Extended Brain Storage

Multi-Factor Authentication

Posted on June 14, 2019

A general introduction to multi-factor authentication with the emphasis on two-factor authentication and omitting biometrics...

Multi-factor Authentication

A multi-factor authentication (MFA) is an authentication method, which confirms users' claimed identities by using a combination of the following factors:

  1. knowledge-based: something they know (a password),
  2. ownership-based: something they have (a certificate, security token), or
  3. inherence-based: something they are (typically biometrics, not this case).

A two-factor authentication (2FA) uses a combination of two. The MFA/2FA methods are more secure than a password protected certificate, as compared with a password hash, which is located on a server only, a stolen certificate (or a private key) can be attacked offline. Furthermore, a malicious memory dump performed on a client system can potentially reveal unencrypted key.

Therefore, employing a one-time password instead of the usual password and combining it with password protected certificate increases the complexity for potential attackers, as a result of which the security of the system improves.

One-Time Password

A One-Time Password (OTP) system, as defined in RFC 2289, is an authentication mechanism for system access (login), which is secure against passive attacks based on replaying captured reusable passwords. OTP systems counter replay attacks, as they use passwords (usually automatically generated), which cannot be reused when captured. The OTP is delivered via SMS or e-mail, or displayed using a software/token to the user or machine.

The Initiative for Open Authentication (OATH) is an industry-wide collaboration to develop an open reference architecture using open standards to promote the adoption of strong authentication. Some of the cornerstones of the OATH are:

Message Authentication Code

A Message Authentication Code (MAC), sometimes referred to as a cryptographic checksum (or simply a tag), is a short piece of information used to authenticate a message. In other words, it provides

MACs are similar to cryptographic hash functions, while being resistant under chosen-plaintext attacks, and differ from digital signatures (s), as MAC values (m) are both generated and verified using the same secret key (K). The difference between digital signatures and MACs is as follows:

MAC algorithms can be constructed from the following cryptographic primitives:

As a result, various standards exist that define MAC algorithms.

Hash-based Message Authentication Code

A Hash-based Message Authentication Code (HMAC), as defined in RFC 2104, is a specific type of message authentication code (MAC) involving a cryptographic hash function (h) and a secret cryptographic key (K), which can be used to simultaneously verify both the data integrity and the authentication of a message, as with any MAC.

HMAC usage

Mixing the K and x values can be done in two ways:

General HMAC construction is as follows (using outer and inner hash, and '||' represents logical disjunction):

Taking care of padding of the keys (expanding keys denoted using the plus sign)


both ipad and opad of the size of the hash input length.

HMAC-based One-Time Password

The HMAC-based One-Time Password (HOTP) algorithm is an OTP algorithm based on hash-based message authentication codes (HMAC), it is defined in RFC 4226 and it is a freely available open standard.


The disadvantage of the HOTP is that it requires users to carry around an extra token-generating device.

Time-based One-Time Password

The Time-based One-Time Password (TOTP) algorithm is an extension of the HOTP generating a one-time password by taking uniqueness from the current time, and defined in RFC 6238 and is used in a number of two-factor authentication systems.

After both HOTP parameters as well as the following TOTP parameters have been established between the authenticated and authenticator,

both parties can compute the TOTP value as follows:

where (T is the current Unix time)

When compared to the HOTP, the main benefit of the TOTP is that rather than using a counter to synchronise with clients, it uses time (an initialisation time and a time step).

Available Software

Aegis is a free, secure and open source 2FA app for Android available from F-Droid or Google Play, and which supports the following algorithms:

andOTP is a FOSS that is available from F-Droid and Google Play, and which supports

freeOTP is a FOSS that is available from Google Play as well as from App Store, and which supports

Google Authenticator is a software-based authenticator that supports

Tags: #security #two-factor #multi-factor #authentication #HOTP #TOTP

⏴ Previous Post Next Post ⏵