Authentication means confirming the identity of a user; it is an essential step in logging in to a website.

Passwords are the most common authentication method, but they are insecure: they are easily leaked and easily used by an impersonator.

More and more services now require two-factor authentication (2FA). This article introduces the concept and how to implement it.

At the end of the article there is news of Udacity's "Singles' Day" promotion, which offers courses at up to 1,111 yuan off.

1. The concept of two-factor authentication

In general, there are three different types of evidence that can prove a person’s identity.

  • Secret information: something only the user knows and nobody else does, such as a password.
  • Personal possessions: something the user has, such as an ID card or a key.
  • Physical characteristics: something the user is, such as a fingerprint, face, or iris.

These three kinds of evidence are called "factors". The more factors are checked, the stronger the proof and the more reliable the identity.

Two-factor authentication means that two of these factors are required to authenticate.

Bank cards are the most common example of two-factor authentication: to withdraw cash, the user must present both the bank card (something they have) and the PIN (something they know).

2. Two-factor authentication schemes

A common two-factor combination is a password plus some personal possession, such as the "U-shield" (a USB security key) used for online banking in China. The user plugs in the U-shield and enters a password to log in to online banking.

However, users cannot be expected to carry a U-shield with them at all times, and the mobile phone is the best alternative. Password plus mobile phone has therefore become the most popular two-factor scheme.

Many websites in China require the user, in addition to entering a password, to enter a verification code sent by SMS, to prove that the user really possesses the phone.
</gml:gr_replace>
<gr_replace lines="31" cat="clarify" orig="However, short messages">
However, SMS is insecure: messages are easy to intercept and forge, and SIM cards can be cloned. There have been cases of criminals forging ID documents, obtaining a replacement SIM for the same phone number, and transferring away the victim's money.

However, short messages are insecure, easy to intercept and forge, and SIM cards can be cloned. There have been cases of forging I.D.S, applying for identical cell phone numbers, and transferring the money.

Therefore, secure two-factor authentication is not password + SMS but password + TOTP, which is described below.

3. The concept of TOTP

TOTP stands for Time-based One-time Password. It is recognized as a reliable solution and has been standardized in RFC 6238.

The steps are as follows.

Step 1: When the user enables two-factor authentication, the server generates a secret key.

Step 2: The server prompts the user to scan a QR code (or use some other means) to save the key on the user's phone. In other words, the server and the user's phone now share the same key.

Note that the key is bound to the phone. If the user changes phones, a new key must be generated.

Step 3: When the user logs in, the mobile client uses the key and the current timestamp to generate a hash that is valid for a limited period, 30 seconds by default. The user submits this hash to the server within that validity period.

Step 4: The server likewise uses the key and the current timestamp to generate a hash, and compares it with the hash submitted by the user. If the two differ, login is denied.

4. The TOTP algorithm

If you look closely at the steps above, you may have a question: how do the mobile client and the server ensure that they both get the same hash within the same 30-second window?

The answer is the following formula.

TC = floor((unixtime(now) − unixtime(T0)) / TS)

In the formula above, TC is the time counter, unixtime(now) is the current Unix timestamp, and unixtime(T0) is the timestamp of an agreed starting point, which defaults to 0, i.e., January 1, 1970. TS is the length of the validity period of each hash, 30 seconds by default. With these defaults, the formula reduces to the form below.

TC = floor(unixtime(now) / 30)

So TC stays the same throughout each 30-second window. The premise is that the clocks of the server and the phone are synchronized.

The hash can then be computed.

TOTP = HASH(SecretKey, TC)

In the formula above, HASH is the agreed-upon hash function, SHA-1 by default.

TOTP has hardware and software generators, both using the above algorithm.

(Image: a hardware TOTP generator)

(Image: Google Authenticator, a mobile app that generates TOTP codes)

5. Implementing TOTP

TOTP is easy to write, and implementations exist in many languages. Below I implement 2FA in JavaScript to show the actual code.

First, install the module.

$ npm install --save 2fa

Then generate a 32-character key.

var tfa = require('2fa');

// Generate a random 32-character secret; it is delivered asynchronously
tfa.generateKey(32, function(err, key) {
  console.log(key);
});
// b5jjo0cz87d66mhwa9azplhxiao18zlx

Now the one-time code can be generated from the key.

// key is the secret generated above, shared with the user's phone
var tc = Math.floor(Date.now() / 1000 / 30); // time counter: 30-second window
var totp = tfa.generateCode(key, tc);
console.log(totp);
// 683464

6. Summary

The advantage of two-factor authentication is that it is far more secure than password-only login. Even if the password is compromised, the account remains safe as long as the phone is not. Password-cracking techniques alone are ineffective against two-factor authentication.

The downside is that login becomes a longer, more cumbersome process, and users grow impatient. Nor does it make the account completely safe: an intruder can still hijack an entire session by stealing the cookie or token.

The biggest problem with two-factor authentication is account recovery.

Once you forget your password or lose your phone, the login must be recovered by bypassing two-factor authentication, which creates a security hole, unless you have two separate sets of two-factor authentication, one for login and one for account recovery.

7. Reference links

  • Multi-factor authentication, by Wikipedia
  • Time-based One-time Password Algorithm, by Wikipedia
  • Enabling Two-Factor Authentication For Your Web Application, by Bozhidar Bozhanov
  • simontabor/2fa, by Simon Tabor

(End of article)

====================================

After two or three years in the industry, programmers often hit a career bottleneck. 80% of them spend their time working late and fixing bugs; only a few choose to spend their spare time refining their skills, raising their potential, and breaking through the salary ceiling.

Udacity is a cutting-edge technology learning platform from Silicon Valley that helps you master the latest technology.

Its courses and programs come from Silicon Valley giants such as Google and Facebook, and it offers services such as human code review and one-on-one online Q&A, so you waste no time going astray.

This Double 11, instead of hoarding a year's worth of cheap goods, why not invest in your future and improve yourself on Udacity? From November 1 to November 11, courses are discounted by up to ¥1,111, letting you enjoy Silicon Valley learning resources with ease!

Discounted places are limited and offered first come, first served. Click here to learn more.

(End)