How does the 6 digits number in multifactor authentication works?
What is that 6 digits number in the authenticator app? Why those numbers change every 30 seconds? How are they generated? How does the server know that this is the correct number? How does it work offline?
Also, why do we need to scan a QR code when setting it up? What does the QR code contains? How secure is the whole system? What are the limitations? What to consider if implementing a server to support this authentication method?
We will start with a some simple intuitive explanation and slowly go into the technical details and algorithms. Hopefully you can answer all the above questions after reading this. This is not a high level explanation of why it's good to have MFA, or how to deploy it, there are plenty of resources explaining that already. This article focus on the details of the technology under the hood.
If you are ready, let's get started. First, we need to understand what is a factor means in multifactor authentication.
What is a "factor"?
A factor is like a key for a different kind of locks. Imagine a door has only 1 lock, then everyone who has the key to that lock can open the door. Multifactor is like having multiple locks on the doors that require different keys. Even if you lost 1 key accidentally, the door is still locked.
In digital systems, usually the lock is the username and password. If this is the only factor, if someone can steal or guess your password, then your account is compromised. If there is an extra factor, usually in a different format, like authenticator app or a separate physical security key, then your account will be secure even if your password is leaked.
In a study conducted by Microsoft in 2023, MFA reduces the risk of being compromised by 99.22%! Also, dedicated authenticator app like Microsoft Authenticator outperform SMS-based authentication.
Time-based one-time password (TOTP)
This article will focus on explaining these authenticator apps, the one you see 6 digits number changing every 30 seconds. It is called time-based one-time password, TOTP in short. We will know how does the TOTP algorithm generate that 6 digits number, why does it change every 30 seconds, how does the server know the same 6 digits number even if the authenticator app is offline.
The formal document that defines how TOTP should work is defined in RFC 6238. TOTP is a way to generates a user-friendly value based on the current time, called the one time password (OTP), to authenticate the user. The one time password is used once only and cannot be reused. But before we go deep into the terminologies and how all these work, let's look at a simpler, imaginative scenario to understand the idea behind TOTP. Let's imagine we need to secure a phone call.
Explain like I am five
Imagine Alice and Bob phone call each other to share updates and secrets, but they are often scared that the phone is not picked up by one of them but Mallory, so they both come up with a secret phrase, "chipmunk" and "chinchilla". Every time before the phone call starts, Alice and Bob need to tell their secret phrase. Only if both sides are correct, they start talking. It works well until one time Bob realize Mallory is listening from behind and hear the secret phrase "chinchilla", what can they do?
Turns out, there is a special species of magic parrot. The magic parrots are always twin. At any given time, you can ask the magic parrot to say a random word. The two magic parrots will say the same word even if they are physical separated far away.
Now, as long as Alice and Bob keep their magic parrot secure to them, they are safe. Even if Mallory knows the secret phrase "chipmunk" or "chinchilla", she cannot impersonate Alice and Bob because she doesn't have that specific magic parrot. She cannot reuse "goose" either because this word is randomly generated by the magic parrot and used once only.
If you understand why the magic parrot makes it more secure, then you know why TOTP makes authentication systems more secure. The magic parrot is the second factor. In TOTP, "chipmunk" or "chinchilla", is your username and password. And "goose" is the TOTP, the generated one-time password. The magic parrot is the TOTP algorithm. It can generate a random value at any given time.
In the real world, there is no magic parrot twins that work like this, but we can create something digitally that works in the same way.
TOTP in detail
This is the typical flow of an authentication with TOTP.
- The user first login with username and password, or any other authentication methods like single signed-on (SSO)
- The server verifies the identity and confirm that the user has enabled multifactor authentication, so the server requests the user to provide the TOTP
- The user get the TOTP from where it is stored, e.g. authenticator app or password managers, and submits it
- The server also generates the TOTP from its end and compare the two is the same
We are going to focus on step 3 and 4, particularly how the user and the server are able to generate the TOTP without communicating at that point.
To understand how TOTP is generated and why it is secure, we need to know three basic ingredients. A hash function, the Unix timestamp and a shared secret between the server and the user.