Author Topic: 2 factor authentication  (Read 524 times)

Offline catweazle

For a couple of work applications, "2-factor authentication" has just been introduced. For example, to log onto the company VPN (to check pay, say) I have to input a lengthy username (work ID number, followed by abbreviated company name, followed by a region identifier (as they're multinational), followed by my name).

I then input on the next line a 12-character password.

Then - and this is the bit that intrigues me - I open an app on my phone, which generates a seemingly random 6-digit number, which I input onto the login and finally it connects me to the VPN.

What really interests me is that 6-digit number.
How does the system know that the number I've input is valid? It won't accept a number I just made up (I've tried) - is there a list deep in the system that says "the codes for 09.50 to 09.52 on the 1 January are: ....."?

I know someone will say "oh, it's just an algorithm" but that means zip to me. Anyone able to explain in layman's terms, please?

Online daviemac

I don't know how it works but quite often if I'm paying by PayPal I have to log in with my username and password then they send a verification code to my phone which I also have to input to confirm it's actually me.

I can only assume the system that generates the code recognises it when I input it.   :unknown:

Offline 8MillionDollarMan

This sort of thing puzzles me too, as the secure key I use for banking generates a number for access; how this relates to the time I attempt to login I've no idea.

Online RandomGuy99

Basically the server can calculate what code your code generating device or software should generate at a point in time. It compares the value you enter with the one it thinks you should be generating. If they match you're in. If not, then the computer says no.

It's maths innit.
« Last Edit: January 17, 2024, 04:53:40 pm by RandomGuy99 »

Offline PumpDump

I am not 100% sure but this is an educated guess. The app on your phone generates a random 6-digit number every X minutes. The app has a connection to the VPN and informs it each time a new 6-digit number is generated. So when you enter the 6-digit number to log in to your VPN it validates it against the last code it received from the app on your phone. It is likely the six-digit number is only valid for a short time, 2 mins or thereabouts. Your idea that the codes are stored on your device with a timeframe for each code to be valid is definitely not the case, as that would be a huge security risk should someone hack into the app and retrieve the list of valid codes.

Offline 8MillionDollarMan

Quote from: RandomGuy99
Basically the server can calculate what code your code generating device or software should generate at a point in time. It compares the value you enter with the one it thinks you should be generating. If they match you're in. If not, then the computer says no.

It's maths innit.

:thumbsup: Time based, simple.

Offline PumpDump

Quote from: RandomGuy99
Basically the server can calculate what code your code generating device or software should generate at a point in time. It compares the value you enter with the one it thinks you should be generating. If they match you're in. If not, then the computer says no.

It's maths innit.

Interesting. So it should work if your mobile running the app has no internet connection. What if the time and date settings on your mobile are wrong, would the wrong code be generated?

Online RandomGuy99

Quote from: PumpDump
Interesting. So it should work if your mobile running the app has no internet connection. What if the time and date settings on your mobile are wrong, would the wrong code be generated?

Yes, the code would be wrong.

Random numbers on computers aren't really random. They are pseudo-random. You generate them from a known seed value and have an algorithm that calculates them. If you call the same algorithm with the same seed then it should generate the same list of "random" numbers.  The algorithm for the codes must use the current date and time as part of its calculation, so the server and the device can do the same calculation and compare the results. If they match then you're in.
« Last Edit: January 17, 2024, 05:19:50 pm by RandomGuy99 »

Offline PumpDump

catweazle, you got enough info to hack the system now?!!

Offline FiveKnuckles

A 'secret key' together with 'time' generates the codes using an agreed algorithm (chain or tree). "Time based One Time Pass": TOTP.

- At the point of setup (say you're using Google Authenticator), the security app will generate a 'secret key' that you scan to add onto your Google Authenticator. This 'secret key' is held on your authentication device and most likely specifies the algorithm (chain or tree) type that is used to generate the keys given the time. The app should be secure enough that you cannot retrieve the secret key, nor duplicate the app to another phone.

- When the website requires the 2FA code, the secret key + agreed algorithm and time generates the numbers. This usually has a 1 minute window before a new code is generated.


Online RandomGuy99

Alternatively, it could just be magic. Ssssssh

Online timsussex

If anyone is interested, look up PGP (Pretty Good Privacy), which is based on large prime numbers.

You generate 2 keys, one of which you send to your 'friend' using any non-secure message system; they then use that key to code a message to send to you.
Even if someone gets hold of that public key and the message, it is impossible (or would need all the computers in the world for years) to decode it.

Only someone with the second key (i.e. you) can read it.

Offline gman28

Quote from: catweazle
Then - and this is the bit that intrigues me - I open an app on my phone, which generates a seemingly random 6-digit number, which I input onto the login and finally it connects me to the VPN.

What really interests me is that 6-digit number.
How does the system know that the number I've input is valid? It won't accept a number I just made up (I've tried) - is there a list deep in the system that says "the codes for 09.50 to 09.52 on the 1 January are: ....."?

I know someone will say "oh, it's just an algorithm" but that means zip to me. Anyone able to explain in layman's terms, please?

There are many ways to implement two-factor auth, but the scenario you refer to most likely uses something called Time-based One Time Password (TOTP), for example Google's Authenticator.

A TOTP is basically based on pseudo-random data where the current time is an input. Pseudo means the codes appear random to an eavesdropper but they are not.

So as others mentioned above, your phone app and the server you are authenticating to produce the same code unique for your login valid for a short period of time. The server does not send any challenge directly to your phone app which is why you can authenticate without a connection.
« Last Edit: January 17, 2024, 06:14:50 pm by gman28 »

Offline catweazle

Well, thanks everyone. I'm not sure I'm any the wiser, but it certainly was an interesting read!

Offline Chazz

Quote from: gman28
There are many ways to implement two-factor auth, but the scenario you refer to most likely uses something called Time-based One Time Password (TOTP), for example Google's Authenticator.

A TOTP is basically based on pseudo-random data where the current time is an input. Pseudo means the codes appear random to an eavesdropper but they are not.

So as others mentioned above, your phone app and the server you are authenticating to produce the same code unique for your login valid for a short period of time. The server does not send any challenge directly to your phone app which is why you can authenticate without a connection.

Sorry, please can you explain that again. I got as far as TOTP, and now all I can think about is Pan's People dancing provocatively in satin hotpants to Shawaddywaddy on Top of The Pops.  :wacko:

Offline petermisc

I recall an earlier version of the system where you got a small card reader device, that looked a bit like a small pocket calculator.  You put your card in, pressed a button and it would display a code that you entered on your computer.  The reader had no internet connection, so the code must have been purely based on some info on your card, and the time.  It didn't matter what card reader you used, so there couldn't have been anything user-specific stored on the reader.

And an even earlier version, where I was sent a printed personalised code table.  The bank's computer would generate a random code, that I would then have to convert using this code table.  So if part of the bank's code was say F3, I would have to lookup what character was in row F column 3 on my table.

A fundamental part of the security involves information being sent to the user by one transmission medium, being converted in a predictable way at the user end, and returned by a different transmission method.  In these early cases, the reader and code tables were sent by post.


Online Bigwilts

Quote from: Chazz
Sorry, please can you explain that again. I got as far as TOTP, and now all I can think about is Pan's People dancing provocatively in satin hotpants to Shawaddywaddy on Top of The Pops.  :wacko:

That’s exactly how it works.

When time based the app takes the current time
Not the precise time as the server also needs to make the calculation, so will use something of an approximation

E.g. both the server and the app look up the current date/time, the server gets 21 Jan 2023 10:51:45 and when you click on the app it gets 21 Jan 2023 10:52:10.
The algorithm may choose to truncate away the seconds and minutes giving a common result of 21 Jan 2023 10:5

The app runs an algorithm formula which comes up with a year between 1968 and 1976, a week number (episode) and a counter between 1 and 30.
It then scans its encrypted TOTP database for the nearest Pans People performance (in case of multiple tracks per episode) and comes up with an artist name - Shawaddywaddy.
Each letter in the artist name is attributed a number and a second algorithm formula gives a short code number.

The user enters that short code number.

The server reverses the second algorithm to reveal Shawaddywaddy, cross references its TOTP database for all possible Pans People Shawaddywaddy performance episode time slots.
For each of those results it reverses the first algorithm to see if any of the time results match the timestamp that the process began.
If one is right then you get in, but if the code sent back was for Wizzard then you get two more chances before being locked out.



Some other systems are based on Hot Gossip and the Kenny Everett show

Offline JontyR


Quote from: petermisc
And an even earlier version, where I was sent a printed personalised code table.  The bank's computer would generate a random code, that I would then have to convert using this code table.  So if part of the bank's code was say F3, I would have to lookup what character was in row F column 3 on my table.

I think you are getting online banking confused with Jet Set Willy.

Online RandomGuy99

Quote from: JontyR
I think you are getting online banking confused with Jet Set Willy.

I still have an online bank account that uses that card.

Offline wordy

Quote from: Bigwilts
That’s exactly how it works.

When time based the app takes the current time
Not the precise time as the server also needs to make the calculation, so will use something of an approximation

E.g. both the server and the app look up the current date/time, the server gets 21 Jan 2023 10:51:45 and when you click on the app it gets 21 Jan 2023 10:52:10.
The algorithm may choose to truncate away the seconds and minutes giving a common result of 21 Jan 2023 10:5

The app runs an algorithm formula which comes up with a year between 1968 and 1976, a week number (episode) and a counter between 1 and 30.
It then scans its encrypted TOTP database for the nearest Pans People performance (in case of multiple tracks per episode) and comes up with an artist name - Shawaddywaddy.
Each letter in the artist name is attributed a number and a second algorithm formula gives a short code number.

The user enters that short code number.

The server reverses the second algorithm to reveal Shawaddywaddy, cross references its TOTP database for all possible Pans People Shawaddywaddy performance episode time slots.
For each of those results it reverses the first algorithm to see if any of the time results match the timestamp that the process began.
If one is right then you get in, but if the code sent back was for Wizzard then you get two more chances before being locked out.

Some other systems are based on Hot Gossip and the Kenny Everett show

 :lol: