You must have come across buzzwords such as “MFA” and “2FA” at some point, but what do they really mean? Why are they so popular these days? And why are they becoming such a focal point of the security layer?

What is 2FA/MFA?

2FA/MFA stands for Two-Factor / Multi-Factor Authentication. A conventional authentication system requires only your username and password; we call that Single-Factor Authentication (SFA). In MFA, several independent factors are combined to prove that it is really you who is trying to access the system. The factors fall into three categories:

  • Something that you know (your password, maybe a couple of security questions).
  • Something that you have (your mobile phone or another device you own).
  • Something that you are (fingerprint, face recognition, etc.).

2FA is simply MFA with exactly two factors. In the scheme this tutorial builds, those two factors are:

  • Username/password (something you know).
  • A one-time password generated on, or sent to, your device (something you have).

Standards for generating an OTP

A One-Time Password (OTP) is generated from a shared secret key plus a moving factor such as a counter or the current time. The two main standards for generating an OTP are HOTP and TOTP. Event-based OTP, known as HOTP (RFC 4226), is the original one-time password algorithm and relies on two pieces of information: a shared secret and a counter. The first step computes an HMAC (HMAC-SHA-1 in the standard) over the counter, encoded as an 8-byte big-endian integer, keyed with the shared secret. The second step truncates the resulting HMAC to the desired length (typically 6 digits) to obtain the OTP. The token increments its counter every time it generates a code, and the server increments its own copy after every successful verification, so each code can be accepted at most once.

HOTP is great, but keeping the two counters in sync can become a headache: every code the token generates but never submits moves it ahead of the server, which then has to search a look-ahead window to resynchronise. Also, an unused HOTP passcode stays valid until the server's counter moves past it, which can be a long time, and that exposes the system to a captured code being used later. To solve these problems, we are going to discuss the second standard, known as TOTP.
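
To make the HOTP steps above and the counter-synchronisation problem concrete, here is an added example (not code from the original tutorial, and not PyOTP's implementation) that computes HOTP with only the Python standard library and then verifies submitted codes server-side with a bounded look-ahead window, refusing replays. The secret is the ASCII reference key from RFC 4226 Appendix D, used here as constructed test input; the `HotpVerifier` class and its `look_ahead` parameter are names chosen for this example.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D reference secret (ASCII "12345678901234567890").
# Constructed test input for this example, not a secret to use in production.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Compute an HOTP value as specified in RFC 4226.

    HMAC-SHA-1 is taken over the counter encoded as an 8-byte big-endian
    integer. The low nibble of the last MAC byte selects a 4-byte window;
    the top bit of that window is masked off to give a 31-bit integer, and
    that integer mod 10**digits, zero-padded, is the one-time password.
    """
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side state for one enrolled HOTP token (example helper).

    The token increments its own counter every time it produces a code, so the
    server can fall behind when codes are generated but never submitted.
    RFC 4226 recommends a bounded look-ahead window: try counter ..
    counter+look_ahead and, on a match, move the server counter just past the
    matched value so that code (and any earlier one) is never accepted again.
    """

    def __init__(self, secret: bytes, look_ahead: int = 5, digits: int = 6):
        self.secret = secret
        self.counter = 0            # next counter value the server expects
        self.look_ahead = look_ahead
        self.digits = digits

    def verify(self, submitted: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits)
            # compare_digest: constant-time comparison, so timing does not
            # reveal how many digits (or which window position) matched
            if hmac.compare_digest(expected.encode(), submitted.encode()):
                self.counter = c + 1    # resynchronise and burn this code
                return True
        return False


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))        # 755224, 287082, 359152
    v = HotpVerifier(RFC4226_SECRET)
    print(v.verify(hotp(RFC4226_SECRET, 3)))     # True: counter 3 is inside the window
    print(v.verify(hotp(RFC4226_SECRET, 3)))     # False: replay of a consumed code
```

The verifier never accepts a counter value it has already moved past, which is what prevents a captured code from being replayed; the remaining exposure is the window between a code being generated and the server counter advancing, which is exactly the gap TOTP closes by tying the moving factor to the clock.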

#python #2fa #django #pyotp #mfa

Python Tutorial - Integrating 2FA/MFA using PyOTP