). Identify potential vulnerabilities in 2FA systems, including phishing and SIM swapping. Evaluate the critical role of backup codes and recovery options in a 2FA setup. Design a simple flowchart for a login process that incorporates a 2FA check. Ever wonder why your favorite game asks for a code from your phone even after you type your password? 🤔 Let's dive into the advanced tech that makes this super-strong security possible! In this lesson, we'll move beyond just knowing *what*...

TermDefinitionExample Authentication FactorA category of credential used to verify a user's identity. Security experts group them into three types: something you know, something you have, and something you are.A password is a 'knowledge' factor. Your phone with an authenticator app is a 'possession' factor. Your fingerprint is an 'inherence' factor. TOTP (Time-based One-Time Password)An algorithm that uses a shared secret key and the current time to generate a temporary, single-use passcode.The 6-digit code you see in Google Authenticator or Authy that refreshes every 30 seconds. Shared Secret KeyA unique piece of data known only to the user's device and the server. It's the 'seed' used by the TOTP algorithm to generate matching codes...

TOTP Generation Logic GeneratedCode = Truncate( HMAC(SharedSecret, CurrentTimeStep) ) This pattern shows how a TOTP is created. A cryptographic function (HMAC) mixes the Shared Secret with the current time (rounded to a 30-second step). The long result is then shortened (truncated) to a 6-digit code that's easy for a human to type. 2FA Verification Flow IF (Password_Is_Correct) THEN Request_And_Check_Second_Factor() ELSE Deny_Access() This is the fundamental logic for a secure login process. The system must always verify the first factor (password) is correct *before* asking for the second. This prevents attackers from discovering which accounts have 2FA enabled. Factor Independence Principle Compromise_of_Factor1 should NOT lead to Compromise_of_Factor2 A core...