Awesome Software Engineer

What is two-factor authentication?

blog.awesomesoftwareengineer.com

Ray Chong
Nov 16, 2022

Traditionally, a system identifies a user with a username and password. That alone is no longer good enough: an attacker can obtain credentials in many ways, including leaked password databases, brute-force and credential-stuffing attacks, and phishing. One approach to protecting a user account against stolen credentials is Two-Factor Authentication (2FA), and it is the topic I'll cover today. Let's get started.

What is 2FA?

Authentication factors fall into three categories:

  1. Something you know (password)

  2. Something you have (device, card)

  3. Something you are (biometrics)

In a typical system, the username and password are the first factor. Adding a second factor from a different category turns this into two-factor authentication; the second factor can be a device or biometrics. A second secret from the same category (a PIN, a security question) does not count, because an attacker who can phish one thing you know can usually phish the other.

In this post, I'll focus on "something you have": authentication based on a device such as a smartphone.

The idea behind device-based authentication is that you receive a one-time password (OTP) for every login and must enter it to prove that the person logging in also holds the device.

Device-based Authentication

Device-based authentication comes in two forms: message channels and authenticator apps. To keep this post short, I will only cover message channels here; authenticators will get a post of their own.

Message Channel

In this type of authentication, the message channel can be SMS, email, a phone call, or something similar. The server generates a one-time password and sends it to the user over one of these channels; the user then enters the code into the system to complete the login.

With this design, the username and password are backed by a second factor delivered over SMS. Almost everyone has a phone that can receive text messages, so SMS is a convenient OTP channel. It is often considered stronger than email, because a compromised laptop usually exposes the email account as well, and an email OTP then adds little. SMS has its own weaknesses, though: the code proves control of the phone number rather than of the handset, so an attacker who takes over the number through SIM swapping receives the code directly, and a real-time phishing page can simply ask the victim to type the code in. For these reasons NIST SP 800-63B classifies SMS and voice OTPs as "restricted" authenticators. Treat SMS as a baseline second factor, not the strongest one.

There are several things you need to take care of when implementing OTP-based 2FA:

  • Rate limit the verifyOTP API

    A 6-digit code has only a million possible values. Set a reasonable limit on verification attempts, per user and per code, so that the OTP cannot be brute-forced within its lifetime.

  • Set an expiry time for the OTP

    The OTP should be short-lived (a few minutes) so that it is tied to the current login attempt and a code intercepted later is useless.

  • Invalidate the OTP once it has been used

    To prevent replay attacks, the OTP must be invalidated the moment it is accepted; the same code should never verify twice.
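As an added example (not code from the original post), here is a minimal server-side OTP service in Python that applies all three controls from the list above: a sliding-window rate limit on verification, a short expiry, and single-use invalidation, plus a constant-time comparison and a cap on wrong guesses per code. The user IDs, the numeric limits and the injectable clock are illustrative assumptions; delivery of the code over SMS or email is left to whoever calls `issue()`.

```python
"""Server-side handling of a message-channel OTP (SMS, email, voice).

Added example; the limits below are assumptions chosen for illustration.
"""
import hmac
import secrets
import time
from collections import deque
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Deque, Dict

OTP_DIGITS = 6                # 10**6 possible codes
OTP_TTL_SECONDS = 300         # a code is only good for the current login
MAX_GUESSES_PER_CODE = 5      # wrong guesses before the code is burned
MAX_VERIFIES_PER_WINDOW = 10  # verifyOTP calls per user per window
WINDOW_SECONDS = 600


class VerifyResult(Enum):
    OK = "ok"
    RATE_LIMITED = "rate_limited"
    NO_PENDING_CODE = "no_pending_code"
    EXPIRED = "expired"
    INVALID = "invalid"


@dataclass
class PendingOtp:
    code: str
    expires_at: float
    wrong_guesses: int = 0


class OtpService:
    """Issues and verifies OTPs; the delivery gateway is out of scope."""

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now  # injectable clock so expiry can be tested
        self._pending: Dict[str, PendingOtp] = {}
        self._verify_times: Dict[str, Deque[float]] = {}

    def issue(self, user_id: str) -> str:
        # secrets, not random: the code must be unpredictable.
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        # A new code replaces any outstanding one: only one is valid at a time.
        self._pending[user_id] = PendingOtp(
            code=code, expires_at=self._now() + OTP_TTL_SECONDS
        )
        return code  # hand this to the SMS/email gateway

    def _over_rate_limit(self, user_id: str) -> bool:
        """Sliding window over verify calls; counts the call if allowed."""
        now = self._now()
        times = self._verify_times.setdefault(user_id, deque())
        while times and now - times[0] > WINDOW_SECONDS:
            times.popleft()
        if len(times) >= MAX_VERIFIES_PER_WINDOW:
            return True
        times.append(now)
        return False

    def verify(self, user_id: str, submitted: str) -> VerifyResult:
        # 1. Rate limit first, before touching the stored code.
        if self._over_rate_limit(user_id):
            return VerifyResult.RATE_LIMITED
        pending = self._pending.get(user_id)
        if pending is None:
            return VerifyResult.NO_PENDING_CODE
        # 2. Expiry: a stale code is dropped and never compared.
        if self._now() > pending.expires_at:
            del self._pending[user_id]
            return VerifyResult.EXPIRED
        # Constant-time comparison: timing must not leak matching digits.
        if hmac.compare_digest(pending.code.encode(), submitted.encode()):
            # 3. Single use: invalidate the moment it is accepted.
            del self._pending[user_id]
            return VerifyResult.OK
        pending.wrong_guesses += 1
        if pending.wrong_guesses >= MAX_GUESSES_PER_CODE:
            # Burn the code; the user must request a fresh one.
            del self._pending[user_id]
        return VerifyResult.INVALID


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")        # in production: send via SMS, never log
    print(svc.verify("alice", code))  # VerifyResult.OK
    print(svc.verify("alice", code))  # VerifyResult.NO_PENDING_CODE (replay)
```

The per-user window and the per-code guess cap address different attackers: the window slows down a single attacker hammering verifyOTP, while burning the code after a handful of wrong guesses bounds the total number of guesses any one code can ever receive, even across windows. In a real deployment the pending codes and counters live in a shared store such as Redis rather than in process memory, and the code is stored hashed rather than in plaintext.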

If you have more ideas, please leave them in the comments below. 🙌

Your Turn

If a user maliciously calls the resendOTP endpoint over and over, what problems does that cause, and how would you solve them?

© 2023 Ray Chong