What is two-factor authentication?
In traditional authentication, we use a username and password to identify a user in a system. As technology evolves, this approach is no longer secure enough: there are many ways an attacker can obtain your credentials, including password leaks, password brute-force attacks, phishing, and so on. To secure a user account, there is an approach called Two-Factor Authentication (2FA); it is the topic I'll cover today. Okay, let's get started.
What is 2FA?
Basically, authentication factors can be grouped into three types:
Something you know (password)
Something you have (device, card)
Something you are (biometrics)
In a normal authentication system, the username and password form the first factor. If we add one more factor to secure the login, it becomes the second factor; it can be either a device or biometrics.
In this post, I'll focus on the "something you have" factor and discuss authentication based on a device such as a smartphone.
The idea behind device-based authentication is that you receive a one-time password (OTP) for every login. You must enter that one-time password to prove to the system "it is you".
Device-based Authentication
Device-based authentication can be grouped into two types: message channels and authenticator apps. To keep this post short, I will only cover message channels here. I will write a separate post about authenticators.
Message Channel
In this type of authentication, the message channel can be SMS, email, a phone call, or another channel. The idea is to send a one-time password to the target user via one of these channels. After the user receives the one-time password, they enter it into the system.
By implementing this design, we can secure the username-password authentication with a second factor: SMS. Nearly everyone has a smartphone, and it lets people receive text messages, so SMS is a convenient channel for OTP authentication. Compared to email, SMS seems more secure, because a laptop or desktop is easy to compromise, and if your computer gets hacked, your email account will probably be exposed as well.
There are several things you need to take care of when implementing 2FA:
Rate-limit the verifyOTP API
Set a reasonable rate limit on this API so that an attacker cannot brute-force the OTP.
Set an expiry time for the OTP
The OTP should be short-lived so that it is tied to the current login attempt.
Invalidate the OTP once it has been used
To prevent replay attacks, invalidate the OTP as soon as it is used.
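As an added example (not code from the original post), here is a small Python OTP service that implements the message-channel flow described above (generate a code, deliver it through a channel, verify the user's input) together with the three controls just listed: a per-code attempt limit on verification, a short expiry, and single use. The class and function names, the in-memory store, the `send` callback standing in for an SMS or email gateway, and the constants are all assumptions made for this illustration.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict

OTP_DIGITS = 6
OTP_TTL_SECONDS = 120       # short-lived: the code is tied to the current login attempt
MAX_VERIFY_ATTEMPTS = 5     # rate limit on verifyOTP per issued code (assumed value)


@dataclass
class OtpRecord:
    code: str
    expires_at: float
    attempts: int = 0
    used: bool = False


class OtpService:
    """Hypothetical message-channel OTP service: issue, deliver, verify."""

    def __init__(self, send: Callable[[str, str], None],
                 clock: Callable[[], float] = time.time):
        self._send = send          # delivery channel (SMS/email gateway); stubbed in the demo
        self._clock = clock        # injectable clock so expiry can be tested offline
        self._pending: Dict[str, OtpRecord] = {}

    def issue(self, user_id: str) -> None:
        # secrets (not random) gives an unpredictable code; zero-padded to a fixed width
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[user_id] = OtpRecord(code=code,
                                           expires_at=self._clock() + OTP_TTL_SECONDS)
        self._send(user_id, code)

    def verify(self, user_id: str, submitted: str) -> str:
        rec = self._pending.get(user_id)
        if rec is None:
            return "no_pending_otp"
        if rec.used:
            return "already_used"          # single use: replayed codes are rejected
        if self._clock() > rec.expires_at:
            del self._pending[user_id]
            return "expired"               # expiry: stale codes are discarded
        if rec.attempts >= MAX_VERIFY_ATTEMPTS:
            del self._pending[user_id]     # burn the code; the user must request a new one
            return "too_many_attempts"     # attempt limit: brute force is cut off
        rec.attempts += 1
        if hmac.compare_digest(rec.code, submitted):   # constant-time comparison
            rec.used = True
            return "ok"
        return "wrong_code"


def _other_code(code: str) -> str:
    """A code guaranteed to differ from `code` (for the demo only)."""
    return f"{(int(code) + 1) % 10 ** OTP_DIGITS:0{OTP_DIGITS}d}"


def demo() -> Dict[str, str]:
    """Drive the service with a fake clock and a capturing 'SMS' sender (constructed)."""
    outbox: Dict[str, str] = {}
    now = [1_000.0]
    svc = OtpService(send=lambda user, code: outbox.__setitem__(user, code),
                     clock=lambda: now[0])
    results: Dict[str, str] = {}

    svc.issue("alice")                                   # normal login, then a replay
    results["wrong"] = svc.verify("alice", _other_code(outbox["alice"]))
    results["ok"] = svc.verify("alice", outbox["alice"])
    results["replay"] = svc.verify("alice", outbox["alice"])

    svc.issue("bob")                                     # code presented after expiry
    now[0] += OTP_TTL_SECONDS + 1
    results["expired"] = svc.verify("bob", outbox["bob"])

    svc.issue("carol")                                   # brute-force attempts exhaust the limit
    for _ in range(MAX_VERIFY_ATTEMPTS):
        svc.verify("carol", _other_code(outbox["carol"]))
    results["locked"] = svc.verify("carol", outbox["carol"])
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the correct code is rejected for "carol" once the attempt budget is spent: burning the code and forcing a fresh issue is what turns a six-digit guess space into something an attacker cannot walk through. In a real deployment the pending records would live in a shared store with a TTL rather than a process-local dict.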
If you have more ideas, please leave them in the comments below.🙌
Your Turn
If a user abuses the resendOTP endpoint, what problem will that cause, and how would you solve it?