Identity authentication

Identity authentication, in the narrow sense used here, is the process by which a computer or network system confirms who an operator is, so that it can decide whether that user is permitted to access or act on a given resource.

Authentication exists on the Internet to stop an attacker from impersonating you in a system and acting in your name. Imagine waking up one morning to find that your Alipay account has been taken over and all the money in your Yu'e Bao balance is gone: that is a serious loss.

Unlike the real world, however, everything in the network world is represented by a specific set of data. A computer can only recognise a user's digital identity, so any authorisation granted to a user is really authorisation granted to that digital identity.

Ensuring that an operator's physical identity matches their digital identity is therefore a crucial problem, and identity authentication plays a pivotal role on the Internet. This article introduces a method used by many websites: two-factor authentication (also called two-step verification, abbreviated 2FA).

Two-factor authentication (2FA)

Although identity is expressed differently in the network world and the real world, the means and experience of authenticating it carry over. In the real world there are three basic ways to authenticate a user: by something they know (such as a password), something they have (such as a key or token), and something they are (such as a fingerprint).

These three criteria are known as the three 'factors'. The more factors that are checked, the stronger the proof and the more reliable the identity.

In the network world, therefore, scenarios that need stronger authentication select two of these three factors: this is two-factor authentication.

Before Alipay became widespread in mainland China, opening a bank account usually meant being issued a "U shield" (a USB security key). To use online banking, the user first inserted the U shield and then entered a password to log in. In this procedure the U shield (something you have) and the password (something you know) together form two-factor authentication.

Later, with the rise of the mobile Internet, the phone became the object people are least willing to be without, and the traditional "U shield + password" combination gave way to "mobile phone + password".

Today the SMS verification code is one of the most widely used two-step verification methods in China. It is easy to use and needs no extra app, but delivery of the code depends on the network and the carrier's signal, and it can be intercepted. Imagine a verification code that could be obtained with no dependence on the carrier or the network, even with the phone in airplane mode. Wouldn't that be more secure?

That is what TOTP, the **time-based one-time password**, provides. It is widely recognised as a reliable solution and has been adopted as an international standard.

TOTP

Process

The TOTP process is as follows:

  1. The server randomly generates a key and stores the key in the database.
  2. The server delivers the key, usually by displaying a QR code on the page that contains the key.
  3. The client scans the QR code and saves the key in the client.
  4. Every 30 seconds, the client uses the key and the current timestamp to generate a 6-digit one-time password with the TOTP algorithm.

The TOTP authentication flow is in fact very simple, so only this outline is given here. For the details of the algorithm, refer to 👉 TOTP: Time-based One-Time Password Algorithm

Apart from obtaining the key from the server the first time, generating a one-time code this way places no other demand on the network, so the code can be produced even offline. And because each dynamically generated code is valid for only 30 seconds, its security is greatly improved.

In practice, however, some additional circumstances must be handled. If someone tries to brute-force the verification code, the number of failed attempts can be limited. And if the phone's clock is not synchronised with the server's, the server needs a verification algorithm that tolerates a 30-second difference from its own time, so that a slight clock offset does not cause verification to fail.
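The four-step flow above and the clock-tolerance check, as an added example in Python that is not code from the original article. It follows RFC 6238 (HMAC-SHA1, 30-second steps, 6 digits) and uses the RFC's published ASCII test key as a constructed stand-in for the secret the server would generate at enrolment.

```python
import hmac
import hashlib
import struct
import time

# Parameters from RFC 6238 (the TOTP standard linked above).
STEP_SECONDS = 30
DIGITS = 6


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a `digits`-digit decimal code."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble selects a 4-byte window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, timestamp: int, step: int = STEP_SECONDS) -> str:
    """Client side (step 4): HOTP where the counter is the number of
    30-second steps since the Unix epoch."""
    return hotp(key, timestamp // step)


def verify_totp(key: bytes, code: str, timestamp: int,
                window: int = 1, step: int = STEP_SECONDS) -> bool:
    """Server side: accept the code for the current step and for `window`
    steps either side of it, which absorbs a small clock offset between
    phone and server. Comparison is constant-time; the caller should also
    cap the number of failed attempts, as the text notes."""
    base = timestamp // step
    expected = (hotp(key, base + d).encode() for d in range(-window, window + 1))
    return any(hmac.compare_digest(e, code.encode()) for e in expected)


# Constructed shared secret: the RFC 6238 Appendix B test key, which after
# enrolment (steps 1-3) both client and server hold. Never reuse a published key.
SHARED_KEY = b"12345678901234567890"

if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SHARED_KEY, now))
    # A code from the previous step still passes; one from two steps ago does not.
    print(verify_totp(SHARED_KEY, totp(SHARED_KEY, now - 30), now))   # True
    print(verify_totp(SHARED_KEY, totp(SHARED_KEY, now - 90), now))   # False
```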

Current usage

TOTP authenticator apps currently fall into two categories, "exclusive" and "open". An exclusive app supports two-step verification only for its own account, for example QQ Security Center or the Steam authenticator token. An open app is a pure two-step verification app that acts as the authenticator for many websites; Google Authenticator, for example, is an open-source tool that generates one-time passwords on the TOTP principle.

The Google Play Store has many third-party one-time code tools based on TOTP. Because of Chinese users' habits, however, SMS verification codes are still used in most cases, with TOTP reserved for special occasions such as password recovery. This is one difference between domestic and foreign usage habits.

Conclusion

Overall, two-step verification apps based on TOTP offer much higher security than SMS codes at comparable convenience, and are a tool for protecting users' property. They do add an extra step to login, which takes time and may annoy users. Where important data is at stake, however, use two-step verification wherever possible, or you may end up losing a code base as AntDesign did.

That is all for this article. The New Year has come and presumably everyone is back at work; I wish you a happy New Year, the Year of the Ox 🐂. If you find my articles helpful and want to keep supporting "01 binary" in the New Year, your support is the biggest motivation for me to keep writing original pieces!