2FA or two-factor authentication is a mechanism for authentication. It’s when you use a second method (besides the password) to confirm that a user is the owner of said account.
This greatly improves security. It is much more difficult for potential attackers to gain access to both your password and phone/email/another authentication method at the same time. Whereas if one’s password is the only security guarantee, the account remains vulnerable: Passwords are easily leaked, and often the leak is not even the user’s fault.
Types of 2FA
Most applications and services offer the user the following options for two-factor authentication:
- Entering the code that the user receives via text message or email after he or she has entered his or her login and password. This is the most common and easiest way, but it has its drawbacks: for example, the text message can be intercepted through a vulnerability in the protocol through which they are transmitted. Or, you may have no access to your phone/SIM card or just no coverage at a critical time.
- Entering the code that is generated in a separate authenticator application. Experts call this method more reliable. The user must first install one of these applications (for example, Google Authenticator, Twilio Authy, Duo Mobile), and then select the option of double authentication through the application in the menu of the desired service (for example, Facebook). A QR code will appear on the screen, which you need to scan through said application and immediately use it. There are some clear benefits of this method. The fact that it requires neither an internet connection nor a server sync is the most important one.
- Many services (for example, Facebook) also generate a number of backup codes for the user, which he or she can use if they, for example, find themselves without a mobile connection. To do this, you need to print out these codes in advance and save them in a safe place.
There are several other types of login confirmation that are used less frequently:
- Physical security keys: this device is in the form of a USB flash drive (it is sometimes equipped with NFC and Bluetooth interfaces). This type of key can be used to enter the same social networks, but such a serious approach makes more sense for storing very important data.
- Identity verification using biometrics. This method is not yet in widespread use.
There are two main algorithms used for 2FA: Time-based One-Time Password (TOTP) and HMAC-based One-Time Password (HOTP).
HOTP is somewhat simpler. Here’s how it works: Firstly, you enable 2FA by scanning a QR code or tapping a link in a respective app, such as Google Authenticator. Then, when you want to log in you generate a code and enter it.
But what is going on under the hood?
The QR code you scan encodes a random secret and some meta data. Both your phone and the server keep track of this secret and a counter value that starts at 0. Whenever you get a new code, your counter value goes up. When you send the code to the server, it checks what the next code is. If it matches, then it logs you in and updates its counter value. If you generate a code but don’t send it to a server, your counter value ends up being higher than the server’s count. So when the server checks this against the next counter value, it’ll find it invalid. Note that the server also checks this against the next 4-5 counter values (the lookahead window). If it’s a match, the server jumps its counter value to match yours and logs you in. The servers don’t accept codes with a sequence value lower than the one they’ve already accepted.
Now, how are codes generated? The HMAC-SHA-1 function is essential to this process. HMAC functions are typically used for verifying the authenticity of a signed message.
TOTP is very similar to HOTP, except it’s time-based. The code is based on the current time, not a sequence value.
The sequence value is derived from the current Unix time (number of seconds since January 1st, 1970) and the gap between codes (typically 30 seconds). Dividing the Unix time by the gap and rounding it down, you get the current sequence value. Passing it into the same code-generation function HOTP uses, you get the code. During authentication process, a new TOTP code is generated every 30 seconds.
TOTP codes are validates slightly differently than HOTP codes. The server checks if the provided code is within a certain window of the current time – typically a few minutes – and if it is within that window, it’s allowed. To prevent code reuse, the server stores the time of the last valid code and requires that any subsequent login attempts use a code from after that time.
TOTP is better than HOTP for almost all use cases. HOTP is now mainly used for older systems that don’t support TOTP and for embedded devices without a clock.
Now let’s take a look at how secrets are sent from the server to the authentication app. The simplest way is for the user to enter the code directly into a field. However, Google Authenticar also has a QR link option that contains all the needed OTP parameters.
Using 2FA with WordPress
If you are managing a WordPress site for yourself or a client, you will need to make sure that it is properly protected from hackers and other potential threats. So it makes sense to have an extra layer of protection for your admin accounts.
The two-factor authentication mechanism allows you to secure your WordPress account via a dedicated authentication plugin. This will allow you to use your mobile phone to log into your WP admin panel, and even if your username and passwords are exposed, no one can hack your site. These are some of the WP two-factor authentication plugins you can use:
- Google Authenticator,
- Duo Two-Factor Authentication,
- miniOrange Two-factor Authentication.
See the most popular ones here.
Also note that it is advisable to generate and store backup codes in case you lose access to your device.