Two Factors used in 2FA include :
- Factor 1 – Something you know (PIN, password, secret questions, etc);
- Factor 2 – Something you have ( token, key, smartcard, mobile phone) or Something you are (biometrics such as fingerprint, retina, voiceprint etc.)
Static versus Dynamic (One Time Only)
MFA is typically based on single passwords. Traditional static passwords, while a potential solution for MFA, simply aren’t enough to protect against some of today’s threats. Keystroke logging tools, phishing attacks, eavesdropping, and even guessing can be used to easily crack static passwords.
One Time Passwords (aka tokens) offer greater protection, because the password (token) they generate is only valid for a single session or transaction.
Time-Based One-Time Password (TOTP) are regulated by the RFC6238;. This algorithm is actually not only used in Google’s Authenticator, but also in the Microsoft Verificator.
Here is the basic flow:
- User Logs In to the web app using her ADFS credentials –>
- On successful login, the user is prompted for a second factor (Please enter a 6 digit code). This code is generated by the .NET code (using, first, a randomly generated secret key and SHA1) and sent to Google QR generator – which presents a QR code to the user. As long as the user has a QR reader app, she can decode this QR code – and type it into the presented textbox as her second factor –>
- Once the user enters the 6 digit code, she is no longer prompted with a QR code. This is truly a one-time code – the QR code is not presented to the user again, unless she fails to enter it within the allotted 30 seconds.
- That’s it. Pretty straightforward and very secure.
creating and Persisting the OTP
The RFC states; “The keys SHOULD be randomly generated or derived using key derivation algorithms. To generate the 16-character secret key, we can use the random number generator support in either .NET or java.
Random random = new Random((int)DateTime.Now.Ticks & 0x0000FFFF); return new string((new char[secretKeyLength]).Select(c => c = allowedCharacters[random.Next(0, allowedCharacters.Length)]).ToArray());
With multiple ADFS servers in a farm, and the possibility these servers do not share state, we cannot use in-memory mechanisms to check if a generated code has been used previously. Using a Database to store the key will ensure that at all servers in the ADFS farm can access and check used keys.
There are several ways one can do MFA. However, most MFA schemes are based on single (static) passwords. These are not ideal – as phishing, keystroke logging etc. can figure these out easily. It is much more secure to have a throw-away password – an OTP in place of the static password. Using Google’s QR generator, one can send a QR code as a disguised second factor. Whether they use a virtual device (an app) or some hardware scanner to read this second factor is up to them.
Once the user types in this 6 digit QR code, they are effectively second-authenticated. Now , this QR code is meaningless – as long as the server has a way to store it and check for previously used keys.