Two-factor authentication is a two-step user verification process, or put differently, a security mechanism that requires two independent factors (user credentials) to pass the authentication check. It adds an extra layer of security by verifying two of the following: something the user knows (e.g. a password), something the user has (e.g. a smartphone or hardware token) or something the user is (e.g. a fingerprint or other biometric). Because both factors must be presented, a web application is far better protected against account takeover and the breaches that follow from it.
In contrast, single-factor authentication typically takes only a user ID and password as the authentication factors, which is not secure enough for most applications and can lead to security breaches. One problem with this approach is that the user has to choose and remember the strong password set at registration. The account can be compromised if an attacker obtains that password through common attacks such as phishing campaigns or brute-force cracking. That is the reason many online services are introducing two-factor authentication to secure user data from attackers.
What are authentication factors?
- Knowledge factor: something the user knows, such as a password or API secret.
- Possession factor: something the user has, such as a smartphone, hardware token or smartcard.
- Inherence factor: something the user is, such as a fingerprint, another biometric or the voice.
Two-factor authentication using a smartphone application
Nowadays, mobile devices can be used as the second factor for user authentication. Instead of using a text message, email or voice call as the channel for delivering the authentication token or OTP, many Android and iOS applications, such as Google Authenticator, generate the token inside the application itself. This application-generated token (OTP) is then used to validate the user's identity.
The process of two-factor authentication using Google Authenticator is quite straightforward.
- Initially, the user has to enrol his online service account in Google Authenticator by scanning the QR code provided by the service provider or by manually entering the shared secret key into the Google Authenticator app.
- When logging in, the user is first asked to enter the basic authentication details, i.e. username and password.
- Once the user is verified by password-based authentication, he is prompted to enter the six-digit token generated by the authenticator application (e.g. Google Authenticator) on the smartphone. This token is unique for each login and changes every 30 seconds, which is why it is called a time-based token (TOTP).
- The six-digit token entered by the user is then verified on the server. If the token is valid, the user is considered authenticated, because a correct token demonstrates possession of the enrolled device.
In my next post about 2FA, we will see how to implement 2FA using Google Authenticator in ASP.NET.