Full Transcript


Multi Factor Authentication

Introduction to Authentication Factors
Authentication is about providing proof of identity. There are four broad categories of proof:
- What you know
- What you have
- What you are
- Where you are
Each method of proof is called a factor.

Multi-Factor Authentication (MFA)
MFA requires two or more factors to authenticate a user. MFA is a superset of two-factor authentication (2FA): MFA can require an arbitrary number of factors, while 2FA is limited to two factors.

Docsumo MFA Flow: Setup
A request is sent to eevee/setup/mfa/?scope=one. A textEncoding and a qrEncoding are generated and sent as the response. The textEncoding (the SECRET) is also stored in the database in the user collection.
Text Encoding:
- Random key generation: UUID `4F3C2A9B5E7D8A6F`
- Encoding the secret key: Base-32

Docsumo MFA Flow: QR Encoding
The QR code is used to encode the secret key in the otpauth format:
otpauth://totp/Docsumo:user_email_address?secret=HAYGCZDBMY3DENBWGEZTIZTB&issuer=Docsumo
- scheme: otpauth://
- type: totp
- label: Docsumo:user_email_address
- secret: the Base-32 encoded secret key
- issuer: Docsumo
When scanned, the authentication app recognizes the format and saves the secret key for generating time-based one-time passwords (TOTPs).

Time-Based One-Time Password (TOTP)
It is a method used to create a temporary password that changes over time.
TOTP = HOTP(K, T)
K is the secret key. T is the time value calculated from the current Unix time.

Docsumo MFA Flow: Enable
A POST request is sent to /eevee/enable/mfa/?scope=one with the MFA code. The server has the secret and uses TOTP to generate a 6-digit code. If the generated code matches, it verifies the user's access and returns the recovery code.

Login Flow: MFA Enabled Account
A request is sent to /eevee/validate/login/?type=email. Then a POST request is sent to /eevee/login/ with the payload email and mfa_code. If the information is correct, a token is returned from the server, which logs the user in.

Reset MFA
You can use it if you've lost the device where you set up the authenticator or accidentally removed the account from the authenticator app. On pressing reset, a POST request is sent to /eevee/reset/mfa/recovery/single/ with the payload recovery_code. If the recovery code matches the code present on the server, then the response is returned as, Since the reset was successful, the user is asked to set up MFA again.
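The setup, QR-encoding and verification steps above, worked through as an added example (this is not Docsumo's own code): a Base-32 secret is generated, wrapped in an otpauth://totp/ URI with the Docsumo issuer, and the server side recomputes TOTP = HOTP(K, T) from its stored secret to check the submitted 6-digit code. The 30-second time step, the one-step drift window and the constant-time comparison are assumptions from RFC 6238 practice, not details stated on the slides.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional
from urllib.parse import quote

ISSUER = "Docsumo"  # issuer shown in the slides' otpauth URI
STEP = 30           # TOTP time step in seconds (RFC 6238 default; assumed, not stated on the slides)


def generate_secret(nbytes: int = 16) -> str:
    """Random key, Base-32 encoded: the 'textEncoding' the setup endpoint returns and stores."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode().rstrip("=")


def provisioning_uri(secret_b32: str, account: str, issuer: str = ISSUER) -> str:
    """The 'qrEncoding': scheme otpauth://, type totp, label issuer:account, secret and issuer."""
    label = quote(issuer + ":" + account, safe=":@")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer)}"


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, unix_time: Optional[int] = None, digits: int = 6) -> str:
    """RFC 6238: TOTP = HOTP(K, T) with K the decoded secret and T = unix_time // STEP."""
    if unix_time is None:
        unix_time = int(time.time())
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    return hotp(key, unix_time // STEP, digits)


def verify(secret_b32: str, submitted: str, unix_time: Optional[int] = None, window: int = 1) -> bool:
    """Server-side check for the enable and login steps: derive the code from the stored secret,
    compare in constant time, and accept `window` steps either side to absorb clock drift."""
    if unix_time is None:
        unix_time = int(time.time())
    return any(
        hmac.compare_digest(totp(secret_b32, unix_time + skew * STEP), submitted)
        for skew in range(-window, window + 1)
    )
```

The verify() step is what the server does at /eevee/enable/mfa/ and /eevee/login/: it never receives the secret from the client, only the code, and rejects anything outside the small drift window.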
