Two-Factor Authentication: Sanskriti Mittal BTBTC19023 B.Tech CS III Year 1913091

Two-factor authentication (2FA) adds a layer of security beyond a username and password. The user must present two different authentication factors: something they know, such as a password, and something they have, such as a phone or hardware token (or something they are, a biometric). The most common second factors are SMS codes, authenticator apps, security keys and biometrics. Authenticator apps generate a one-time password with the TOTP algorithm from a shared secret key and the current time. Implementing 2FA significantly reduces the risk of account compromise compared with passwords alone, and most major websites and services now support it.


Two-Factor Authentication

Sanskriti Mittal
BTBTC19023
B.Tech CS III year
1913091
What is Two-Factor Authentication?
Two-Factor Authentication is a security process which provides a second layer of
protection to a user's account. The user is required to provide a second
authentication factor aside from the username and password to get access. 2FA
combines two factors for authentication: the first factor is the username and
password, and the second factor can be either of the two "somethings" below:

• something the user has: a smartphone, a credit card or a hard token
• something the user is: a biometric pattern such as a fingerprint, an iris scan or a voice print
Why do we need Two-Factor Authentication?

• A single layer of username and password is easily penetrable.
• Users tend to keep easy passwords like "111111" or "12345" etc. that can be easily cracked.
• Two-thirds of users use the same password everywhere.
• Data breaches, phishing and spyware are some ways by which even strong passwords can be obtained by attackers.
How does Two-Factor Authentication work?

1. The user logs in via username and password.
2. The second authentication factor is received (for example, pushed to the user's phone or generated by an authenticator app).
3. The user enters the second authentication factor.
4. Login successful!
Methods to implement Two Factor Authentication

• Token based: a 2FA token is generated and then used by the user for authentication. The token can be delivered as
  - SMS text message based
  - E-mail based
  - Call based
• Push notification: provides a very simple Approve/Deny approach directly to users.
• Software based: authenticator apps, like Google Authenticator, Authy, etc.
• Hardware based: a token is generated with the help of a hardware device, a key fob or dongle.
• Biometric based: fingerprint scan, iris scan, voice print.
Algorithm behind 2FA : TOTP Algorithm
• 2FA authenticator apps use the Time-based One-Time Password (TOTP) algorithm (RFC 6238) to generate a short
one-time password, usually 6 digits (6 to 8 digits per the RFC), for authentication. The TOTP algorithm is an extension of the
HMAC-based One-Time Password (HOTP) algorithm (RFC 4226). TOTP uses time as the moving
factor, whereas HOTP uses an event-based counter.
The algorithm contains three important formulae to generate the OTP:

TOTP( K, d ) = HOTP( K, T, d )

HOTP( K, T, d ) = ( Truncate( HMAC(K, T) ) & 0x7FFFFFFF ) mod 10^d

T = floor( ( current time - Unix epoch ) / X )

The terms used in the above formulae are:

K : the secret key known to both the client token and the validation server
T : the time-step counter (the number of whole time steps elapsed), packed as an 8-byte big-endian integer before it is hashed
HMAC() : a SHA-1 Hash-based Message Authentication Code function, producing 20 bytes
Truncate() : dynamic truncation, which selects 4 bytes from the HMAC result starting at the offset given by the low 4 bits of its last byte
& : bitwise AND (masking with 0x7FFFFFFF clears the sign bit so the value is a positive 31-bit integer)
mod : modulus operator
d : number of digits in the OTP
current time : the current Unix time (the number of seconds since midnight UTC on 1 Jan 1970)
Unix epoch : the start time to count from, 0 by default
X : the time step in seconds (30 by default)
floor() : returns the largest integer that is smaller than or equal to the number
For example,
let's consider the current time to be 3:20:00 PM (UTC) on 13 August 2021 and the time
step (X) to be 30 seconds.
So the value of the current time = 1628868000 (in Unix time)
and the Unix epoch = 0.

Hence,
T = ( 1628868000 - 0 ) / 30
T = 54295600

Let's suppose the secret key (shown Base32-encoded, as authenticator apps display it) is

K = pofa rscd uptm dh6j aogl nda2 ryk7 7jva

Now these values of K and T are given to the HMAC-SHA-1 algorithm, which as a result
gives a 160-bit (20-byte) HMAC hash:

HMAC hash: AF 16 86 8F E5 DB 00 C1 58 75 F6 A7 F8 99 F5 28 AB 80 5E 9A

The low 4 bits of the last byte of this hash determine the offset for the truncation.
Here the last byte is 0x9A, so its low 4 bits are 0xA, which represents the integer 10.
Therefore the offset is 10, and starting from position 10, 4 bytes are selected from the HMAC hash:

Position:  0  1  2  3  4  5  6  7  8  9  10 11 12 13 14 15 16 17 18 19
HMAC hash: AF 16 86 8F E5 DB 00 C1 58 75 F6 A7 F8 99 F5 28 AB 80 5E 9A
                                         ^^ offset (bytes 10-13: F6 A7 F8 99)

Now applying the bitwise AND operator to the 4 selected bytes:

    F6   A7   F8   99
  & 7F   FF   FF   FF
  = 76   A7   F8   99

So the new hexadecimal value obtained is 0x76A7F899.
On converting this hexadecimal value to decimal notation we get 1990719641.
Now to calculate the token we use the modulo operator:
TOTP( K, d ) = 1990719641 mod 10^d
             = 1990719641 mod 10^6   [ d = 6 ]
             = 719641
So the OTP is 719641, and it is valid only during the 30-second time step T = 54295600
(a result with fewer than d digits is left-padded with zeros; servers usually also accept
the neighbouring time steps to tolerate clock drift).
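The formulae and the walkthrough above carried through in code, as an added example that is not part of the original presentation. It assumes HMAC-SHA-1, a 30-second step, 6 digits and a Base32-encoded secret, as the slides do; the 20-byte HMAC value printed on the slide is taken as given so that the truncation step can be replayed byte by byte, and the function names, the verification window and the sample values are this example's own.

```python
"""TOTP / HOTP (RFC 4226, RFC 6238) worked in code.

Added example, not from the original presentation. Assumes HMAC-SHA-1,
a 30-second time step, a 6-digit code and a Base32-encoded shared secret,
as in the slides; names and the verification window are this example's own.
"""
import base64
import hashlib
import hmac
import struct
import time

# The Base32 secret shown on the slide (spaces and case are cosmetic).
SLIDE_SECRET_B32 = "pofa rscd uptm dh6j aogl nda2 ryk7 7jva"
# The 20-byte HMAC-SHA-1 value the slide prints for that key and T = 54295600,
# taken as given here so the truncation arithmetic can be followed.
SLIDE_HMAC = bytes.fromhex("AF16868FE5DB00C15875F6A7F899F528AB805E9A")


def decode_base32_secret(secret: str) -> bytes:
    """Turn the human-readable Base32 secret into the raw key K."""
    cleaned = secret.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore padding stripped for display
    return base64.b32decode(cleaned)


def time_step(unix_time: int, step: int = 30, t0: int = 0) -> int:
    """T = floor((current time - T0) / X)."""
    return (unix_time - t0) // step


def dynamic_truncate(mac: bytes) -> int:
    """RFC 4226 dynamic truncation: offset = low nibble of the last byte,
    take the 4 bytes starting there, clear the top bit."""
    offset = mac[-1] & 0x0F
    chunk = mac[offset:offset + 4]
    return struct.unpack(">I", chunk)[0] & 0x7FFFFFFF


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C, d): HMAC-SHA-1 over the 8-byte big-endian counter."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(key, msg, hashlib.sha1).digest()
    code = dynamic_truncate(mac) % (10 ** digits)
    return str(code).zfill(digits)  # keep leading zeros, e.g. "007123"


def totp(key: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """TOTP(K, d) = HOTP(K, T, d) with T derived from the clock."""
    return hotp(key, time_step(unix_time, step), digits)


def verify_totp(key: bytes, candidate: str, unix_time: int, window: int = 1,
                digits: int = 6, step: int = 30) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours
    (clock skew), comparing in constant time. A real server must also record
    the last accepted step so the same code cannot be replayed."""
    t = time_step(unix_time, step)
    for delta in range(-window, window + 1):
        expected = hotp(key, t + delta, digits).encode()
        if hmac.compare_digest(expected, candidate.encode()):
            return True
    return False


def slide_walkthrough() -> dict:
    """Replay the slide's arithmetic on the HMAC value it prints."""
    masked = dynamic_truncate(SLIDE_HMAC)       # 0x76A7F899
    return {
        "T": time_step(1628868000),             # 3:20:00 PM UTC, 13 Aug 2021
        "offset": SLIDE_HMAC[-1] & 0x0F,        # 0x9A -> 0xA -> 10
        "masked": masked,                       # 1990719641
        "otp": str(masked % 10 ** 6).zfill(6),  # "719641"
    }


if __name__ == "__main__":
    print(slide_walkthrough())
    key = decode_base32_secret(SLIDE_SECRET_B32)
    now = int(time.time())
    code = totp(key, now)
    print("current TOTP:", code, "verifies:", verify_totp(key, code, now))
```

Running the script prints the slide's intermediate values (T = 54295600, offset 10, 0x76A7F899, OTP 719641) and then a live code for the slide's secret, which will match any RFC-compliant authenticator app seeded with the same Base32 string. The RFC 4226 and RFC 6238 test vectors (key "12345678901234567890") are the quickest way to confirm an implementation before trusting it with real users.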
Who uses 2FA?

• Social media
• E-commerce platforms
• Banking sites
• Gmail
• Education platforms
How effective is 2FA?

Two-Factor Authentication successfully blocks:
• 100% of automated bots
• 96% of bulk phishing attacks
• 90% of targeted attacks

How much of this protection a deployment actually gets depends on the second factor chosen: SMS codes can be phished or intercepted through SIM swapping, whereas app prompts and hardware security keys are considerably harder to defeat.