Understanding Two-Factor Authentication (2FA)

What is Two-Factor Authentication?

Two-Factor Authentication (2FA) is a security mechanism that requires users to provide two different types of identification before gaining access to an account or system. It adds an extra layer of protection beyond just a username and password.

The “two factors” typically come from different categories:

Something you know: password, PIN, security question
Something you have: phone, hardware token, authenticator app
Something you are: fingerprint, face recognition, voice

In this course, we use:

Factor 1: password (something you know)
Factor 2: TOTP code from an authenticator app (something you have)

Why Use 2FA?

Even strong passwords can be compromised through phishing, credential stuffing, or data breaches. 2FA ensures that a stolen password alone is not enough to access an account: the attacker would also need physical access to the user’s authenticator app.

This is particularly important for admin accounts in e-commerce applications, where a compromised account could expose customer data, modify products and pricing, or process unauthorized refunds. Requiring 2FA for admin users ensures that even if an admin password is stolen, the admin panel remains protected.

Many regulations (PCI-DSS, HIPAA, GDPR) require or recommend multi-factor authentication for accessing sensitive data.

How TOTP Works

TOTP (Time-based One-Time Password) is the algorithm behind apps like Google Authenticator and Authy.

The Process

The server generates a random secret key (a Base32 encoded string).
The secret is shared with the user via a QR code or manual entry.
Both the server and the authenticator app use the same formula to generate codes:
```
TOTP = HMAC-SHA1(secret, floor(current_time / 30))
```
The server accepts codes that match the current or adjacent 30-second windows.

Key Properties

Codes change every 30 seconds
Codes are 6 digits long
No internet connection is needed on the phone after initial setup
The secret is never transmitted after setup

Trusted Devices

Requiring a 2FA code on every login can be inconvenient, especially on personal devices. The “Trust this device” feature lets users skip 2FA verification on recognized devices for a set period (e.g., 30 days).

This works by storing a cryptographic token in a browser cookie and a corresponding record in the database. On subsequent logins, the middleware checks whether a valid, non-expired token exists before prompting for a 2FA code. If the token is valid, the user skips the verification step. If the token is missing, expired, or invalid, the user must verify with their authenticator app again.

Authentication Flow with 2FA

User Login Flow with 2FA:

1. User enters email/password
         |
         v
2. AuthMiddleware validates credentials
         |
         v
3. Session created with is_authenticated=true
         |
         v
4. TwoFactorMiddleware checks:
   - Does user have 2FA enabled?
   - Is there a valid trusted device cookie?
   - Has 2FA been verified this session?
         |
    +----+----+
    |         |
    v         v
5a. No 2FA   5b. 2FA Required
    |              |
    v              v
6a. Access     6b. Redirect to /2fa/verify
    granted         |
                    v
               7. User enters TOTP code
                    |
                    v
               8. Code validated
                    |
               +----+----+
               |         |
               v         v
           Invalid    Valid
               |         |
               v         v
           Retry    9. Mark verified in session
           (max 5)      |
                        v
                   10. Access granted

Libraries Used

This lab uses the robthree/twofactorauth ↗ library for TOTP generation and verification, along with bacon/bacon-qr-code ↗ for rendering QR codes that users scan with their authenticator app.