Monday, January 8, 2018

Using a mobile Authenticator app for time-based two-factor authentication (TOTP)

1. What the authenticator mobile app does
Many major identity service providers (Google, Microsoft, SAP, etc.) have published their own Authenticator mobile application for time-based two-factor authentication. Essentially, the Authenticator app uses a secret shared between the identity service provider and the mobile Authenticator app, together with the current time, to generate a passcode; if the passcodes computed on both sides match within the same 30-second period, the identity service provider accepts the passcode generated by the Authenticator app and the authentication passes.

A sample authenticator configuration for a Google account looks like below:
otpauth://totp/Google%3Ajonathanli2000%40gmail.com?secret=rrrhpj3zrgzgwq4d53qrmyb6fsttuwee&issuer=Google

In addition, all authenticator apps use the same logic, so as long as they are given the same configuration, it does not matter which company's authenticator app generated the passcode: it will also pass the check at another company's identity service provider.

2. Where to implement TOTP two-factor authentication
If the web application handles user accounts by itself, e.g. by maintaining them in a user table, then the application must implement the TOTP logic itself: it keeps the secret key for each user account and verifies the passcode generated by the client-side Authenticator against that secret key and the current time.
Preferably, however, user account management is handled by a third-party identity service provider. In that case, TOTP authentication only needs to be enabled and handled by the identity service provider, and it is transparent to the application. For example, if Google social login is used, then once two-factor authentication with a mobile device is enabled, the user is automatically prompted to enter the Authenticator-generated passcode during authentication; nothing in the web app needs to change for this purpose.
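The server-side logic described in sections 1 and 2, as an added example that is not code from the original post: it parses an otpauth URI like the sample above, derives the 6-digit code from the shared secret and the current 30-second time step (the standard HMAC-SHA1 TOTP construction), and verifies a submitted passcode with a small tolerance for clock drift. The `window` parameter and the replay note are the author's own additions.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth(uri):
    """Extract label, base32 secret and issuer from an otpauth://totp/... URI."""
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("not a TOTP otpauth URI")
    q = parse_qs(u.query)
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": q["secret"][0],
        "issuer": q.get("issuer", [None])[0],
    }


def totp(secret_b32, at_time, step=30, digits=6):
    """Passcode for the time step containing at_time: HMAC-SHA1 over the
    step counter, dynamically truncated to `digits` decimal digits."""
    # Base32 secrets in otpauth URIs are often lowercase and unpadded.
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, passcode, at_time=None, window=1, step=30):
    """Server-side check: accept the current step and +/- `window` neighbouring
    steps so a slightly drifted phone clock still works. A real deployment
    should also remember the last accepted step per user so the same code
    cannot be replayed within its validity period."""
    at_time = time.time() if at_time is None else at_time
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * step, step)
        # Constant-time compare so verification time does not leak digit matches.
        if hmac.compare_digest(expected, passcode):
            return True
    return False
```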


3. Notes
The mobile authenticator app does not need to communicate with the identity service provider when it generates the passcode, so it does not need to be online to do so.
In addition, a user changing the account password does not affect the mobile authenticator app, as long as the shared secret is not changed.
